The only thing I suggest is to keep the ACL as short as possible. I would
also enable flow-based IP route caching (IP route-cache flow) on any
interfaces processing the ACL. Flow-based route caching provides a more
efficient means for processing extended ACLs and will reduce the CPU
utilization over standard (fast) route caching.

I would also try in all cases to apply the ACL as an inbound ACL. This will
only impact the performance on a particular interface and not the router as
a whole. Keep in mind that when you apply ACLs, the router is now process
switching.

Hope this helps...

"Charles D. Burke" <[EMAIL PROTECTED]> wrote in message
news:8r12q2$5jq$[EMAIL PROTECTED]...
> I am working mostly with Cisco 2600 routers and was considering using ACLs
> to add more security. The network I administer has a firewall behind an
> access router connected to the Internet. I am thinking about ACLs such as:
> Allowing ICMP only from subnets our few other locations are on (so I can
> troubleshoot between offices)
> Same for Telnet access to VTY.
>
> Does anybody have suggestions for or against this? I know adding ACLs will
> increase the load on the routers but when will performance suffer
> significantly? Currently the processor averages about 15%.
>
> Any other suggestions or resources for tightening security would be
> appreciated.
>
>
> **NOTE: New CCNA/CCDA List has been formed. For more information go to
> http://www.groupstudy.com/list/Associates.html
> _________________________________
> UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
> FAQ, list archives, and subscription info: http://www.groupstudy.com
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
>
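
The ACLs discussed in this thread, sketched as an IOS configuration. This is an added example, not from either poster. The office subnets (192.0.2.0/24, 198.51.100.0/24), the interface name Serial0/0 and the ACL numbers are assumptions standing in for the real values.

```cisco
! Assumed values: 192.0.2.0/24 and 198.51.100.0/24 stand in for the other
! offices' subnets; Serial0/0 stands in for the Internet-facing interface.

! Standard ACL for VTY access: only the office subnets may Telnet in.
! Every ACL ends with an implicit "deny any", so no explicit deny is needed.
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 permit 198.51.100.0 0.0.0.255

! Extended ACL for ICMP: permit the office subnets, drop all other ICMP,
! then pass everything else through to the firewall behind the router.
! Without the final permit, the implicit deny would drop all other traffic.
access-list 101 permit icmp 192.0.2.0 0.0.0.255 any
access-list 101 permit icmp 198.51.100.0 0.0.0.255 any
access-list 101 deny   icmp any any
access-list 101 permit ip any any

! Apply inbound on the Internet-facing interface and enable flow-based
! route caching there, as suggested in the reply.
interface Serial0/0
 ip access-group 101 in
 ip route-cache flow

! Restrict Telnet to the VTY lines with the standard ACL.
line vty 0 4
 access-class 10 in
```

The `deny icmp any any` line also drops ICMP unreachable messages from the Internet, including the "fragmentation needed" messages that path MTU discovery relies on, so check whether inside hosts depend on them before applying it.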