> -----Original Message-----
> From: Ken Claussen [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, March 24, 2001 4:24 AM
> To: 'William Kupersanin'; '[EMAIL PROTECTED]'
> Subject: RE: Access lists
> 
> 
> Willie,
> you bring up two good points. One, from the router's perspective it costs less
> (resources) to drop a packet at the external interface due to minimal
> processing.

Actually, this isn't quite correct. From the Cisco point of view it's less
expensive to apply ACLs _outbound_ on the interfaces. This doesn't have
anything to do with internal / external. In this case, the ACLs applied on
the internal interfaces (and they'd need to be applied outbound) would be
less CPU expensive.

> Conversely, this makes a more complicated ruleset in some cases. The
> benefits of this complication in how lists are applied must be weighed
> carefully against [stuff]

Absolutely. I don't recommend applying ACLs outbound unless it's for some
special reason. In general it's better architecture to drop packets as soon
as they're known to be bad. Unless you have a very busy router you probably
won't notice any real performance hit. Mind you, this does sound like a busy
router. ;)

> Ken Claussen MCSE CCNA CCA
> [EMAIL PROTECTED]
> "The Mind is a Terrible thing to Waste!"
> 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of William Kupersanin
> Sent: Saturday, March 24, 2001 9:19 AM
> To: [EMAIL PROTECTED]
> Subject: Access lists
> 
> 
> 
> Hello,
> 
> I am working with someone designing access control lists on a router and I
> wanted the group's opinion on ACL design. The scenario is that the router
> basically has two external interfaces (one leading to the world at large and
> one leading to dialin devices) and a few internal interfaces. [...]

I don't see how applying the ACLs on the external interfaces (inbound) makes
the config much more complex - in fact I think it makes it easier.

If you think about it, to apply ACLs outbound on each internal interface
means that you need several different ACLs. Even if you're using named ACLs,
it still means that when you're reading through the config you need to know
which ACL is applied on each interface. With a single ACL, you could apply
the _same_ ACL on both external interfaces, and it would have all the
traffic that's permitted in one place. Yes, it would be longer, but there
would only be one place to make changes, making it less likely that "permit"
statements are added to the wrong ACL.

> Thanks in advance,
> -- Willie

The only times I've used outbound ACLs have been in conjunction with
reflexive ACLs (which I recommend, unless you're really starved for
cpu/mem). But that's just me.

Cheers!

--
Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520  PGP Key ID: 0x1A86E304
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
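An added illustration of the two designs discussed in the thread above (this is not configuration from the original posters; it is a constructed IOS-style fragment). The first part shows the single named ACL applied inbound on both external interfaces, so there is exactly one place where permit lines are added; the second part shows the outbound-plus-reflexive pairing, the one case where an outbound ACL is used. Interface names (Serial0/0, Serial0/1), the internal ranges 192.0.2.0/24 and 198.51.100.0/24 (RFC 5737 documentation space) and the host addresses are all assumptions chosen for the example.

```cisco
! ---- Design 1: one ACL, applied inbound on every external interface ----
ip access-list extended FROM-OUTSIDE
 remark Constructed example. Internal ranges: 192.0.2.0/24 (servers), 198.51.100.0/24 (users)
 remark Anti-spoofing first: nothing arriving from outside may claim an internal source
 deny   ip 192.0.2.0 0.0.0.255 any log
 deny   ip 198.51.100.0 0.0.0.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 remark Services that are published to the outside (assumed hosts)
 permit tcp any host 192.0.2.10 eq 80
 permit tcp any host 192.0.2.10 eq 443
 permit tcp any host 192.0.2.25 eq 25
 permit udp any host 192.0.2.53 eq 53
 remark Established TCP sessions that were opened from inside (stateless check, see Design 2 for the stateful form)
 permit tcp any 192.0.2.0 0.0.0.255 established
 permit tcp any 198.51.100.0 0.0.0.255 established
 remark Explicit final deny with logging so dropped traffic is visible to the operators
 deny   ip any any log
!
interface Serial0/0
 description Link to the world at large (assumed interface name)
 ip access-group FROM-OUTSIDE in
!
interface Serial0/1
 description Dial-in aggregation (assumed interface name)
 ip access-group FROM-OUTSIDE in
!
! ---- Design 2: outbound ACL only in conjunction with reflexive ACLs ----
! Outbound traffic is permitted and mirrored into the temporary list RETURN-TRAFFIC;
! the inbound list evaluates that temporary list before its static permits.
ip reflexive-list timeout 300
!
ip access-list extended TO-OUTSIDE
 remark Sessions initiated from inside create matching return entries
 permit tcp 192.0.2.0 0.0.0.255 any reflect RETURN-TRAFFIC
 permit tcp 198.51.100.0 0.0.0.255 any reflect RETURN-TRAFFIC
 permit udp 192.0.2.0 0.0.0.255 any reflect RETURN-TRAFFIC timeout 60
 permit udp 198.51.100.0 0.0.0.255 any reflect RETURN-TRAFFIC timeout 60
 permit icmp 192.0.2.0 0.0.0.255 any reflect RETURN-TRAFFIC timeout 30
 permit icmp 198.51.100.0 0.0.0.255 any reflect RETURN-TRAFFIC timeout 30
 deny   ip any any log
!
ip access-list extended FROM-OUTSIDE-REFLEXIVE
 deny   ip 192.0.2.0 0.0.0.255 any log
 deny   ip 198.51.100.0 0.0.0.255 any log
 remark Return traffic for sessions opened from inside
 evaluate RETURN-TRAFFIC
 remark Inbound-only services, same as Design 1
 permit tcp any host 192.0.2.10 eq 80
 permit tcp any host 192.0.2.10 eq 443
 permit tcp any host 192.0.2.25 eq 25
 permit udp any host 192.0.2.53 eq 53
 deny   ip any any log
!
interface Serial0/0
 description Link to the world at large (assumed interface name)
 ip access-group TO-OUTSIDE out
 ip access-group FROM-OUTSIDE-REFLEXIVE in
```

In Design 1 both external interfaces reference the same list, so a change made to FROM-OUTSIDE takes effect on both links and there is no second list for a permit line to be mistakenly added to. In Design 2 the reflexive entries replace the stateless `established` lines, which is what makes the outbound ACL worthwhile; the cost is the per-session state the router has to keep, the cpu/mem concern raised in the reply.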