Dave,
Cisco ACLs work in a top-down, first-match-wins manner. For example:
permit ip any any
deny ip any any
In the above example, nothing would get denied because all packets match the
first rule. The rule of thumb is to deny everything, then permit only what
you want:
deny ip any any
permit tcp any any eq 80
Try to avoid using the logging function whenever you can. I usually use it
when verifying that the rules are working correctly then I remove the
logging. Logging as well as packet matching can put a heavy strain on
low-end routers with minimal amounts of RAM. The performance hit I saw was
about 5-15% load on my router with two T1s fully loaded with traffic. Hope
this helps...
David Ishmael, CCNA, IVCP
Senior Network Management Engineer
Windward Consulting Group, Inc.
Phone: (703) 283-7564
Pager: (888) 910-7094
eFax: (425) 969-4707
Fax: (703) 351-9428
mailto:[EMAIL PROTECTED]
mailto:[EMAIL PROTECTED]
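As an added illustration of the top-down, first-match evaluation described above (example code, not part of the thread): a minimal evaluator for a small ACL subset that models the implicit deny at the end of every Cisco ACL, plus a check that flags entries an earlier entry already fully covers and which therefore can never match. It assumes the address syntax 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' with a contiguous wildcard mask.

```python
"""Tiny first-match ACL evaluator (added example, not from the thread).
Subset handled: permit|deny <ip|tcp|udp> <src> <dst> [eq <port>]"""
import ipaddress


def _parse_addr(tokens):
    """Consume one address spec; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # Cisco wildcard: 0 bits must match, i.e. the inverse of a netmask
    wildcard = int(ipaddress.ip_address(tokens[1]))
    mask = str(ipaddress.ip_address(~wildcard & 0xFFFFFFFF))
    return ipaddress.ip_network((tokens[0], mask), strict=False), tokens[2:]


def parse_ace(line):
    """Parse one access-control entry into a dict."""
    t = line.split()
    src, rest = _parse_addr(t[2:])
    dst, rest = _parse_addr(rest)
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    return {"action": t[0], "proto": t[1], "src": src, "dst": dst, "port": port}


def matches(ace, pkt):
    """pkt is a constructed tuple: (proto, src_ip, dst_ip, dst_port)."""
    proto, s, d, port = pkt
    return (ace["proto"] in ("ip", proto)
            and ipaddress.ip_address(s) in ace["src"]
            and ipaddress.ip_address(d) in ace["dst"]
            and ace["port"] in (None, port))


def evaluate(acl, pkt):
    """Top down, first match wins; unmatched packets hit the implicit deny."""
    for n, ace in enumerate(acl, 1):
        if matches(ace, pkt):
            return ace["action"], n
    return "deny", None  # implicit deny: no entry number to attribute it to


def shadowed(acl):
    """1-based indices of entries fully covered by an earlier entry."""
    out = []
    for i, ace in enumerate(acl):
        for earlier in acl[:i]:
            if (earlier["proto"] in ("ip", ace["proto"])
                    and ace["src"].subnet_of(earlier["src"])
                    and ace["dst"].subnet_of(earlier["dst"])
                    and earlier["port"] in (None, ace["port"])):
                out.append(i + 1)
                break
    return out
```

Running `shadowed` over the two-line "permit ip any any / deny ip any any" list reports entry 2, which is exactly the case where nothing is ever denied.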
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Dave Vogler
Sent: Tuesday, May 01, 2001 9:41 AM
To: firewall discussion list
Subject: Cisco access list technique
Hi all,
I'm a bit of a newbie to my Cisco router, but I'm attempting to set up
an access list to firewall my LAN from the internet.
Is there a preferred order for my permit and deny statements? I've
heard that it's best to put all your permit statements first, then your
denies.... Will this affect throughput speed? Are packets substantially
slowed down because the router has to examine every one?
And if an access list implicitly denies all that are not permitted, why
even bother with deny statements?
Thanks in advance,
Dave Vogler
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]