access-list newbie question

michaeljoekelly
Level 1

I was reading Cisco CCNA Exam 640-607 book by Odom and have a question about Example 8-7.

The author states that Cisco recommends placing access lists as close as possible to the packet's source.

In his example, though, he chooses to apply the access list outbound on the two serial ports rather than inbound on the one Ethernet interface where the packets actually originate.

Is there some good reason for choosing out instead of in?

Is there a tradeoff between examining all incoming packets and examining a subset after the routing decision has already been made?

The example shows this as the correct configuration:

interface serial0
 ip address 172.16.13.3 255.255.255.0
 ip access-group 101 out
interface serial1
 ip address 172.16.12.3 255.255.255.0
 ip access-group 101 out
access-list 101 deny tcp host 172.16.3.10 172.16.1.0 0.0.0.255 eq ftp
access-list 101 permit ip any any

I want to know why the following is not more efficient or more correct, since it would be closer to the packet's source:

interface ethernet0
 ip address 172.16.3.1 255.255.255.0
 ip access-group 101 in
access-list 101 deny tcp host 172.16.3.10 172.16.1.0 0.0.0.255 eq ftp
access-list 101 permit ip any any

2 Replies

rsissons
Level 5

Checking an access list does introduce a significant overhead. If the router had multiple LAN interfaces and only some traffic was to be routed over the serial interfaces, then you may not wish to incur the overhead of having every frame leaving the LAN processed for the access list, in which case it makes more sense to put it on the outbound serial interfaces.
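To make the overhead trade-off rsissons describes concrete, here is an added Python model (not from the book or from anyone in this thread) of access-list 101 with Cisco wildcard-mask matching, applied either inbound on ethernet0 or outbound on the serial interfaces. The routing table, the extra LAN interface ethernet1 and the sample packets are constructed assumptions; ftp is port 21.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard-mask match: address bits where the wildcard has a 1 are ignored."""
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return a & care == b & care

# access-list 101 from the question, modelled as ordered (action, proto, src, dst, dport).
ACL_101 = [
    ("deny", "tcp", ("172.16.3.10", "0.0.0.0"), ("172.16.1.0", "0.0.0.255"), 21),  # eq ftp
    ("permit", "ip", ("0.0.0.0", "255.255.255.255"), ("0.0.0.0", "255.255.255.255"), None),
]

def acl_verdict(acl, pkt):
    """First matching entry wins; an access list ends with an implicit deny."""
    for action, proto, (sb, sw), (db, dw), dport in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if wildcard_match(pkt["src"], sb, sw) and wildcard_match(pkt["dst"], db, dw) \
                and (dport is None or dport == pkt["dport"]):
            return action
    return "deny"

# Constructed routing table: the extra LAN (ethernet1) is the case rsissons describes.
ROUTES = {"172.16.1.0/24": "serial0", "172.16.2.0/24": "serial1", "172.16.4.0/24": "ethernet1"}

def egress(dst):
    ip = ipaddress.IPv4Address(dst)
    return next((ifc for net, ifc in ROUTES.items() if ip in ipaddress.ip_network(net)), None)

def forward(pkts, placement):
    """Route packets arriving on ethernet0; return (verdicts, number of ACL evaluations).
    placement is 'in_e0' (ACL inbound on ethernet0) or 'out_serial' (ACL outbound on both serials)."""
    verdicts, evals = [], 0
    for p in pkts:
        out = egress(p["dst"])  # routing decision (done after an inbound ACL on a real router)
        checked = placement == "in_e0" or (placement == "out_serial" and out in ("serial0", "serial1"))
        if checked:
            evals += 1
            if acl_verdict(ACL_101, p) == "deny":
                verdicts.append("deny")
                continue
        verdicts.append(f"forward:{out}")
    return verdicts, evals

PACKETS = [  # constructed traffic from Bob's host 172.16.3.10
    {"proto": "tcp", "src": "172.16.3.10", "dst": "172.16.1.5", "dport": 21},  # FTP to 172.16.1.0/24
    {"proto": "tcp", "src": "172.16.3.10", "dst": "172.16.1.5", "dport": 80},  # HTTP to the same net
    {"proto": "tcp", "src": "172.16.3.10", "dst": "172.16.4.7", "dport": 21},  # FTP to the other LAN
]
```

Both placements produce the same verdicts for this traffic, but the outbound placement evaluates the list only for packets that actually leave via a serial interface, which is the saving rsissons refers to.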

vikas.arya
Level 1

Hi,

In my point of view, the interpretation of the statement "The access list should be put closer to the packet source" is different. Actually, it is talking about closer in terms of router, not in terms of interfaces. If you read the first line of page 508, it says "It is close to the source, being in R3." The statement doesn't talk about the interfaces at all. Also, it doesn't matter much whether it is on serial or ethernet, because in any case, all the packets coming from Bob's PC will be checked once at the serial/ethernet interface. Maybe the author put it on serial to maintain consistency with the other examples.