Cisco Support Community

Access Lists and Interfaces

With the documentation I've been reading, there has been a strong tendency to apply the access lists to the serial interfaces, even when applying them to the ethernet interface would require fewer entries and not waste the router's time routing the packets before they get dropped.

Anyone have any insight into this one?



Re: Access Lists and Interfaces

You are correct: in general, it is more efficient for the router or L3 switch to filter out traffic through the use of inbound ACLs, before the traffic gets routed. Making the routing decision, then dropping the packets when they don't clear the outbound ACL on an interface, just wastes CPU time. On the L3 switches that's not so bad, it's more an exercise in optimization. On an access router, it could actually affect packet throughput.

Sometimes, though, it is useful to use outbound ACLs: in a highly security-conscious environment, they can serve as a backup to inbound ACLs, in case a restrictive inbound ACL is temporarily taken off an interface. It's a lot of extra work, though, coordinating the outbounds of one interface with the inbounds of all the others; and changing one can force the need to change all the others. And double-checking the packets on each router hop does chew up twice the CPU cycles, which could affect throughput as noted previously. But that's the price some are willing to pay for airtight security. (Personally, I try to get it all done with inbound access lists only, when possible. But I don't refuse to use outbound ACLs: sometimes it just makes more sense to sacrifice CPU cycles on one box in order to get ease of maintenance on all the others.)

A good working rule of thumb: standard ACLs are more easily assigned closer to the source IP subnets they're filtering; while extended ACLs are better assigned closer to the destination IP subnets they're protecting. (Of course, there are always exceptions.)

A handy optimization technique is to review your ACL rules occasionally, and see how often they're being executed. In general, the more frequently executed ones should appear sooner in the ACL, to minimize the number of CPU cycles used. (An exception to this would be, if you have to deny access to a few IPs while permitting the rest through: if you flip the order, things may be permitted to get through to those restricted IP addresses before a later ACL line has a chance to block them.)

Hope this helps.
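
The reordering advice in the reply above (busy rules first, but never let a later deny lose its place), as an added example that is not part of the original thread and is not Cisco code: a small Python model of a standard IOS access list with wildcard-mask matching, first-match semantics with the implicit deny, and a hit-count reorder that only moves a rule past neighbours whose outcome it cannot change. The ACL and the traffic mix are constructed for the example; the hit counters stand in for the "(N matches)" figures that `show access-lists` reports on a real box.

```python
"""Standard IOS ACL model: wildcard matching, first match wins, implicit deny,
plus a hit-count reorder that keeps every packet's verdict identical.
Added example, not Cisco code; the ACL and packets below are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    action: str       # "permit" or "deny"
    addr: str         # source address, dotted quad
    wildcard: str     # IOS wildcard mask: set bits are "don't care"
    hits: int = 0     # match counter, like "(N matches)" in show access-lists


def _u32(dotted):
    return int(ipaddress.IPv4Address(dotted))


def matches(rule, src):
    """A packet matches when src agrees with rule.addr on every 'care' bit."""
    care = ~_u32(rule.wildcard) & 0xFFFFFFFF
    return (_u32(src) ^ _u32(rule.addr)) & care == 0


def decide(acl, src):
    """First matching rule wins; IOS ends every ACL with an implicit deny."""
    for rule in acl:
        if matches(rule, src):
            return rule.action
    return "deny"


def count_hits(acl, packets):
    """Replay a traffic sample and bump the counter of the rule that fires."""
    for src in packets:
        for rule in acl:
            if matches(rule, src):
                rule.hits += 1
                break


def overlap(r1, r2):
    """True if at least one address could match both rules."""
    both_care = ~_u32(r1.wildcard) & ~_u32(r2.wildcard) & 0xFFFFFFFF
    return (_u32(r1.addr) ^ _u32(r2.addr)) & both_care == 0


def swappable(r1, r2):
    """Adjacent rules may trade places only if no packet can tell:
    they share no address at all, or they take the same action."""
    return not overlap(r1, r2) or r1.action == r2.action


def reorder_by_hits(acl):
    """Bubble busier rules upward, but only past neighbours they may pass.
    A 'deny host' therefore never sinks below the 'permit subnet' it guards.
    Each swap removes one hit-order inversion, so the loop terminates."""
    acl = list(acl)
    changed = True
    while changed:
        changed = False
        for i in range(1, len(acl)):
            if acl[i].hits > acl[i - 1].hits and swappable(acl[i - 1], acl[i]):
                acl[i - 1], acl[i] = acl[i], acl[i - 1]
                changed = True
    return acl


def optimize(acl, packets):
    """Fresh copies of the rules, counted against the sample, then reordered."""
    fresh = [Rule(r.action, r.addr, r.wildcard) for r in acl]
    count_hits(fresh, packets)
    return reorder_by_hits(fresh)


def equivalent(acl_a, acl_b, packets):
    """Same verdict for every sampled packet and for every rule's own address."""
    probes = list(packets) + [r.addr for r in acl_a]
    return all(decide(acl_a, p) == decide(acl_b, p) for p in probes)


# Constructed ACL: one blocked host inside an otherwise permitted /24,
# a busy permitted /16, and a denied /16.
SAMPLE_ACL = [
    Rule("deny",   "10.1.1.5",    "0.0.0.0"),
    Rule("permit", "10.1.1.0",    "0.0.0.255"),
    Rule("permit", "10.2.0.0",    "0.0.255.255"),
    Rule("deny",   "192.168.0.0", "0.0.255.255"),
]

# Constructed traffic mix: most packets come from the 10.2.0.0/16 rule.
SAMPLE_PACKETS = (["10.2.3.4"] * 50 + ["10.1.1.7"] * 10 + ["10.1.1.5"] * 5
                  + ["192.168.1.1"] * 3 + ["172.16.0.1"])

if __name__ == "__main__":
    tuned = optimize(SAMPLE_ACL, SAMPLE_PACKETS)
    for r in tuned:
        print(f"{r.action:6} {r.addr:13} {r.wildcard:13} ({r.hits} matches)")
    print("outcomes preserved:", equivalent(SAMPLE_ACL, tuned, SAMPLE_PACKETS))
```

Running it moves the busy `permit 10.2.0.0 0.0.255.255` line to the top, while `deny 10.1.1.5` stays above `permit 10.1.1.0 0.0.0.255` because the two overlap with different actions. The model covers standard (source-only) lists; for extended lists the overlap test has to consider protocol, destination and ports as well, and a rule can be moved only if it is swappable on the whole tuple. On IOS the renumbering itself is done with `ip access-list resequence` for named lists, or by re-entering the list.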


Re: Access Lists and Interfaces

That's the general feeling, but this link has an eye-opening discussion that explains why inbound access lists actually put more load on a router than outbound lists.


Re: Access Lists and Interfaces

That's some good food for thought. Thanks for the link. It seems at face value that an inbound is good for security, but outbound is more efficient. I'll keep digging for more examples of just how that is, because I'm still caught up in the simplistic arithmetic of:

ACL < ACL + Routing