Most administrators quickly conclude that discarding unwanted packets as early as
possible saves bandwidth on the links and the router CPU cycles that would otherwise be
spent forwarding packets destined to be dropped anyway. Unfortunately, a standard ACL
has only one criterion on which to permit or deny, the source address: the
destination is never examined. A standard ACL placed close to the source would
therefore block that source's traffic to every destination beyond that point, not just
the one you meant to protect. For that reason, standard access lists are generally
placed as close to the destination network segment as possible, where they exercise
the most precise control. For example, in Figure 2-3 in the preceding section, a
standard ACL that keeps a certain Internet address out of the Rtr2 LAN would need to
be applied outbound on the Rtr2 e0 interface. Applying it inbound on s0 of Rtr1 would
save more router resources, but it would also block that address from reaching the
Rtr1 LAN. Similarly, applying it to s0 on Rtr2 would work for now, but any interface
added to Rtr2 later would inherit the block as well.
Looking again at Figure 2-3, if ACL 20 had been placed inbound on the Serial 1 (s1)
interface of Rtr1 or outbound on s0 of Rtr2, it would have saved resources, but it
would also have blocked Internet access for hosts 192.168.2.1 through 192.168.2.19 and
192.168.2.21 through 192.168.2.30.
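The placement trade-off described above can be checked mechanically before the ACL is applied. The following Python model is an added example, not code from the book or from Cisco: it assumes the topology the text implies (Rtr1 e0 on a LAN taken here as 192.168.1.0/24, Rtr1 s0 to the Internet, Rtr1 s1 linked to Rtr2 s0, Rtr2 e0 on 192.168.2.0/24) plus a hypothetical future Rtr2 e1 segment, and uses constructed host addresses. Entries follow IOS standard-ACL semantics (source-only match, wildcard mask, first match wins, implicit deny at the end), and every candidate placement is scored by which flows it drops beyond the one intended.

```python
"""Added model (not the book's code) of where a standard, source-only ACL bites.

Assumed topology, following the text: Rtr1 e0 = LAN 192.168.1.0/24 (assumed),
Rtr1 s0 = Internet link, Rtr1 s1 <-> Rtr2 s0, Rtr2 e0 = LAN 192.168.2.0/24,
plus a hypothetical future interface Rtr2 e1 = LAN 192.168.3.0/24.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address

Hop = tuple[str, str, str]           # (router, interface, "in" or "out")
Flow = tuple[str, str, list[Hop]]    # (source IP, destination IP, hops in order)


@dataclass(frozen=True)
class Entry:
    """One line of an IOS standard ACL: '<permit|deny> <address> <wildcard>'."""
    action: str
    address: str
    wildcard: str = "0.0.0.0"        # 0 bits must match, 1 bits are don't-care

    def matches(self, src: str) -> bool:
        care = ~int(IPv4Address(self.wildcard)) & 0xFFFFFFFF
        return int(IPv4Address(self.address)) & care == int(IPv4Address(src)) & care


def evaluate(acl: list[Entry], src: str) -> str:
    """First matching entry wins; no match means the implicit deny at the end."""
    for entry in acl:
        if entry.matches(src):
            return entry.action
    return "deny"


def blocked_flows(acl: list[Entry], placement: Hop, flows: list[Flow]) -> set[tuple[str, str]]:
    """(src, dst) pairs dropped when `acl` is applied at `placement`.

    A standard ACL only ever sees the source, so the destination plays no part
    in the decision; it only matters whether the packet crosses `placement` at all.
    """
    return {(src, dst) for src, dst, hops in flows
            if placement in hops and evaluate(acl, src) == "deny"}


def collateral(acl, placement, flows, intended) -> set[tuple[str, str]]:
    """Flows a placement drops beyond the ones it was meant to drop."""
    return blocked_flows(acl, placement, flows) - intended


def safe_placements(acl, candidates, flows, intended) -> list[Hop]:
    """Candidate placements that drop exactly the intended flows and nothing else."""
    return [p for p in candidates if blocked_flows(acl, p, flows) == intended]


# Constructed sample hosts and the paths their packets take (assumed topology).
INTERNET, LAN1, LAN2, LAN3 = "203.0.113.5", "192.168.1.10", "192.168.2.10", "192.168.3.10"
TO_RTR2 = [("Rtr1", "s0", "in"), ("Rtr1", "s1", "out"), ("Rtr2", "s0", "in")]
FLOWS: list[Flow] = [
    (INTERNET, LAN2, TO_RTR2 + [("Rtr2", "e0", "out")]),
    (INTERNET, LAN3, TO_RTR2 + [("Rtr2", "e1", "out")]),   # hypothetical future segment
    (INTERNET, LAN1, [("Rtr1", "s0", "in"), ("Rtr1", "e0", "out")]),
    (LAN2, INTERNET, [("Rtr2", "e0", "in"), ("Rtr2", "s0", "out"),
                      ("Rtr1", "s1", "in"), ("Rtr1", "s0", "out")]),
    (LAN1, INTERNET, [("Rtr1", "e0", "in"), ("Rtr1", "s0", "out")]),
]

# Goal from the text: keep one Internet address out of the Rtr2 LAN, nothing more.
# 'permit any' is written in IOS wildcard form: address 0.0.0.0, wildcard 255.255.255.255.
ACL = [Entry("deny", INTERNET), Entry("permit", "0.0.0.0", "255.255.255.255")]
INTENDED = {(INTERNET, LAN2)}
CANDIDATES: list[Hop] = [("Rtr2", "e0", "out"), ("Rtr2", "s0", "in"),
                         ("Rtr1", "s1", "out"), ("Rtr1", "s0", "in")]

if __name__ == "__main__":
    for placement in CANDIDATES:
        extra = collateral(ACL, placement, FLOWS, INTENDED)
        print(f"{placement}: collateral = {sorted(extra) or 'none'}")
    print("safe placements:", safe_placements(ACL, CANDIDATES, FLOWS, INTENDED))
```

Running it reports that Rtr1 s0 inbound also drops the Internet host's traffic to the Rtr1 LAN (and to the future e1 segment), that Rtr2 s0 inbound and Rtr1 s1 outbound are clean today but drop the flow to the hypothetical e1 segment, and that only Rtr2 e0 outbound matches the intended set exactly. Subnet-wide denies are modelled with an IOS wildcard, for example `Entry("deny", "192.168.2.0", "0.0.0.255")`.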