Yusuf Bhaiji

"Network Security Technologies and Solutions"

Hence, applying the ACL on Router C is
more appropriate than on Router A or Router B.
When using an extended ACL, apply the filter closest to the source, at the Router A ingress point into the
network. This is recommended because an extended ACL filters packets on source and destination IP address,
source and destination port, and so on, and is much more granular than a standard ACL. Dropping the packet
closer to the ingress point into the network is therefore more appropriate. Although dropping the packet
closer to the destination achieves the same result, it causes unnecessary resource consumption on the
traversing routers: the packet crosses the entire network, chewing up resources, only to be dropped at the
destination, Router C. Hence it is best to drop the packet closer to the source (ingress) within the network
by applying the ACL on Router A instead of Router B or Router C.
Figure 2-2. Where to Apply ACL: Considerations
For some protocols, up to two ACLs can be applied to an interface: one inbound ACL and one outbound ACL.
With other protocols, only one ACL is allowed, and this list checks both inbound and outbound packets.
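
The two placements described above, written out as Cisco IOS configuration. This is an added example, not taken from the book. The addresses (documentation ranges), interface names, ACL numbers and the choice of Telnet as the filtered service are all assumptions.

```cisco
! Constructed topology (all names and addresses are assumptions):
!   Host 192.0.2.10 --[Gi0/0] Router A -- Router B -- Router C [Gi0/1]-- Server 198.51.100.20
!
! ---- Router C: standard ACL, applied closest to the destination ----
! A standard ACL matches on source address only. Applied on Router A or
! Router B it would cut this host off from every network behind that
! router, not just the server segment, so it goes on Router C.
access-list 10 deny   host 192.0.2.10
access-list 10 permit any
!
interface GigabitEthernet0/1
 description Toward server segment (assumed interface)
 ip access-group 10 out
!
! ---- Router A: extended ACL, applied closest to the source ----
! An extended ACL matches source, destination, protocol and port, so it
! can drop exactly the unwanted flow at the ingress point, before the
! packet consumes resources on Router B and Router C.
access-list 110 deny   tcp host 192.0.2.10 host 198.51.100.20 eq 23
access-list 110 permit ip any any
!
interface GigabitEthernet0/0
 description Toward source host (assumed interface)
 ip access-group 110 in
```

On each router, `show access-lists` displays per-entry match counters, which confirm where packets are actually being dropped.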