From: Packet Man (ccie2b@hotmail.com)
Date: Wed Feb 18 2004 - 11:01:45 GMT-3
Actually, Tom, there's not much difference in effect - the denied packets 
will either be dropped when they try to enter the router or they'll be 
dropped when they try to leave the router. Either way the denied packets are 
dropped.

For example, let's say you need to block pings from users on the inside to 
all ip addresses on the outside and you have a 2 interface router where 1 
interface is a LAN interface on the inside and the other is a WAN interface 
connected to the outside.

Once you create your access-list, you need to apply it to an interface.  If 
you apply it to your LAN interface,  the pings will get dropped at the LAN 
interface before being processed by the router's cpu, before a table lookup 
is done and before the packets are switched to the WAN interface.  As a 
result, you save a bit of router resources.

If, however, you apply the access-list to the outside WAN interface, all 
those things get done only for the packet to be dropped at the WAN interface 
- a waste of a bit of router resources.

HTH, PM

>From: Tom Young <gitsyoung@yahoo.co.jp>
>Reply-To: Tom Young <gitsyoung@yahoo.co.jp>
>To: ccielab@groupstudy.com
>Subject: Access-list 's in and out
>Date: Wed, 18 Feb 2004 20:01:49 +0900 (JST)
>
>Hi, group
>
>    I'm always confused by one access-list question: what
>is the difference between setting the in list on the inside
>interface and setting the out list on the outside interface?
>
>Thanks a lot
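
The two placements discussed in this thread, written out as Cisco IOS configuration. This is an added example, not part of the original posts; the ACL number 101 and the interface names FastEthernet0/0 and Serial0/0 are assumptions, since the thread names neither.

```cisco
! Added example: ACL number and interface names are assumed.
!
! Extended ACL: drop ICMP echo requests (pings), permit all other IP traffic.
! Without the final permit, the implicit "deny ip any any" at the end of
! every ACL would block all remaining traffic as well.
access-list 101 deny   icmp any any echo
access-list 101 permit ip any any
!
! Option A: inbound on the inside LAN interface.
! Packets are checked as they arrive, before the routing lookup.
! Side effect: pings from inside hosts to the router's own addresses
! are dropped too, because they also enter through this interface.
interface FastEthernet0/0
 description Inside LAN (assumed name)
 ip access-group 101 in
!
! Option B: outbound on the outside WAN interface.
! Packets are routed first and checked just before transmission.
! Side effects: pings from inside hosts to the router itself still work,
! and pings originated by the router are not filtered, because an
! outbound ACL does not apply to traffic the router generates.
interface Serial0/0
 description Outside WAN (assumed name)
 ip access-group 101 out
!
! Apply one option, not both. On a router with more than two interfaces,
! Option A covers only hosts behind FastEthernet0/0, while Option B covers
! traffic from every interface that exits through Serial0/0.
```

After applying either option, `show access-lists 101` shows the per-entry match counters and `show ip interface` shows which inbound and outbound access lists are set on each interface.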
This archive was generated by hypermail 2.1.4 : Fri Mar 05 2004 - 07:13:50 GMT-3