Security Basics mailing list archives

RE: about access-list location?


From: "Richard Kullmann" <rkullmann () universal-associates com>
Date: Mon, 23 Jun 2003 16:05:19 -0700

What do you mean by "why I should like this"?

A "Standard" IP access list on a Cisco router filters traffic based only on
the source IP address in the packet.

An "Extended" IP access list on a Cisco router allows you to filter traffic
based on both the source and destination IP addresses as well as the value
of the protocol field in the IP header and also based on additional
information such as L4 source and destination ports, control field
information (syn, ack), message types (echo, echo-reply, ttl-exceeded, etc.).

For example look at the two following access-list conditions:

access-list 1 deny 172.16.32.0 0.0.0.255

access-list 101 deny tcp 172.16.32.0 0.0.0.255 host 192.168.1.2 eq telnet

The first condition (ACL 1) blocks all traffic originating on subnetwork
172.16.32.0.  If you place this condition on the router that connects to
172.16.32.0 you will stop that traffic from getting anywhere.  You would
need to place this condition close to the destination so that traffic would
be allowed anywhere between the source and the destination you are blocking
it from.

The second condition (ACL 2) only blocks traffic that is attempting to
telnet from subnetwork 172.16.32.0 to host 192.168.1.2.  If you place this
close to the destination (192.168.1.2), the packets traverse the network
until they get close to the destination and then they get blocked.  If you
place this close to the source (172.16.32.0), the traffic gets blocked only
if it is attempting to telnet to specific host 192.168.1.2 and it doesn't
waste bandwidth traversing the network.

I hope this helps.

Richard Kullmann
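As an added illustration (not part of Richard's post or any Cisco code), here is a small Python model that applies the two access-list lines above to constructed packets on a constructed router path and reports where each packet is dropped. The topology (R1 is the edge router for 172.16.32.0/24, R3 the edge router for 192.168.1.2, R4 fronts an unrelated network) and the sample packets are assumptions made up for the example.

```python
"""Toy model of Cisco standard vs extended ACL placement (constructed example)."""
import ipaddress

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: 0 bits must match the network, 1 bits are ignored."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a | w) == (n | w)

# access-list 1 deny 172.16.32.0 0.0.0.255   (standard: matches on source only)
def acl_1_denies(pkt: dict) -> bool:
    return wildcard_match(pkt["src"], "172.16.32.0", "0.0.0.255")

# access-list 101 deny tcp 172.16.32.0 0.0.0.255 host 192.168.1.2 eq telnet
def acl_101_denies(pkt: dict) -> bool:
    return (pkt["proto"] == "tcp"
            and wildcard_match(pkt["src"], "172.16.32.0", "0.0.0.255")
            and wildcard_match(pkt["dst"], "192.168.1.2", "0.0.0.0")
            and pkt["dport"] == 23)

# Constructed topology (assumption): traffic to 192.168.1.2 crosses R1-R2-R3,
# traffic to the unrelated host 10.0.0.9 leaves via R1-R4.
PATHS = {"192.168.1.2": ["R1", "R2", "R3"], "10.0.0.9": ["R1", "R4"]}

def forward(pkt: dict, acl, applied_at: str) -> tuple:
    """Walk the packet hop by hop with `acl` applied inbound on `applied_at`.
    Returns (outcome, hops_travelled); outcome is 'dropped' or 'delivered'."""
    hops = 0
    for router in PATHS[pkt["dst"]]:
        hops += 1
        if router == applied_at and acl(pkt):
            return ("dropped", hops)
    return ("delivered", hops)

# Constructed sample packets from a host on the 172.16.32.0/24 subnet.
TELNET = {"src": "172.16.32.5", "dst": "192.168.1.2", "proto": "tcp", "dport": 23}
HTTP = {"src": "172.16.32.5", "dst": "192.168.1.2", "proto": "tcp", "dport": 80}
OTHER = {"src": "172.16.32.5", "dst": "10.0.0.9", "proto": "tcp", "dport": 23}

def placement_report() -> dict:
    """Outcome of each packet for the ACL placements discussed in the post."""
    cases = {"acl1@R1": (acl_1_denies, "R1"), "acl1@R3": (acl_1_denies, "R3"),
             "acl101@R1": (acl_101_denies, "R1"), "acl101@R3": (acl_101_denies, "R3")}
    packets = (("telnet", TELNET), ("http", HTTP), ("other", OTHER))
    return {case: {name: forward(p, acl, at) for name, p in packets}
            for case, (acl, at) in cases.items()}

if __name__ == "__main__":
    for case, results in placement_report().items():
        print(case, results)
```

The report shows the standard list at R1 dropping even the unrelated packet, the same list at R3 letting it through, and the extended list at R1 dropping the telnet packet after one hop instead of three.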


-----Original Message-----
From: SB CH [mailto:chulmin2 () hotmail com]
Sent: Sunday, June 22, 2003 8:51 AM
To: security-basics () securityfocus com
Subject: about access-list location?


Hello.

I have a question about the "access-list" of the cisco.

 some say,
 extended access list is located near source and
 standard access list is located near destination.

 I have no idea why I should like this.

 Thanks in advance.


---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.

Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.

Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------