Security Basics mailing list archives

RE: about access-list location?


From: "Naman Latif" <naman.latif () inamed com>
Date: Mon, 23 Jun 2003 10:17:08 -0700

"Standard Access List" = Can only filter based on the Source Address.
Because of this limitation, it has to be near the "Destination" host,
which can then make a decision regarding accept/deny of the packet.

"Extended Access List" = Can filter based on both Source and Destination
address (and much more). So it's better to place it near the source, so
that the packet can be denied (if it is supposed to be) as early as possible
instead of using up all the bandwidth/CPU etc. on the way to the destination
and then being dropped, which is a waste of bandwidth.

E.g.
Host1----->Router1----->Router2----->Host3
              |
              |
            Host2 (connected to Router1)

Let's say Host1 can send packets to Host2, but Host1 cannot send packets to
Host3. Now with

Standard Access List: We cannot apply the list at Router1, since it can
only filter based on the Source address (of Host1), so it would also deny
packets from Host1 to Host2 (which is not required). So we have to place
the Access list on Router2 (near the destination) to only reject packets
to Host3, without affecting the communication between Host1-Host2.

Extended Access List: In this case, we can apply the access-list to
Router1 (near the source) and then create rules to allow Host1-Host2
communication (i.e. filter based on Source/Destination address) but
reject Host1-Host3 communication. Now packets from Host1 to Host3 will be
rejected at Router1 and we will save bandwidth between Router1-Router2.

Regards \\ Naman
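The two placements described above, written out as Cisco IOS configuration. This is an added example, not configuration from the original post or from either poster; the addresses and interface names are assumptions (Host1 10.0.1.10/24 on Router1 FastEthernet0/0, Host2 10.0.2.10/24 on Router1 FastEthernet0/1, Host3 10.0.3.10/24 on Router2 FastEthernet0/1, Serial0/0 on both routers for the Router1-Router2 link).

```cisco
! Added example: standard ACL near the destination vs. extended ACL near the source.
! Addresses and interface names are assumed for illustration:
!   Host1 10.0.1.10/24  - Router1 FastEthernet0/0
!   Host2 10.0.2.10/24  - Router1 FastEthernet0/1
!   Host3 10.0.3.10/24  - Router2 FastEthernet0/1
!   Router1 <-> Router2 - Serial0/0 on both sides

! ---- Standard ACL (source-only match): placed on Router2, near Host3 ----
! Applied outbound on the interface facing Host3 it touches only traffic
! that is about to reach Host3's segment, so Host1 -> Host2 (which never
! leaves Router1) is unaffected.  On Router1 the same list would also have
! blocked Host1 -> Host2, because it cannot see the destination.
hostname Router2
!
access-list 1 remark Drop anything sourced from Host1 headed to Host3's segment
access-list 1 deny   host 10.0.1.10
access-list 1 permit any
!
interface FastEthernet0/1
 ip access-group 1 out

! ---- Extended ACL (source + destination match): placed on Router1, near Host1 ----
! Applied inbound where Host1's packets enter the network, so a packet for
! Host3 is dropped before it uses the Router1 -> Router2 serial link, while
! Host1 -> Host2 is explicitly permitted.
hostname Router1
!
ip access-list extended HOST1-POLICY
 remark Host1 may reach Host2 ...
 permit ip host 10.0.1.10 host 10.0.2.10
 remark ... but not Host3
 deny   ip host 10.0.1.10 host 10.0.3.10
 remark all other traffic on this segment is allowed; without this line the
 remark implicit deny at the end of every ACL would drop it
 permit ip any any
!
interface FastEthernet0/0
 ip access-group HOST1-POLICY in
```

Both lists end with an explicit permit because every IOS ACL has an implicit `deny` at the end; leaving it off is the usual way to accidentally cut off traffic that had nothing to do with the policy. After applying either list, `show access-lists` shows per-entry match counters, so a ping from Host1 to Host3 should increment the deny line and a ping from Host1 to Host2 should not.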


-----Original Message-----
From: SB CH [mailto:chulmin2 () hotmail com] 
Sent: Sunday, June 22, 2003 8:51 AM
To: security-basics () securityfocus com
Subject: about access-list location?


Hello.

I have a question about Cisco "access-lists".

Some say:
 an extended access list is located near the source, and
 a standard access list is located near the destination.

I have no idea why it should be like this.

