Access-list question

charleskoh04

Member
Apr 19, 2005
Hi,

I have a router where e0 is connected to network A and s0 is connected to network B. I wanted to limit access from network B to A.

Question: should the access list be placed on e0 (out) or s0 (in), and why?

Scenario:
I previously placed the access list on s0 (out) and it blocked some of the ports trying to access from network B (I did a show log and show access-list to come to this statement) which are supposed to be allowed. I am curious, as the access list is placed on s0 (out), not (in), and it should not have any effect on the incoming packets.

Any advice or comments will be greatly appreciated.

Cooky

Golden Member
Apr 2, 2002
The access list can be placed on either interface.
1. Create a standard list on e0, outbound.
or
2. Create an extended list on s0, inbound

I forgot if routing is done after the process of ACL. If it is, you may be able to save CPU processing by placing it on s0.

spidey07

No Lifer
Aug 4, 2000
Sounds like you need simple access lists (based only on IP address).

Best to place closest to the source: inbound from network B on S0.

cmetz

Platinum Member
Nov 13, 2001
charleskoh04, always place ACLs on the ingress interface if possible because it minimizes the amount of processing that the router has to do on packets it's going to drop anyways. In many newer boxes, interface ACLs are processed in hardware and so ingress ACLs mean the switching/forwarding engine and CPU never even need to see the packet, which is the best case for performance.
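The two placements Cooky describes, written out as IOS configuration as an added example (not from the thread). The addresses (network A = 192.0.2.0/24 behind Ethernet0, network B = 198.51.100.0/24 behind Serial0) and the ports left open are assumptions for illustration.

```cisco
! Added example, not from the thread. Assumed addressing:
!   network A = 192.0.2.0/24  (reached via Ethernet0)
!   network B = 198.51.100.0/24 (reached via Serial0)
! Goal: limit what network B may reach in network A.
!
! Direction rule that explains the original symptom: "in" on an
! interface matches packets ENTERING the router on it, "out" matches
! packets LEAVING the router on it. An ACL applied "out" on Serial0
! therefore never sees packets arriving from B; it filters the
! A-to-B direction, which includes the replies to B's sessions.
!
! Placement 2 (extended list, inbound on Serial0, closest to the
! source, the option spidey07 and cmetz recommend). Packets from B
! are checked as they enter, before any routing decision.
ip access-list extended B-TO-A-IN
 permit tcp 198.51.100.0 0.0.0.255 192.0.2.0 0.0.0.255 eq 80
 permit tcp 198.51.100.0 0.0.0.255 192.0.2.0 0.0.0.255 eq 443
 permit udp 198.51.100.0 0.0.0.255 192.0.2.0 0.0.0.255 eq 53
 ! replies to sessions that A opened toward B (ACK or RST set)
 permit tcp 198.51.100.0 0.0.0.255 192.0.2.0 0.0.0.255 established
 ! log what gets dropped so "show log" shows why a port is blocked
 deny   ip  198.51.100.0 0.0.0.255 192.0.2.0 0.0.0.255 log
 ! B talking to anything other than A is not this list's concern
 permit ip  any any
!
interface Serial0
 ip access-group B-TO-A-IN in
!
! Placement 1 (standard list, outbound on Ethernet0). A standard list
! matches on SOURCE address only, so it can block B entirely but
! cannot pick individual ports; the router has already routed the
! packet by the time this list runs.
access-list 1 deny   198.51.100.0 0.0.0.255
access-list 1 permit any
!
interface Ethernet0
 ip access-group 1 out
```

After applying either list, `show access-lists` shows a per-entry match counter, which is the quickest way to confirm which line is dropping a port you expected to be open.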