Placing ACLs
Proper ACL placement will filter traffic and make the network more efficient. The ACL should be placed where it has the greatest impact on efficiency.
In Figure the administrator wants to deny Telnet or FTP traffic from the Router A Ethernet LAN segment to the switched Ethernet LAN Fa0/1 on Router D. At the same time, other traffic must be permitted. There are several ways to do this. The recommended solution is an extended ACL that specifies both source and destination addresses. Place this extended ACL in Router A. Then, packets do not cross the Router A Ethernet segment or the serial interfaces of Routers B and C, and do not enter Router D. Traffic with different source and destination addresses will still be permitted.
The general rule is to put the extended ACLs as close as possible to the source of the traffic denied. Standard ACLs do not specify destination addresses, so they should be placed as close to the destination as possible. For example, a standard ACL should be placed on Fa0/0 of Router D to prevent traffic from Router A.
Administrators can only place access lists on devices that they control. Therefore access list placement must be determined in the context of where the network administrator's control extends.
The Interactive Media Activity will teach students where to place ACLs.
The next page will discuss firewalls
No comments:
Post a Comment