Placing Your Controls

When you create ACLs or filters, you must tell the router when to apply them. You’ll want to place them so that your system uses router processing cycles efficiently.

Jason Harper

April 16, 2002


On any networking device, whether it's a router, switch, network Intrusion Detection System (IDS), or firewall, inbound and outbound are subjective terms that depend on the perspective of the device or the NIC in question. Let's consider the example of a router with two NICs—one that connects to the LAN (eth0) and one that connects to the WAN (eth1).

When you create ACLs or filters, you must tell the router which interface to apply them to and in which direction the traffic is flowing. Therefore, if I want to create an ACL that affects requests coming from the LAN through eth0 and going to the WAN through eth1, I might create an ingress (inbound) filter on eth0. Then, as packets arrive on the eth0 interface, the router applies the ACL's rules. Any packet that isn't permitted is dropped before the routing engine ever sees it.

Using the same example, I could instead create an egress (outbound) ACL on eth1 for packets going out. When the interface saw a packet and compared it with the ACL, the interface would either drop the packet or let it through. However, because this approach drops the packet only after it has passed through the router's processing engine, the strategy wastes router processing cycles on traffic that will never leave the device. For this example (LAN to WAN), it's better to process and potentially drop packets as ingress on eth0 before the routing engine sees them.
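The following simulation is an added example, not code from the original article; it models the two-interface router described above to make the cost difference concrete. The `Router` class, the `Rule` format, the interface names, the route table, and the sample packets are all constructed for illustration and do not correspond to any vendor's ACL syntax. The same permit-list is applied once as an ingress ACL on eth0 and once as an egress ACL on eth1, and the routing lookups each placement costs are counted.

```python
"""Simulate ACL placement on a two-interface router (eth0 = LAN, eth1 = WAN).

Added example, not from the original article. The router model, rule format,
route table and sample packets are constructed for illustration only.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str                     # CIDR the source address must fall in
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        return self.dport is None or self.dport == pkt.dport


def evaluate(acl: List[Rule], pkt: Packet) -> bool:
    """First-match semantics with an implicit deny at the end, as on most routers."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action == "permit"
    return False


@dataclass
class Router:
    routes: Dict[str, str]                                   # prefix -> egress interface
    ingress: Dict[str, List[Rule]] = field(default_factory=dict)  # iface -> inbound ACL
    egress: Dict[str, List[Rule]] = field(default_factory=dict)   # iface -> outbound ACL
    route_lookups: int = 0                                   # the cost we want to minimise

    def route(self, pkt: Packet) -> Optional[str]:
        self.route_lookups += 1
        for prefix, iface in self.routes.items():
            if ip_address(pkt.dst) in ip_network(prefix):
                return iface
        return None

    def forward(self, in_iface: str, pkt: Packet) -> Optional[str]:
        """Return the egress interface, or None if the packet is dropped."""
        # 1. The inbound ACL runs before the routing engine sees the packet.
        if in_iface in self.ingress and not evaluate(self.ingress[in_iface], pkt):
            return None
        # 2. Routing lookup: the work we pay for on every packet that reaches it.
        out_iface = self.route(pkt)
        if out_iface is None:
            return None
        # 3. The outbound ACL runs only after the routing decision has been made.
        if out_iface in self.egress and not evaluate(self.egress[out_iface], pkt):
            return None
        return out_iface


# Constructed policy: only LAN hosts may reach the WAN, and only on ports 80/443.
LAN_TO_WAN_POLICY = [
    Rule("permit", "10.0.0.0/24", 80),
    Rule("permit", "10.0.0.0/24", 443),
    # implicit deny for everything else
]

# Constructed sample traffic arriving on eth0 (the LAN side).
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "203.0.113.10", 80),     # permitted
    Packet("10.0.0.6", "203.0.113.10", 443),    # permitted
    Packet("10.0.0.7", "203.0.113.10", 23),     # wrong port, denied
    Packet("10.0.0.8", "203.0.113.11", 25),     # wrong port, denied
    Packet("192.168.1.9", "203.0.113.10", 80),  # source outside the LAN range, denied
]


def run(router: Router):
    """Push the sample packets in on eth0; return (packets forwarded, routing lookups)."""
    forwarded = [p for p in SAMPLE_PACKETS if router.forward("eth0", p) == "eth1"]
    return len(forwarded), router.route_lookups


def compare_placement():
    routes = {"203.0.113.0/24": "eth1", "10.0.0.0/24": "eth0"}  # constructed route table
    ingress_router = Router(routes, ingress={"eth0": LAN_TO_WAN_POLICY})
    egress_router = Router(routes, egress={"eth1": LAN_TO_WAN_POLICY})
    return {"ingress": run(ingress_router), "egress": run(egress_router)}


if __name__ == "__main__":
    for placement, (fwd, lookups) in compare_placement().items():
        print(f"{placement:8s} ACL: {fwd} packets forwarded, {lookups} routing lookups")
```

Both placements forward the same two packets, but the egress ACL on eth1 costs a routing lookup for all five packets while the ingress ACL on eth0 costs one only for the two that are allowed through. One caveat the model makes visible: the two placements are equivalent only for the eth0-to-eth1 path. An egress ACL on eth1 also screens packets that reach eth1 from any other interface, whereas an ingress ACL on eth0 sees nothing that arrives elsewhere, so moving a rule set from one placement to the other can silently change what is covered.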
