Because extended access lists can filter
on more than the source address, location is no longer a constraint.
Frequently, policy decisions and goals are the driving force behind
extended-access-list placement. If your goal is to minimize traffic
congestion and maximize performance, you might want to push the
access lists close to the source to minimize cross traffic and host
unreachable messages. If your goal is to maintain tight control over
access lists as part of your network security strategy, you might
want to have them more centrally located.
The following guidelines should be used for extended-access-list
placement:
- Minimize distance traveled by traffic that will be denied (and
ICMP unreachable messages).
- Keep denied traffic off the backbone.
- Select the router that will bear the CPU overhead of processing the access lists.
- Consider which interfaces are affected.
- Consider access-list management and security.
- Consider network growth impacts on access-list maintenance.
Note: For extended access lists, place them as close to the
source router as possible in order to exercise the most control.
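The following Cisco IOS configuration is an added example, not part of the original text, showing the guidelines and the note applied together: an extended ACL filtered inbound on the LAN-facing interface of the source router so denied traffic never reaches the backbone. The topology, interface names and addresses (RFC 5737 documentation ranges) are constructed for illustration.

```cisco
! Added example, constructed topology: R1 is the source router.
! Gi0/0 faces the user LAN 192.0.2.0/24, Gi0/1 faces the backbone.
! The protected server 203.0.113.10 sits behind a distant router.
!
! Extended ACL: deny Telnet from the user LAN to the server, permit the rest.
! Logging the deny gives an audit trail for the security team.
ip access-list extended LAN-TO-CORE
 remark Filter as close to the source as possible
 deny   tcp 192.0.2.0 0.0.0.255 host 203.0.113.10 eq 23 log
 permit ip any any
!
! Apply INBOUND on the LAN-facing interface of the source router:
!  - denied packets are dropped one hop from the host, so both the
!    denied traffic and any ICMP unreachables travel the minimum distance
!  - denied traffic never enters the backbone on Gi0/1
!  - only R1 pays the CPU cost of evaluating the list
interface GigabitEthernet0/0
 description User LAN (source side)
 ip access-group LAN-TO-CORE in
!
! Check that the deny entry is matching as expected after test traffic:
!   show ip access-lists LAN-TO-CORE
```

If the same list were instead applied on a core router, every denied packet would first cross the backbone, which is exactly what the placement guidelines above are meant to avoid.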