access-list and interfaces
baracus
Member Posts: 50
in CCNA & CCENT
My scenario. I have a 2610 router w/ 3 interfaces:
f 0/0 LAN 1
f 0/1 LAN 2
s 0/0 WAN
I have a Terminal Server on LAN 1. I only want certain IPs from both LAN 2 and the WAN to access the server on tcp 3389. I made an extended ACL with the requirements. My logic would tell me to group the ACL with interface f 0/0 (LAN 1) outbound. However, as I understand it, Cisco recommends that extended ACLs be grouped to the interface nearest the source of the packets. This would indicate that I group the ACL w/ both the f 0/1 and s 0/0 inbound. I know both will do the job. I am just curious what the "correct" solution is.
Thanks for the help.
Comments
Netstudent Member Posts: 1,693

Well, that rule is just a general rule of thumb, and there are always exceptions to the rule. In a large network that requires traffic shaping and bandwidth-saving policies, you would try your best to follow the Cisco ACL rule. But overall you want the access-list to do its job. If putting an extended ACL close to the source does not get the job done, then you have to do something else, like deviate from the rule. I think in your case both would work. I don't think there is an incorrect or correct way. The Cisco rule is a better BW-saving policy, but deviation isn't "wrong" if it gets the requirements. In this case I would put it on the outbound interface because it's going to be on the same router anyway.

There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
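Both placements the thread discusses, written out as IOS configuration for the three-interface 2610 in the question. This is an added example, not config posted by either member; the server address, the two permitted client addresses and the ACL names are constructed placeholders.

```cisco
! Added example. Constructed addresses: Terminal Server 192.168.1.10 on LAN 1
! (f0/0); permitted RDP clients 192.168.2.25 on LAN 2 and 203.0.113.7 via the WAN.
!
! Option A: one extended ACL, applied outbound on the interface facing the server
! (the placement Netstudent prefers). One list covers both source networks.
ip access-list extended RDP-TO-TS
 permit tcp host 192.168.2.25 host 192.168.1.10 eq 3389
 permit tcp host 203.0.113.7 host 192.168.1.10 eq 3389
 deny   tcp any host 192.168.1.10 eq 3389 log
 permit ip any any
!
interface FastEthernet0/0
 ip access-group RDP-TO-TS out
!
! Option B: filter closest to the source, applied inbound on f0/1 and s0/0
! (the Cisco rule of thumb). Each list only needs that interface's permitted host,
! and unwanted 3389 traffic is dropped before the router routes it.
ip access-list extended RDP-FROM-LAN2
 permit tcp host 192.168.2.25 host 192.168.1.10 eq 3389
 deny   tcp any host 192.168.1.10 eq 3389 log
 permit ip any any
!
ip access-list extended RDP-FROM-WAN
 permit tcp host 203.0.113.7 host 192.168.1.10 eq 3389
 deny   tcp any host 192.168.1.10 eq 3389 log
 permit ip any any
!
interface FastEthernet0/1
 ip access-group RDP-FROM-LAN2 in
!
interface Serial0/0
 ip access-group RDP-FROM-WAN in
```

In either option the trailing `permit ip any any` matters: every IOS ACL ends in an implicit deny, so without it all other traffic through that interface would be dropped. After applying, `show ip access-lists` shows per-entry match counters, and the logged `deny` line records rejected 3389 attempts from addresses outside the permitted set.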