Need clarifications on ACLs.

feng.lian Member Posts: 47
As we all know, Cisco's recommendations for standard ACLs are to put them as close to the destination as possible and extended ACLs as close to the source as possible. However, if you look one level deeper, the goal of those policies is to not block too much access for standard ACLs by putting them close to the destination, and to reduce network traffic for extended ACLs by putting them close to the source. The first goal is kind of a requirement that is non-negotiable because you really don't want to block what you shouldn't. The second goal is more about optimization, and there seems to be room for compromise.

If I understand ACLs correctly, blocking access from host A to host B also blocks host B from accessing host A, since there is no way for returning traffic to pass.

Keeping the two previous paragraphs in mind, in a case where it is clear which hosts or subnets are the source and which are the destination, choosing the location of the access list is simple, but what if the destination and source are interchangeable? I.e., what if the goal is to deny two locations access to each other without a clear destination and source?

Sure, in that situation, if you arbitrarily choose a source and destination and apply the standard or extended ACL following Cisco's recommendation, it would work, since the ACL will deny forward traffic as well as returning traffic. This solution would be best if you wish to minimize the number of ACLs used to one.

However, if your goal is to minimize network traffic, wouldn't it make more sense to create two ACLs and apply one of each on a different router interface? This solution not only reduces traffic, but also saves host processing time, since they wouldn't have to process requests and send back replies which would be blocked anyway on their return path. The trade-off would be that we would now have two routers (or two interfaces on one router) that will have to check ACLs and spend CPU cycles. However, if it is two routers and not two interfaces on the same router, that would kind of balance the load.

So, now my question is, in an ICND1 exam environment, how should I implement ACLs when the destination and source are blurred? I'm pretty sure the Odom book has no recommendations for that, or maybe I missed something. Also, I really don't think asking this is some kind of brain **** because I think I do know how ACLs work technically. I also do understand what Cisco's recommendations are and, more importantly, WHY those recommendations are made. It is specifically because I understand the WHY that I'm making this post for clarifications.

I'm also interested in knowing what a network engineer would do in real life. Here are the situations I can think of.

1) What if we have a situation where there are three routers: subnet A connected to router A, connected to router B, connected to router C, connected to subnet C. We want to block traffic between subnet A and subnet C. What if the router that is in between, router B, is a much more powerful router than routers A and C, and ACLs can be checked extremely fast? Also, routers A and C already have huge ACLs on their interfaces for other reasons. Would that be a good situation where we should maybe put two ACLs on router B, one on each interface? This would violate Cisco's recommendations no matter which end you define as source and which as destination, but wouldn't this make more sense?

2) Using the same network from the first sentence of the previous paragraph. What if the link between router A and router B and the link between router B and router C are WAN links which are slow and already congested? In that case, wouldn't it make sense to minimize traffic to the extreme and use two ACLs?

Sorry for the wall of text and thanks for reading.
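For readers who want to see what the "two ACLs on router B, one per interface" option from scenario 1 looks like in IOS, here is an added configuration example (not from the thread or from Cisco documentation). It assumes subnet A is 192.168.10.0/24 behind GigabitEthernet0/0 and subnet C is 192.168.30.0/24 behind GigabitEthernet0/1; both addresses and interface names are made up for the example.

```cisco
! Added example, not part of the original post. Assumed addressing:
!   subnet A = 192.168.10.0/24, reached via Gi0/0 (toward router A)
!   subnet C = 192.168.30.0/24, reached via Gi0/1 (toward router C)
!
! Extended ACLs applied INBOUND on each interface drop A<->C packets as
! soon as they enter router B, so they never cross the far WAN link.
! Each ACL ends with an explicit permit so all other traffic still flows
! (the implicit deny would otherwise drop everything else).
ip access-list extended DENY-A-TO-C
 deny   ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
 permit ip any any
!
ip access-list extended DENY-C-TO-A
 deny   ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip any any
!
interface GigabitEthernet0/0
 description link to router A
 ip access-group DENY-A-TO-C in
!
interface GigabitEthernet0/1
 description link to router C
 ip access-group DENY-C-TO-A in
!
! With only DENY-A-TO-C in place, a host in C could still send packets
! across to A; only A's replies would be dropped on their way back. The
! second ACL is what stops C-initiated traffic at its first hop into B.
!
! Verification: the per-entry hit counters show which direction is being
! blocked, which is useful when troubleshooting a "can't reach" report.
! show ip access-lists
! show ip interface GigabitEthernet0/0 | include access list
```

The equivalent with standard ACLs (as suggested later in the thread) would match only on source address and be applied outbound on the opposite interface, which blocks the same flows but only after the packet has already been routed through router B.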


  • ZZOmega Member Posts: 24
    Indeed a good question. Although your explanation created a wall of text, it helped me understand where you're coming from and to what extent you know the material. I've barely even looked up anything Network-related since I received my CCNA in June, so the following will be comprised of personal preference, as well as what knowledge I'm able to salvage.

    Before I answer any specific questions, I am curious as to the other tasks that Router B is performing. I would imagine that Router B is by itself, with only 2 ports that are being utilized by Routers A and C, since you did not indicate that any other traffic will be passed through Router B unless it originates from either Subnet A or Subnet C. So, in this situation, I gather that Router B is mostly acting as an expensive, ACL-capable repeater, yes? :P

    In my opinion, worrying about processing power will come before any concern of unnecessary traffic passing through a certain link. If implementing a certain ACL will demand more of the processor than is available, ALL traffic passed to the router will be compromised.

    Also, I'm pretty sure that Cisco promotes these concepts only as a general rule of thumb, and when faced with complicated situations such as this, a compromise/balance would probably be best. Then again, they'd probably also recommend you to buy better routers to replace A and C :P

    Regarding your first question:

    I agree. Of course there are many factors to be considered here, and based on those factors, a better solution may present itself. But for this situation and the lack of information, standard ACLs on router B seem like the best solution, in the out direction of course.

    As for the second question, I would analyze Router B and confirm that it has sufficient processing power to endure this task.

    If we're talking about a closed network, and Router B is powerful enough, this move shouldn't have a noticeable effect on your network performance.

    If the network needs access to the internet, I would assume that Router B is the border router, since it's the most powerful. In this case, I would advise you to pursue other options instead, since performing an ACL on every packet destined out each interface seems like it would degrade network performance considerably. The only way out that I can see is giving both Routers A and C internet access as well, but that in and of itself would defeat the purpose of this entire discussion.

    In advance, I apologize for anything I wrote that could cause confusion, it is 3am for me here. :)

    Hope this helps,
  • stuh84 Member Posts: 503
    Some of this comes more into the scope of the CCNP, but in terms of processing power and how everything is used, on a router, everything goes straight to the control plane (in effect the software side) to deal with every packet. They may take part in CEF, but this isn't guaranteed (if it is turned off for example.)

    On something like a layer 3 switch, the ACLs will get broken down into what is called the TCAM table. This means that a packet will go through the TCAM table to see if it matches the criteria (e.g. drop this packet as it is coming from this source), whereas anything that doesn't match will get forwarded at wire speed. Combined with CEF, this means that for a lot of traffic, it goes a similar path, if not the same one each time, and therefore doesn't need a lookup every single time. This is done a lot faster than processing each individual packet. This will be why, in general, switches are used at the access layer, with individual access control placed as close to the users as possible, and routers are in the core making the policy/routing decisions. Sometimes this line can get a bit blurry, but that's how it tends to be.

    Also, an explanation Ivan Pepelnjak gave about CAM style memory is that it doesn't work on the basis that each byte of the memory is searched through to find an entry, it instead works on a basis similar to asking the memory if it has an entry, and the memory replies with a yes or no.

    This may go a bit above and beyond what you need to know, and you can probably find much better and more in-depth explanations on this, but the best way to think of it is that the CCNA, like it does with practically all topics in it, is only really touching the surface of what goes on :)
    Work In Progress: CCIE R&S Written

    CCIE Progress - Hours reading - 15, hours labbing - 1
  • feng.lian Member Posts: 47
    Thanks for all the answers, although I didn't understand most of them. I should have put more emphasis that my main goal for asking is to know how I should proceed in a CCNA exam environment.

    By the way, I just passed the ICND2 exam today, 932/1000. I knew I made a mistake on an early frame relay question like almost right after I clicked next which really unsettled me. Also, I was rushed the whole time and finished with only less than 3 mins. Well, I'm glad it turned out okay in the end.
  • wirerat Member Posts: 251
    feng.lian wrote: »
    By the way, I just passed the ICND2 exam today, 932/1000.
    Congrats on the pass!
  • feng.lian Member Posts: 47

    Now, I'm thinking of going for the MCITP Enterprise Admin while looking for work with my CCNA. I'll probably work for maybe a year then start studying for the CCNP. I think I read somewhere that a CCNP isn't gonna be worth much without actual experience and that is the point I am right now. Just graduated from university and almost no experience in the IT field. Looking for work is not gonna be fun...