ACL

Quick question about ACLs. How do you know whether to put it on an inbound or outbound interface, and how do you determine which router to put it on in a multiple router network?

Ed

All depends what you are trying to achieve. If you are simply blocking a port or service because of risk, then you should block it at the closest spot, which would be inbound on a directly connected interface. However, if it is a general block like the worms from a few years back, this ends up being tedious as you have to add it on each VLAN. In that case, and assuming perhaps you had a WAN site that did not have its own internet connection, you could block on the inbound interface on the WAN router.

The bottom line is that there is no yes or no way to do ACLs, it all comes down to what you are trying to accomplish, and what you are trying to permit or deny. But if you are trying to be as complete and secure as possible, the general rule of thumb is ACLs at the closest interface to the source of the traffic.

Trendkill
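An added example (not from the thread) showing the two placements Trendkill describes in Cisco IOS syntax; the VLAN number, interface names and addresses are constructed for illustration:

```cisco
! --- Case 1: block close to the source: inbound on the access VLAN interface ---
! Constructed: user VLAN 10 is 10.10.10.0/24; "in" means packets entering the router here
ip access-list extended BLOCK-SMB-FROM-USERS
 remark Stop hosts on VLAN 10 from reaching TCP/445 anywhere (worm-style traffic)
 deny   tcp 10.10.10.0 0.0.0.255 any eq 445 log
 remark Everything else is allowed; without this line the implicit deny drops all traffic
 permit ip any any
!
interface Vlan10
 description Users - VLAN 10 (source side of the traffic)
 ip address 10.10.10.1 255.255.255.0
 ip access-group BLOCK-SMB-FROM-USERS in
!
! --- Case 2: one general block on the WAN router instead of on every VLAN ---
! Constructed: Gi0/1 receives the remote site's traffic; the remote LAN is 10.20.0.0/16
ip access-list extended BLOCK-SMB-FROM-WAN
 remark Applied once, inbound on the interface that receives the remote site's traffic
 deny   tcp 10.20.0.0 0.0.255.255 any eq 445 log
 permit ip any any
!
interface GigabitEthernet0/1
 description WAN link toward the remote site
 ip address 192.0.2.1 255.255.255.252
 ip access-group BLOCK-SMB-FROM-WAN in
!
! Verify placement and watch hit counters / log messages to confirm the ACL is matching
! show ip access-lists BLOCK-SMB-FROM-USERS
! show ip interface Vlan10 | include access list
```

The `log` keyword on the deny lines gives you a record of which hosts tried, which is useful for finding infected machines rather than just silently dropping the traffic.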
