1

This might seem like a simple/dumb question, but for me it is not. Please bear in mind, that I'm not a network administrator, so it's not obvious to me. Anyways, straight to the point:

Why do I need to bind ACL to specific interface ? In other words, why do i have to do:

interface ethernet0
ip access-group 1 in

instead of just telling the router/switch to use ACL (in my example #1) for all incoming traffic ? Personally I can think only about two reasons (below), but I have an odd feeling that there might something else:

a) Optimization. E.g. if hardware uses some ASICs for each network interface, allowing to filter-out incoming traffic before it 'enters' control plane.

b) By convention. This is rather unlikely.

Thanks.

zbro
  • 27
  • 6
  • It is because it is unlikely that you want to use one ACL on _all_ the interfaces. Usually it is just one interface, or a subset of interfaces. You could certainly apply any ACL to all your interfaces, but for an ACL that affects a network or host reached through a single interface, it really does not make sense to apply that ACL to all the other interfaces. As it is you could have different ACLs for different interfaces, and that is very common. – Ron Maupin Oct 19 '20 at 23:45

2 Answers2

2

Well, I would say they do it for granularity and to actually make things much easier to understand so there isn't any confusion created. Of course, to make things easier for really specific scenarios Cisco could implement some sort of command, in global mode, that could easily make you apply "ip access-group 1 in" to multiple interfaces, but I think this could also be easily achieved with the "interface range" command.

Furthermore, the scenario that you are probably having right now it's very specific, as to get more control you need ACL's to be more specific, so a rule that would work for inbound traffic might not be that great for outbound traffic, and the same is quite similar with the interfaces that are part of different purpose zones that you define in your network (WAN, LAN, DMZ etc.), but for which traffic could be routed by the same router device.

Alex andru
  • 51
  • 3
1

The router OS tries to keep CPU load as low as possible. Therefore even when interface processor modules do not have their own ASICs they utilize separate packet processing CPU loops/threads.

When ACLs filter out uninteresting packets they just skipped silently, freeing packet queues memory and not affecting CPU.

In fact packet processing of a single 64K serial link could overwhelm a good RISC processor. I've seen this when Cisco 3662 was attacked by CodeRed worm, that used crafted TCP options field to bypass interface fast packet switching path and reach the CPU to be routed, resulting a sustained 100% load.

Oleg Kirillov
  • 24
  • 3