Filter Placement Considerations


For the best performance, you must consider not only the efficient design of the access list itself but also the placement of the filter on the router and in the internetwork.

As a rule of thumb, security filters usually are incoming filters. Filtering unwanted or untrusted packets before they reach the routing process prevents spoofing attacks, wherein a packet fools the routing process into thinking it has come from somewhere it hasn't. Traffic filters, on the other hand, usually are outgoing filters. This approach makes sense when you consider that the point of a traffic filter is to prevent unnecessary packets from occupying a particular data link.

Aside from these two rules of thumb, another factor to consider is the number of CPU cycles the combined access list and routing processes will use. An incoming filter is invoked before the routing process, whereas an outgoing filter is invoked after the routing process (Figure B.13). If most packets passing through the routing process are to be denied by the access list, an incoming filter may save some processing cycles.

Figure B.13. Incoming packet filters are invoked before the routing process, whereas outgoing packet filters are invoked after the routing process


Standard IP access lists can filter only on source addresses. Consequently, a filter using a standard list must necessarily be placed as close to the destination as possible so that the source still has access to other, nonfiltered destinations (Figure B.14(a)). As a result, bandwidth and CPU cycles may be wasted delivering packets that will ultimately be dropped.

Figure B.14. Filters that use standard access lists generally must be placed close to the destination (a), whereas extended access lists can be placed close to the source (b).


Extended IP access lists, because of their capability to identify very specific packet characteristics, should be placed as close to the source as possible to prevent wasting bandwidth and CPU cycles transporting "doomed" packets (Figure B.14(b)). On the other hand, the complexity of extended lists means more of a processing burden. These tradeoffs must be considered when deciding where on the network to place a filter.
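The two placements of Figure B.14, together with an incoming security filter on the WAN link, as an added IOS configuration example that is not from the book; router names (R1, R2), interface names and all addresses (10.1.0.0/16 workstations, server 10.2.0.10, link 192.168.12.0/30) are constructed for illustration:

```cisco
! --- R2 (destination side): standard list placed close to the destination, Figure B.14(a) ---
! A standard list matches only the source address, so it must sit on the interface
! facing the server segment; 10.1.3.0/24 can still reach every other destination.
access-list 1 remark Keep the 10.1.3.0/24 workstation segment off the server LAN
access-list 1 deny   10.1.3.0 0.0.0.255
access-list 1 permit any
!
interface Ethernet0
 description Server segment 10.2.0.0/24 (constructed addresses)
 ip address 10.2.0.1 255.255.255.0
 ip access-group 1 out
!
! The security filter on the WAN link is incoming: packets arriving from outside
! that claim a source inside our own address block are dropped before routing.
access-list 2 remark Anti-spoofing: our own addresses never arrive from outside
access-list 2 deny   10.2.0.0 0.0.255.255
access-list 2 permit any
!
interface Serial0
 description Link to R1
 ip address 192.168.12.2 255.255.255.252
 ip access-group 2 in

! --- R1 (source side): extended list placed close to the source, Figure B.14(b) ---
! The extended list names both source and destination, so the "doomed" packets
! are dropped at the first hop instead of crossing the serial link to R2.
access-list 101 remark Block 10.1.3.0/24 to server 10.2.0.10 only; allow all else
access-list 101 deny   ip 10.1.3.0 0.0.0.255 host 10.2.0.10
access-list 101 permit ip any any
!
interface Ethernet0
 description Workstation segment 10.1.3.0/24 (constructed addresses)
 ip address 10.1.3.1 255.255.255.0
 ip access-group 101 in
```

With the extended list on R1, a denied packet costs R1 one inbound lookup and never consumes the serial link or R2's CPU; with only the standard list on R2, the same packet is routed across the link and dropped on the way out of Ethernet0.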

You must also understand how your access list will affect switching on the router. For instance, an interface using an extended IP access list cannot be autonomously switched; dynamic access lists cannot be silicon switched and may affect silicon switching performance. Named access lists are not supported at all before IOS 11.2.

The effect of an access list on switching may be critical on backbone or core routers. Be sure to fully research and understand the effects an access list may have by reading the Cisco Configuration Guide for the IOS being used on your router. In some cases, a packet filtering router, a smaller router dedicated to nothing but packet filtering, can be used to offload the filtering burden from a mission-critical router.



Routing TCP/IP (Vol. 1, 1998)