> At 12:13 AM 3/21/96 +1100, Darren Reed wrote:
> >I heard an interesting comment today, from a network engineer, who said
> >that Cisco had told him that using input and output acl's on the same
> >interface would produce unpredictable results and to rewrite the filters
> >to be "all output" or "all input" for a given interface (apparently they
> >tried, but things didn't happen as expected and that was Cisco's advice).
> >Is anyone actually using filters for both input and outut on an interface,
> >if so, what IOS rev., and is there any substance to this (ie buggy revcs of
> >the IOS) or does it just require things to be done "right" ?
> There's no obvious basis for this assertion.
> The only thing that I can think of (which is in no way security related)
> is that perhaps whomever told you this was confusing inbound ACLs and
> outbound ACLs with the impact on switching performance. Each does have
> differences in how it impacts the switching mode, depending on whether
> they are simple or extended ACLs, the version of software running in
> the box, and the router model/platform.
> e-mail: pferguso @
com c i s c o S y s t e m s
I think Paul's right that there's no obvious basis, but a couple of points:
the cisco doc insists there's no effective difference in performance of
input and output filters, although intuition says otherwise. The doc
also counsels that virtually all the performance "hit" comes on the first
packet of the connection. And the ability to affect performance of a
router may have a bearing on a denial of service attack, which is
certainly security related.
W.C. Epperson "I have great faith in fools.
Senior SE Self-confidence, my friends call it."
Information Security Officer --Edgar Allan Poe--
Virginia Dept. of Education