Why are Cisco access-lists bound to a specific interface?

This might seem like a simple/dumb question, but for me it is not. Please bear in mind that I'm not a network administrator, so it's not obvious to me. Anyways, straight to the point:

Why do I need to bind an ACL to a specific interface? In other words, why do I have to do:

interface ethernet0
ip access-group 1 in

instead of just telling the router/switch to use an ACL (in my example, #1) for all incoming traffic? Personally I can think of only two reasons (below), but I have an odd feeling that there might be something else:

a) Optimization. E.g. if the hardware uses some ASICs for each network interface, allowing it to filter out incoming traffic before it 'enters' the control plane.

b) By convention. This is rather unlikely.

Thanks.


Solution 1:

The router OS tries to keep CPU load as low as possible. Therefore even when interface processor modules do not have their own ASICs they utilize separate packet processing CPU loops/threads.

When ACLs filter out uninteresting packets, they are just skipped silently, freeing packet queue memory and not affecting the CPU.

In fact, packet processing of a single 64K serial link could overwhelm a good RISC processor. I've seen this when a Cisco 3662 was attacked by the CodeRed worm, which used a crafted TCP options field to bypass the interface fast packet switching path and reach the CPU to be routed, resulting in a sustained 100% load.

Solution 2:

Well, I would say they do it for granularity and to actually make things much easier to understand so there isn't any confusion created. Of course, to make things easier for really specific scenarios Cisco could implement some sort of command, in global mode, that could easily make you apply "ip access-group 1 in" to multiple interfaces, but I think this could also be easily achieved with the "interface range" command.

Furthermore, the scenario that you are probably having right now is very specific, as to get more control you need ACLs to be more specific, so a rule that would work for inbound traffic might not be that great for outbound traffic. The same is quite similar with the interfaces that are part of different-purpose zones that you define in your network (WAN, LAN, DMZ etc.), but for which traffic could be routed by the same router device.
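To make the point of the question and of Solution 2 concrete, here is a small Python model (an added example, not Cisco code and not from either answer) of how IOS treats a numbered standard ACL: the ACL is defined once globally, it is evaluated only on the interface and in the direction it is bound to with `ip access-group <n> in|out`, wildcard-mask matching is first-match-wins, and every ACL ends in an implicit deny. The configuration binds the same ACL 1 inbound on two internal interfaces at once (via `interface range`) and outbound on the WAN interface, so the identical rule text acts as an ingress filter in one place and an egress filter in the other. The interface names, prefixes and routing table are constructed for the example.

```python
"""Model of a Cisco IOS router applying a numbered standard ACL bound to an
interface with `ip access-group <n> in|out`.  Added illustration, not Cisco
code: ACL syntax, wildcard masks, implicit deny and per-interface/direction
binding follow IOS; interfaces, prefixes and routes are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass
class AclEntry:
    action: str      # "permit" or "deny"
    network: int     # IPv4 address as an integer
    wildcard: int    # IOS wildcard mask: 0 bits must match, 1 bits are don't-care

    def matches(self, src: int) -> bool:
        # Only the bits the wildcard leaves at 0 are compared.
        return ((src ^ self.network) & ~self.wildcard & 0xFFFFFFFF) == 0


def parse_acl_line(line: str):
    """access-list <n> permit|deny (any | host A.B.C.D | A.B.C.D W.W.W.W)"""
    parts = line.split()
    number, action = int(parts[1]), parts[2]
    if parts[3] == "any":
        net, wc = 0, 0xFFFFFFFF
    elif parts[3] == "host":
        net, wc = int(ipaddress.IPv4Address(parts[4])), 0
    else:
        net = int(ipaddress.IPv4Address(parts[3]))
        wc = int(ipaddress.IPv4Address(parts[4])) if len(parts) > 4 else 0
    return number, AclEntry(action, net, wc)


def expand_range(spec: str):
    """'Gi0/0 , Gi0/2' or 'Gi0/0 - 2' -> list of interface names."""
    names = []
    for chunk in spec.split(","):
        chunk = chunk.strip()
        if " - " in chunk:
            base, last = chunk.split(" - ")
            prefix, first = base.rsplit("/", 1)
            names += [f"{prefix}/{i}" for i in range(int(first), int(last) + 1)]
        else:
            names.append(chunk)
    return names


class Router:
    def __init__(self, routes):
        self.acls = {}        # ACL number -> [AclEntry]; defined once, globally
        self.bindings = {}    # (interface, "in"|"out") -> ACL number
        self.routes = routes  # constructed: destination prefix -> egress interface

    def configure(self, config: str):
        selected = []  # interface(s) currently in interface configuration mode
        for raw in config.splitlines():
            line = raw.strip()
            if not line or line.startswith("!"):
                continue
            if line.startswith("access-list "):
                n, entry = parse_acl_line(line)
                self.acls.setdefault(n, []).append(entry)
            elif line.startswith("interface range "):
                selected = expand_range(line[len("interface range "):])
            elif line.startswith("interface "):
                selected = [line.split()[1]]
            elif line.startswith("ip access-group "):
                _, _, n, direction = line.split()
                for iface in selected:
                    self.bindings[(iface, direction)] = int(n)

    def check(self, iface, direction, src: int) -> str:
        n = self.bindings.get((iface, direction))
        if n is None:
            return "permit"          # nothing bound here: traffic is not filtered
        for entry in self.acls.get(n, []):
            if entry.matches(src):
                return entry.action  # first match wins
        return "deny"                # implicit deny at the end of every ACL

    def route(self, dst: str) -> str:
        addr = ipaddress.IPv4Address(dst)
        nets = [(ipaddress.IPv4Network(p), i) for p, i in self.routes.items()]
        return max((c for c in nets if addr in c[0]), key=lambda c: c[0].prefixlen)[1]

    def forward(self, in_iface, src, dst):
        """('forwarded', egress, None) or ('dropped', interface, direction)."""
        s = int(ipaddress.IPv4Address(src))
        if self.check(in_iface, "in", s) == "deny":
            return ("dropped", in_iface, "in")   # filtered before routing
        out_iface = self.route(dst)
        if self.check(out_iface, "out", s) == "deny":
            return ("dropped", out_iface, "out")
        return ("forwarded", out_iface, None)


CONFIG = """
! ACL 1 is defined once, globally: the router's internal prefixes
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 172.16.0.0 0.0.0.255
! Bound inbound on both internal interfaces at once: rejects spoofed sources
interface range GigabitEthernet0/0 , GigabitEthernet0/2
 ip access-group 1 in
! The same ACL bound outbound on the WAN side: only internal sources may leave
interface GigabitEthernet0/1
 ip access-group 1 out
"""
ROUTES = {"192.168.1.0/24": "GigabitEthernet0/0",   # constructed
          "172.16.0.0/24": "GigabitEthernet0/2",
          "0.0.0.0/0": "GigabitEthernet0/1"}


def build_router() -> Router:
    r = Router(ROUTES)
    r.configure(CONFIG)
    return r


if __name__ == "__main__":
    r = build_router()
    print(r.forward("GigabitEthernet0/0", "192.168.1.10", "198.51.100.5"))
    print(r.forward("GigabitEthernet0/0", "10.9.9.9", "198.51.100.5"))
    print(r.forward("GigabitEthernet0/1", "198.51.100.5", "203.0.113.9"))
```

The third packet in the usage block is the instructive one: it enters the WAN interface, where nothing is bound, so it is not filtered on ingress, but it is routed back out the same interface and ACL 1 outbound drops it because its source is not internal. A single global "use ACL 1 for all incoming traffic" switch could not express that, which is the granularity both the question and Solution 2 are pointing at.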