8.5 Filtering

One of the most important things a designer can do to improve how efficiently a network uses its resources is to filter out ill-behaved or unwanted traffic. This is particularly true for chatty protocols that tend to transmit unnecessary data. A good example of filtering for efficiency comes from IPX networking. In an IPX network, every device that has any sort of service to offer sends out Service Advertisement Packets (SAP). This information then circulates not just over the local segment, but throughout the entire network. Although unnecessary SAP information may not have a significant effect on the bandwidth used in the network, it can have a large impact on the amount of memory that Core routers need in order to keep track of it. Specifically, every printer sends at least one SAP; so does every Windows NT workstation.

In a large network, it is difficult enough to ensure that the SAP information regarding important servers is distributed correctly. If there are unneeded SAPs for every printer and workstation, then the amount of required memory can easily exceed the available resources. So this is a good example of the need for filtering. The first router that sees the unwanted SAP information simply discards it without passing it along. The information stays local to the LAN segment where it is used and does not use up key network resources.

Filtering can also restrict malicious, unwanted traffic. For example, some popular Internet-based attacks use certain types of ICMP packets, or the packets used in setting up TCP connections. If these packets are not eliminated, they may cause serious network problems. Thus, these specific types of packets can be filtered at the network boundaries.

I want to stress once again that connecting to an untrusted external network without a firewall is foolish. However, in some organizations, these same sorts of problems can arise either because of malicious employees or because of innocently executed malicious programs. In these cases, it may become necessary to filter the unwanted traffic at the user LAN segment level, just as I suggested eliminating unwanted IPX SAP information.

In many networks, chatty, unnecessary little applications (and network games!) can be easily filtered and prevented from crossing the network. The key is to remove the unwanted traffic as soon as possible. This usually means that the filtering should be applied at the edges of the network. If the network adjoins another network, then the border routers should perform this filtering before the unwanted traffic enters the network. Similarly, if the filtering is to restrict traffic from user LAN segments, then the best place to run the filter is on the default gateway routers for those segments.
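The placement rule above, as an added example that is not from the book: a small simulation in which the user-LAN default gateway drops local-only SAP chatter and unwanted applications, while the border router drops abusable ICMP and unsolicited TCP setup packets before they enter the network. The packet fields, service names, ICMP type, published hosts and application labels are all constructed assumptions for this example.

```python
# Edge-filter simulation, added as an example (not from the book). Packets are
# constructed dicts; the rule sets are assumptions chosen to mirror the text:
# SAP filtering on the user-LAN default gateway, ICMP and TCP-setup filtering
# on the border router facing an untrusted network.

LOCAL_ONLY_SAP = {"print-server", "nt-workstation"}        # assumed service names
BLOCKED_ICMP_TYPES = {"redirect"}                           # assumed type to block
INTERNAL_SERVICES = {("10.1.1.25", 25), ("10.1.1.80", 80)}  # assumed published hosts
UNWANTED_APPS = {"game"}                                    # assumed application label

def gateway_policy(pkt):
    """Default gateway of a user segment: keep local chatter on the segment."""
    if pkt["proto"] == "ipx-sap" and pkt["service"] in LOCAL_ONLY_SAP:
        return "drop", "SAP stays on the local segment"
    if pkt.get("app") in UNWANTED_APPS:
        return "drop", "unwanted application"
    return "permit", "forwarded"

def border_policy(pkt):
    """Border router: stop abusable packets before they enter the network."""
    if pkt["direction"] != "inbound":
        return "permit", "outbound traffic is not filtered here"
    if pkt["proto"] == "icmp" and pkt["type"] in BLOCKED_ICMP_TYPES:
        return "drop", "blocked ICMP type"
    if pkt["proto"] == "tcp" and pkt["flags"] == "SYN" \
            and (pkt["dst"], pkt["dport"]) not in INTERNAL_SERVICES:
        return "drop", "TCP setup to an unpublished host or port"
    return "permit", "forwarded"

POLICIES = {"gateway": gateway_policy, "border": border_policy}

def apply_filter(role, packets):
    """Map each packet id to the action a router of this role takes on it."""
    return {p["id"]: POLICIES[role](p)[0] for p in packets}

# Constructed sample traffic as seen by each router role
GATEWAY_TRAFFIC = [
    {"id": "sap-printer", "proto": "ipx-sap", "service": "print-server"},
    {"id": "sap-nt", "proto": "ipx-sap", "service": "nt-workstation"},
    {"id": "sap-file", "proto": "ipx-sap", "service": "file-server"},
    {"id": "game", "proto": "udp", "app": "game"},
    {"id": "web", "proto": "tcp", "app": "http"},
]
BORDER_TRAFFIC = [
    {"id": "redir", "proto": "icmp", "type": "redirect", "direction": "inbound"},
    {"id": "echo", "proto": "icmp", "type": "echo-request", "direction": "inbound"},
    {"id": "syn-mail", "proto": "tcp", "flags": "SYN", "dst": "10.1.1.25", "dport": 25, "direction": "inbound"},
    {"id": "syn-desk", "proto": "tcp", "flags": "SYN", "dst": "10.1.2.7", "dport": 139, "direction": "inbound"},
    {"id": "ack-web", "proto": "tcp", "flags": "ACK", "dst": "10.1.2.7", "dport": 40000, "direction": "inbound"},
]
```

Running `apply_filter("gateway", GATEWAY_TRAFFIC)` shows the printer and workstation SAPs and the game traffic dropped on the segment's own gateway, while the file-server SAP still propagates; `apply_filter("border", BORDER_TRAFFIC)` drops only the ICMP redirect and the TCP setup to an unpublished desktop.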