I have the following network topology (from outside to inside):
Router <=> Firewall <=> Multilayer Switch <=> L2 Switches <=> PC & Servers
One of my Servers is Web-server and there is a requirement to eliminate the access to the Web-Site (which is resides to this Web-Server) to specific range of public IP Addresses.
For instance my Web-Server has the Private IP Address 10.10.10.10 and via static NAT at my firewall takes place the translation to one Public IP Address 20.20.20.20
In order to implement the requirement I have two basic options:
1)Set ACL at Router to the appropriate physical Gigabit interface
In this instance I am using the internal gigabit interface towards my Firewall. In order to construct the ACL I am using for the destination IP Address the public IP (20.20.20.20). In this case every packet from the internet must be inspect by this ACL before enter to my local network.
2)Set ACL at Multilayer Switch to the appropriate Vlan Interface.
In this instance I am using the corresponding Vlan interface (at the same network of my Web servers). In order to create the ACL I utilize for the destination Address the private IP Address (10.10.10.10) as now there has been executed the NAT translation. In this case the I constraint the inspection only to a specific VLAN but also at the same time many unwanted packets come into my local network up to the Mutlilayer Switch.

Which of these two methods could be assessed more ideal in terms of performance and security?