Access List

rakem

So i know that standard access lists are supposed to be placed as close to the destination as possible, and extended access lists are supposed to be places as close to the source as possible.

My question is - why should any access list be placed close to the destination? this means that the packet needs to travel accross the network before it gets denied / permitted. Wouldnt it be better to deny / permit the traffic before it goes accross the network?

BubbaJ

rakem wrote:

So i know that standard access lists are supposed to be placed as close to the destination as possible, and extended access lists are supposed to be places as close to the source as possible.

My question is - why should any access list be placed close to the destination? this means that the packet needs to travel accross the network before it gets denied / permitted. Wouldnt it be better to deny / permit the traffic before it goes accross the network?

The reason for the difference is that an extended list has a source in it so you can actually know where the source is. A standard access list may have sources on many different (perhaps unknown) networks which would require many placements of the list if you are trying to get close to the source.

This is really a general rule, and there are many instances where it may make sense to do just the opposite. It makes sense from a CCNA level.