Access List

rakem Member Posts: 800
So I know that standard access lists are supposed to be placed as close to the destination as possible, and extended access lists are supposed to be placed as close to the source as possible.

My question is: why should any access list be placed close to the destination? This means that the packet needs to travel across the network before it gets denied / permitted. Wouldn't it be better to deny / permit the traffic before it goes across the network?
CCIE# 38186
showroute.net

Comments

  • BubbaJ Member Posts: 323
    rakem wrote:
    So I know that standard access lists are supposed to be placed as close to the destination as possible, and extended access lists are supposed to be placed as close to the source as possible.

    My question is: why should any access list be placed close to the destination? This means that the packet needs to travel across the network before it gets denied / permitted. Wouldn't it be better to deny / permit the traffic before it goes across the network?
    The reason for the difference is that an extended list has a source in it so you can actually know where the source is. A standard access list may have sources on many different (perhaps unknown) networks which would require many placements of the list if you are trying to get close to the source.

    This is really a general rule, and there are many instances where it may make sense to do just the opposite. It makes sense from a CCNA level.
  • Danman32 Member Posts: 1,243
    Actually, a standard ACL specifies the source as the test condition.

    So, if you have a router with networks 10.1.x.x, 10.2.x.x and 10.3.x.x, and you want to block 10.3.0.5 from getting to 10.1.0.10 but not affect access to 10.2.x.x, using the ACL access-list 10 deny host 10.3.0.5, you would have to place the ACL on the 10.1.x.x interface; otherwise you'll also block access to 10.2.x.x if you place the ACL on the 10.3.x.x interface.
    That's assuming you have a permit all below the deny, otherwise the implicit deny will trump all attempts to deny only one or a few IPs.
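The placement effect Danman32 describes, as an added example that is not from this thread: a small Python model of the three-network router that evaluates a source-only (standard) ACL and a source-plus-destination (extended) ACL at either the 10.3.x.x inbound interface or the 10.1.x.x outbound interface. Interface names Gi0/1 to Gi0/3 and the hosts 10.2.0.20 and 10.3.0.7 are constructed for the illustration; the ACL numbers and 10.3.0.5 / 10.1.0.10 come from the post.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Ace:
    """One access-control entry. A standard ACL can only test the source,
    so dst stays at the any-address default for its entries."""
    action: str                 # "permit" or "deny"
    src: str                    # prefix, e.g. "10.3.0.5/32" or "0.0.0.0/0"
    dst: str = "0.0.0.0/0"

def acl_decision(acl, src, dst):
    """First matching entry wins; the unwritten final entry is deny, as on IOS."""
    for ace in acl:
        if ip_address(src) in ip_network(ace.src) and ip_address(dst) in ip_network(ace.dst):
            return ace.action
    return "deny"

# Constructed router: one interface per network in the thread's scenario.
INTERFACES = {"Gi0/1": "10.1.0.0/16", "Gi0/2": "10.2.0.0/16", "Gi0/3": "10.3.0.0/16"}

def interface_for(addr):
    for name, net in INTERFACES.items():
        if ip_address(addr) in ip_network(net):
            return name
    raise ValueError(f"no connected network for {addr}")

def forward(placements, src, dst):
    """placements maps (interface, 'in' | 'out') to an ACL. A packet is checked
    inbound on its ingress interface, then outbound on its egress interface."""
    for key in ((interface_for(src), "in"), (interface_for(dst), "out")):
        acl = placements.get(key)
        if acl is not None and acl_decision(acl, src, dst) == "deny":
            return "deny"
    return "permit"

# Flows to watch: the one to block, plus two that must stay open (hosts constructed).
FLOWS = {"to_10_1": ("10.3.0.5", "10.1.0.10"),
         "to_10_2": ("10.3.0.5", "10.2.0.20"),
         "other_host": ("10.3.0.7", "10.1.0.10")}
STANDARD_10 = [Ace("deny", "10.3.0.5/32"), Ace("permit", "0.0.0.0/0")]
STANDARD_10_NO_PERMIT = [Ace("deny", "10.3.0.5/32")]   # relies on the implicit deny
EXTENDED_100 = [Ace("deny", "10.3.0.5/32", "10.1.0.10/32"), Ace("permit", "0.0.0.0/0")]

def outcomes(placements):
    """Decision for each flow under a given ACL placement."""
    return {name: forward(placements, s, d) for name, (s, d) in FLOWS.items()}
```

Running outcomes() with STANDARD_10 on ("Gi0/3", "in") shows the collateral block of 10.2.x.x, while the same ACL on ("Gi0/1", "out") or EXTENDED_100 on ("Gi0/3", "in") blocks only the intended flow; STANDARD_10_NO_PERMIT shows the implicit deny catching the other 10.3.x.x host too.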