Access list questions
hawaz
Is there a rule for whether to assign an inbound or outbound access list to an interface?
1/ One documentation says that you mostly assign outbound, except for telnet.
2/ Another says it depends entirely on the network and/or protocol.
What about the rule to assign an access list to an interface close to the destination if extended and close to the source if standard?
I need some clarification.
Thanks in advance.
Comments
M_Boyd
Cool, I just did this topic a couple of days ago, although anyone feel free to correct me if I am wrong on this. I can help you with one part....
Extended access lists should be placed nearest the source.
Standard access lists should be placed at the destination.
The reason for this is that standard access lists only use the source port, whilst extended access lists use source and destination ports, so you are best placing them at the source.
arracapuns
Hi guys,
Yes, this is an interesting topic...
M_Boyd, you are pretty right in what you say, but I would say that you mistake port addresses for IP addresses when you refer to standard access lists.
- Standard access lists can check part, or the whole, of the IP source address (not ports).
- Extended access lists can check part, or the whole, of the IP source and destination addresses, source and destination port numbers, protocols (tcp, udp, icmp, igrp, igmp and others), IP TOS, and IP precedence (according to the CCNA certification guide by Wendell Odom).
I would add that extended lists should be placed not only near the source, but also on INBOUND traffic. The reason is that with extended lists you can specify the destination in great detail, and therefore discard the packet as soon as possible and BEFORE it wastes routing resources. It makes no sense applying it to OUTBOUND traffic and having your router busy with traffic that you know is going to be discarded.
Please notice that this is not a statement, but my own opinion. Anyway, there may be a scenario in which this logic simply does not apply. If any of you can think of such a scenario, please let me know...
I hope this somehow clarifies things for you, hawaz.
Good luck.
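Putting the two replies above into one concrete configuration, as an added example that is not part of the original thread. The topology, addresses, ACL number and ACL name are assumptions: a user LAN 10.1.1.0/24 behind R1's GigabitEthernet0/0, and a server 10.2.2.10 on R2's GigabitEthernet0/1. The standard ACL sits on R2, close to the destination, because it can only match on source address and placing it near the source would cut that LAN off from everything, not just the server. The extended ACL sits on R1 and is applied inbound on the user-facing interface, so the telnet packets it matches are dropped before the routing lookup.

```cisco
! ---- R2: standard ACL, placed close to the DESTINATION ----
! A standard ACL matches only the source address, so it is applied
! outbound on the interface that faces the server segment. Everything
! else from 10.1.1.0/24 still reaches other parts of the network.
access-list 10 remark Keep the 10.1.1.0/24 user LAN off the server segment
access-list 10 deny   10.1.1.0 0.0.0.255
access-list 10 permit any
!
interface GigabitEthernet0/1
 description Link to server segment (assumed addressing)
 ip address 10.2.2.1 255.255.255.0
 ip access-group 10 out
!
! ---- R1: extended ACL, placed close to the SOURCE and applied INBOUND ----
! The extended ACL can match destination address and port, so it is
! specific enough to live on the first hop without blocking other traffic.
! Applying it inbound drops the packet before R1 spends a routing lookup on it.
ip access-list extended BLOCK-TELNET-TO-SERVER
 remark Drop telnet from the user LAN to the server as early as possible
 deny   tcp 10.1.1.0 0.0.0.255 host 10.2.2.10 eq 23
 permit ip any any
!
interface GigabitEthernet0/0
 description User LAN (assumed addressing)
 ip address 10.1.1.1 255.255.255.0
 ip access-group BLOCK-TELNET-TO-SERVER in
```

Two checks and one caveat a practitioner will want. Every IOS ACL ends with an implicit deny, so the explicit `permit any` / `permit ip any any` lines are what keep unrelated traffic flowing; leave one out and the interface blocks everything not named. `show access-lists` shows per-line match counters, which is the quickest way to confirm the deny line is actually being hit, and `show ip interface GigabitEthernet0/0` shows which ACL is applied in which direction. Finally, an outbound ACL on IOS does not filter packets the router itself generates, so the placement advice in the thread is about transit traffic, not about protecting the router's own sessions.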