Interface question about ACLs

Could someone clarify an issue with extended ACLs, where you have more than one router, and you need to apply it to an interface - on whichever router closest to the source you apply it to, how do you determine which interface it will be applied to again? It's not really clear to me, and I want to make sure I have it right.

Find more posts tagged with

SAVE $250 on Your CISCO Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View CISCO Boot Camps

Comments

larkspur

extended ACL's are applied as close to the source address as possible adn standard acl's are applied as close to the destination as possible.

networker050184

You would place it on whatever interface the desired blocked traffic would be entering on (or exiting). Say you wanted to block a certain subnet from accessing your web server, you would place that list on the interface the subnet is connected to so you can drop the traffic before it gets routed to the destination. This prevents wasting CPU power routing traffic that is going to be dropped when it reaches the destination anyway.

Crunchyhippo

networker050184 wrote:

You would place it on whatever interface the desired blocked traffic would be entering on (or exiting). Say you wanted to block a certain subnet from accessing your web server, you would place that list on the interface the subnet is connected to so you can drop the traffic before it gets routed to the destination. This prevents wasting CPU power routing traffic that is going to be dropped when it reaches the destination anyway.

Ok, this helps. So if I'm on router A, which goes to B, and I want to keep people on B out, it would all depend on my access-list statement and whether I put permit or deny as to whether I would apply the list to the fast ethernet or serial interface, wouldn't it? It I had a deny statement here, I would apply it incoming and to the serial interface, right? Would there be a scenario where I would apply it to the fast ethernet interface here instead of the serial going to router B?

networker050184

Cisco says place extended access list close to the source. Going by that you would place the access list on the ethernet port connected to the LAN those particular hosts are on. You could also place an outgoing access list on the serial connected to your other router. There are several ways it can be done, but the Cisco way is extended ACL close as possible to host and standard as close to the destination to prevent unessecary filtering of traffic.