Access-list

steveo1985

I have a placement question:

I know that you put extended access-lists closer to the source
I know that you place standard access-lists closer to the destination

in this example (made by me), I have a Host on the left of the figure Called HostA a router (router1) to the right of hostA (ethernet 0 connected to the Host) (serial 0 connected to a second router - router2) and a web server to the right of router2 in the figure.

HostA has been denyed access to the web server......

does placement of the access-list matter as to what router the list is placed on? So for extended access-lists would that be placed on router1 and standard on router2?

or does it refer to the interface on which the access-list is placed for example if i take router1....

i place the access-list on the router for a standard access-list with #ip access-group out (because the packets flow from left to right) on interface serial 0 as its closer to the destination? and for extended i place the list on ethernet 0 with the command #ip access-group in?

or is it both

im so confused :P

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

dtlokee

The "place standard closer to the destination, place extended closer to the source" rule is a general guideline. If it accomplishes the goal then go with it. The reason for placing the standeard closer to the destination is because it blocks all of IP from a specified source, so placing it on the interface connected to the destination subnet allows you to block or allow access only to that subnet. Now in real life you'll most likely not be using standard ACLs on an interface (except for things like preventing spoofing of source IP addresses).

steveo1985

thanks for the quick reply

its very useful, i thought it was a rule that had to be followed and im gald its a guideline as some questions i've answered only allow you to open a connect with a single router of their choice and place the list on that router. I follow the flow of the packet and apply it to the interface that points "out" if possible as its the best place to put a list.

networker050184

For Cisco exams it would be a good idea to follow the Cisco "best practices," but like dtlokee stated in a real world situation you could put it any where as long as the desired outcome is acheived.

dtlokee

steveo1985 wrote:

thanks for the quick reply its very useful, i thought it was a rule that had to be followed and im gald its a guideline as some questions i've answered only allow you to open a connect with a single router of their choice and place the list on that router. I follow the flow of the packet and apply it to the interface that points "out" if possible as its the best place to put a list.

If you run into a case where you can only console into a single router, don't forget you can also telnet to other routers. Use "show cdp neigh detail" and get the IP address then use telnet.

For an exam if there are 2 ways to do somthing and one follows the "best practice" and on does not, use the method that does.