Solved: extended access lists

tolinrome tolinrome · ‎01-29-2014

I'm practicing using extended access lists and everytime I use them I always use them closest to the source network router, am I doing this wrong? I never see a use to use them on the destination network or host. For example I have a source network that I want to deny a host using telnet on a remote destination router (all the routers are connected using ospf). So what I did was create the acl on the source router, thinking why should the request go accross all these routers just ot be denied at the destination router, so I created the acl on the source router denying access to the remote router. When would I use an extended acl on the remote destination router?

Also with standard access lists, I always end up using them on the source as well, when would I use them on the destination?

Thanks.

Jon Marshall · ‎01-29-2014

You are doing it right ie. if possible try and do it as close to the source as possible to save the packets going all the way to the destination just to be dropped

An example where applying it to the destination network interface would be if you had many source networks you wanted to stop communicating with a specific destination IP. You could configure acls for every source network and apply them to each interface but if there are a lot of source networks this could be a lot of configuration and potentially difficult to manage.

So in that case you could just apply one acl on the destination L3 interface instead.

But like i say the general principle is to apply the acl as close as possible to the source for the reasons you state.

Jon

View solution in original post

Jon Marshall · ‎01-29-2014

You are doing it right ie. if possible try and do it as close to the source as possible to save the packets going all the way to the destination just to be dropped

An example where applying it to the destination network interface would be if you had many source networks you wanted to stop communicating with a specific destination IP. You could configure acls for every source network and apply them to each interface but if there are a lot of source networks this could be a lot of configuration and potentially difficult to manage.

So in that case you could just apply one acl on the destination L3 interface instead.

But like i say the general principle is to apply the acl as close as possible to the source for the reasons you state.

Jon

tolinrome tolinrome · ‎01-29-2014

They say though that standard acl's need ot be placed closet to the desitnation though, which is correct, especially for a Cisco test?

John Blakley · ‎01-29-2014

It's always best to place the acl closest to the source. As Jon stated above, there are a couple of reasons to do destination based, but they're usually rare instances. For Cisco exams, I would always choose anything that's placed on an interface - acls, qos policies, etc - to put it closest to the source.

I'm not sure where you read your information, but the type of acl doesn't really dictate where it should be placed.

HTH,
John

*** Please rate all useful posts ***

HTH, John *** Please rate all useful posts ***

Richard Bradfield · ‎01-29-2014

There are number of instances where you can only use the source ( or there is only a source to match on)

In your discussion you want to stop the telnet traffic at the source which is good, but for extra security you will want to put a standard access list on the vty lines( access-class xxx in) to control who can telnet into the remote router/switch,

another example is when you are redistributing routes from say BGP to EIGRP you use a route map to control the routes.

in the route map you match on a standard access list.

HTH

Richard.