Interview Question

Hello there,

I got this question in an interview....

Where should extended access control lists be placed?

Should they be placed as close as possible to the source of the traffic to be denied.

Should they be placed as close as possible to the destination of the traffic to be denied.

I picked the top one. he didn't tell me if i got it right.

let me know, thanks.

I would think closer to the destination so the source does not have to process the list. But thats me.

EX

There isn't a right or wrong answer to this. It really depends on what you are trying to protect and protect yourself from.

filtering traffic in from the internet would be closest to the destination.

filtering traffic out to the internet or in from a local interace would be closest to the source.

adding the word 'extended' to the question is just trying to trip you up, as the same principles apply to standard acls as well.

Hi

If you are using the extended access list it is better to use it as closer to the source. Because the router need not process it and block it

If it is a standard access list you have to use it neer to the destination

because in standard access list you are going to block by source IP address

but in extended access list you know the source, destination and service so you can block it neer to the source itself.

hi all,
d_jabsd and ramasamy are right and i also think the priority is also very crucial for assigning the acls and also the design(ie there would be another route for the destination via another path )so it would be prefered to set acl far way to the source without comprmmising the security to increase the processing pwr and not effecting any future network changes or simply kep it near source if you dont want any intrusion at all.

It is always better to apply access list closest to the source but in some situations you cannot do that with standard access lists.

FOR EXAMPLE:
Your company network (10.0.0.0/ is subneted.
You want to deny access from network 192.168.0.0/24 to one of your's subnetworks (for example 10.10.10.0/24), but you want to allow access to the rest of your network.

standard access list
You can specify only source address, so it should be applied closest to the destination (10.10.10.0/24 network).
access-list 10 deny 192.168.0.0 0.0.0.255
In this case packet will travel through your network (consuming bandwidth) and than be dropped.
If you apply this access list closest to the source, than network 192.168.0.0 would not have access to any of your subnetworks.

extended access list
If you use extended access list you can specify source and destination address:
access-list 101 deny ip 192.168.0.0 0.0.0.255 10.10.10.0 0.0.0.255
so you can apply it closest to the source (entrance to your network). Only packet destined to 10.10.10.0/24 network will be dropped at the entrance to your network. You preserve bandwidth because packed is dropped immediately (it is not traveling through your network).