- Posts: 68
- Thank you received: 0
Interview Question
18 years 5 months ago #15746
by asab
Interview Question was created by asab
Hello there,
I got this question in an interview....
Where should extended access control lists be placed?
Should they be placed as close as possible to the source of the traffic to be denied.
Should they be placed as close as possible to the destination of the traffic to be denied.
I picked the top one. he didn't tell me if i got it right.
let me know, thanks.
I got this question in an interview....
Where should extended access control lists be placed?
Should they be placed as close as possible to the source of the traffic to be denied.
Should they be placed as close as possible to the destination of the traffic to be denied.
I picked the top one. he didn't tell me if i got it right.
let me know, thanks.
18 years 4 months ago #15844
by EX_flux
Replied by EX_flux on topic Re: Interview Question
I would think closer to the destination so the source does not have to process the list. But thats me.
EX
EX
18 years 4 months ago #15846
by d_jabsd
Replied by d_jabsd on topic Re: Interview Question
There isn't a right or wrong answer to this. It really depends on what you are trying to protect and protect yourself from.
filtering traffic in from the internet would be closest to the destination.
filtering traffic out to the internet or in from a local interace would be closest to the source.
adding the word 'extended' to the question is just trying to trip you up, as the same principles apply to standard acls as well.
filtering traffic in from the internet would be closest to the destination.
filtering traffic out to the internet or in from a local interace would be closest to the source.
adding the word 'extended' to the question is just trying to trip you up, as the same principles apply to standard acls as well.
18 years 4 months ago #16016
by ramasamy
Replied by ramasamy on topic Re: Interview Question
Hi
If you are using the extended access list it is better to use it as closer to the source. Because the router need not process it and block it
If it is a standard access list you have to use it neer to the destination
because in standard access list you are going to block by source IP address
but in extended access list you know the source, destination and service so you can block it neer to the source itself.
If you are using the extended access list it is better to use it as closer to the source. Because the router need not process it and block it
If it is a standard access list you have to use it neer to the destination
because in standard access list you are going to block by source IP address
but in extended access list you know the source, destination and service so you can block it neer to the source itself.
18 years 4 months ago #16042
by cisman
Replied by cisman on topic Re: Interview Question
hi all,
d_jabsd and ramasamy are right and i also think the priority is also very crucial for assigning the acls and also the design(ie there would be another route for the destination via another path )so it would be prefered to set acl far way to the source without comprmmising the security to increase the processing pwr and not effecting any future network changes or simply kep it near source if you dont want any intrusion at all.
d_jabsd and ramasamy are right and i also think the priority is also very crucial for assigning the acls and also the design(ie there would be another route for the destination via another path )so it would be prefered to set acl far way to the source without comprmmising the security to increase the processing pwr and not effecting any future network changes or simply kep it near source if you dont want any intrusion at all.
18 years 1 month ago #17949
by djrade
Replied by djrade on topic Re: Interview Question
It is always better to apply access list closest to the source but in some situations you cannot do that with standard access lists.
FOR EXAMPLE:
Your company network (10.0.0.0/ is subneted.
You want to deny access from network 192.168.0.0/24 to one of your's subnetworks (for example 10.10.10.0/24), but you want to allow access to the rest of your network.
standard access list
You can specify only source address, so it should be applied closest to the destination (10.10.10.0/24 network).
access-list 10 deny 192.168.0.0 0.0.0.255
In this case packet will travel through your network (consuming bandwidth) and than be dropped.
If you apply this access list closest to the source, than network 192.168.0.0 would not have access to any of your subnetworks.
extended access list
If you use extended access list you can specify source and destination address:
access-list 101 deny ip 192.168.0.0 0.0.0.255 10.10.10.0 0.0.0.255
so you can apply it closest to the source (entrance to your network). Only packet destined to 10.10.10.0/24 network will be dropped at the entrance to your network. You preserve bandwidth because packed is dropped immediately (it is not traveling through your network).
FOR EXAMPLE:
Your company network (10.0.0.0/ is subneted.
You want to deny access from network 192.168.0.0/24 to one of your's subnetworks (for example 10.10.10.0/24), but you want to allow access to the rest of your network.
standard access list
You can specify only source address, so it should be applied closest to the destination (10.10.10.0/24 network).
access-list 10 deny 192.168.0.0 0.0.0.255
In this case packet will travel through your network (consuming bandwidth) and than be dropped.
If you apply this access list closest to the source, than network 192.168.0.0 would not have access to any of your subnetworks.
extended access list
If you use extended access list you can specify source and destination address:
access-list 101 deny ip 192.168.0.0 0.0.0.255 10.10.10.0 0.0.0.255
so you can apply it closest to the source (entrance to your network). Only packet destined to 10.10.10.0/24 network will be dropped at the entrance to your network. You preserve bandwidth because packed is dropped immediately (it is not traveling through your network).
Time to create page: 0.130 seconds