d_jabsd and ramasamy are right, and I also think the priority is very crucial for assigning the ACLs, and also the design (i.e. there could be another route to the destination via another path), so it would be preferred to set the ACL far away from the source without compromising security, to increase the processing power and not affect any future network changes, or simply keep it near the source if you don't want any intrusion at all.
Re: Interview Question
12 years 2 months ago #17949
It is always better to apply an access list closest to the source, but in some situations you cannot do that with standard access lists.
Your company network (10.0.0.0/8) is subnetted.
You want to deny access from network 192.168.0.0/24 to one of your subnetworks (for example 10.10.10.0/24), but you want to allow access to the rest of your network.
Standard access list
You can specify only the source address, so it should be applied closest to the destination (the 10.10.10.0/24 network):
access-list 10 deny 192.168.0.0 0.0.0.255
In this case the packet will travel through your network (consuming bandwidth) and then be dropped.
If you apply this access list closest to the source, then network 192.168.0.0 would not have access to any of your subnetworks.
Extended access list
If you use an extended access list you can specify source and destination address:
access-list 101 deny ip 192.168.0.0 0.0.0.255 10.10.10.0 0.0.0.255
so you can apply it closest to the source (the entrance to your network). Only packets destined for the 10.10.10.0/24 network will be dropped at the entrance to your network. You preserve bandwidth because the packet is dropped immediately (it does not travel through your network).