Hot Downloads



The forum is in read only mode.
Welcome, Guest
Username: Password: Remember me
  • Page:
  • 1

TOPIC: Interview Question

Interview Question 12 years 5 months ago #15746

  • asab
  • asab's Avatar Topic Author
  • Offline
  • Frequent Member
  • Frequent Member
  • Posts: 68
  • Thank you received: 0
Hello there,

I got this question in an interview....

Where should extended access control lists be placed?

Should they be placed as close as possible to the source of the traffic to be denied.

Should they be placed as close as possible to the destination of the traffic to be denied.

I picked the top one. he didn't tell me if i got it right.

let me know, thanks.

Re: Interview Question 12 years 5 months ago #15844

I would think closer to the destination so the source does not have to process the list. But thats me.


Re: Interview Question 12 years 5 months ago #15846

There isn't a right or wrong answer to this. It really depends on what you are trying to protect and protect yourself from.

filtering traffic in from the internet would be closest to the destination.

filtering traffic out to the internet or in from a local interace would be closest to the source.

adding the word 'extended' to the question is just trying to trip you up, as the same principles apply to standard acls as well.

Re: Interview Question 12 years 5 months ago #16016


If you are using the extended access list it is better to use it as closer to the source. Because the router need not process it and block it

If it is a standard access list you have to use it neer to the destination

because in standard access list you are going to block by source IP address

but in extended access list you know the source, destination and service so you can block it neer to the source itself.

Re: Interview Question 12 years 5 months ago #16042

hi all,
d_jabsd and ramasamy are right and i also think the priority is also very crucial for assigning the acls and also the design(ie there would be another route for the destination via another path )so it would be prefered to set acl far way to the source without comprmmising the security to increase the processing pwr and not effecting any future network changes or simply kep it near source if you dont want any intrusion at all.

Re: Interview Question 12 years 2 months ago #17949

It is always better to apply access list closest to the source but in some situations you cannot do that with standard access lists.

Your company network ( is subneted.
You want to deny access from network to one of your's subnetworks (for example, but you want to allow access to the rest of your network.

standard access list
You can specify only source address, so it should be applied closest to the destination ( network).
access-list 10 deny
In this case packet will travel through your network (consuming bandwidth) and than be dropped.
If you apply this access list closest to the source, than network would not have access to any of your subnetworks.

extended access list
If you use extended access list you can specify source and destination address:
access-list 101 deny ip
so you can apply it closest to the source (entrance to your network). Only packet destined to network will be dropped at the entrance to your network. You preserve bandwidth because packed is dropped immediately (it is not traveling through your network).
  • Page:
  • 1
Time to create page: 0.157 seconds


Cisco Routers

  • SSL WebVPN
  • Securing Routers
  • Policy Based Routing
  • Router on-a-Stick

VPN Security

  • Understand DMVPN
  • GRE/IPSec Configuration
  • Site-to-Site IPSec VPN
  • IPSec Modes

Cisco Help

  • VPN Client Windows 8
  • VPN Client Windows 7
  • CCP Display Problem
  • Cisco Support App.

Windows 2012

  • New Features
  • Licensing
  • Hyper-V / VDI
  • Install Hyper-V


  • File Permissions
  • Webmin
  • Groups - Users
  • Samba Setup