1.5 Access List Overview
1.5.9 Where to place IP access list
An access list can act as a firewall: it filters packets and discards the traffic the policy does not want. Where the administrator applies the list also determines how much unnecessary traffic crosses the network. Traffic that will be denied at a remote destination should not consume bandwidth and router resources along the route to that destination.

Suppose an enterprise policy is to deny traffic from the Token Ring LAN on router A to the switched Ethernet LAN on router D's E1 port, while all other traffic must still be permitted. Several approaches can accomplish this policy.

The recommended approach uses an extended access list, which specifies both source and destination addresses. Place this extended access list on router A, where the traffic enters the network. Denied packets are then dropped before they cross router A's Ethernet, before they cross the serial interfaces of routers B and C, and before they enter router D. Because the list matches on the source and destination pair, traffic from the Token Ring LAN to other destinations, and traffic from other sources to router D's LAN, is still permitted.

The rule for extended access lists is to place them as close as possible to the source of the traffic being denied.

Standard access lists filter on source address only; they cannot specify a destination. A standard list placed near the source would therefore cut the Token Ring LAN off from every destination, not just from the LAN on router D. The administrator must instead put the standard access list as near the destination as possible. For example, place the access list on E0 of router D to stop traffic from router A at that point.
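The two placements described above, written out as IOS configuration. This is an added example, not configuration from the original page; the addresses (192.168.10.0/24 for the Token Ring LAN on router A, 192.168.40.0/24 for the Ethernet LAN behind router D), the access-list numbers and the Token Ring interface name are assumptions, while the router and Ethernet interface names follow the text.

```cisco
! Added example, not from the original page. Assumed addressing:
!   Token Ring LAN on router A      = 192.168.10.0/24
!   Switched Ethernet LAN on D's E1 = 192.168.40.0/24
! Interface "tokenring 0" on router A is also an assumption.

! --- Recommended: extended ACL on router A, as close to the source as possible ---
! Numbers 100-199 are extended lists; the entry matches source AND destination,
! so only Token Ring -> D's Ethernet LAN is dropped. Applied inbound on the
! interface where the traffic enters, denied packets never reach A's Ethernet,
! the serial links of B and C, or router D.
RouterA(config)# access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.40.0 0.0.0.255
RouterA(config)# access-list 101 permit ip any any
RouterA(config)# interface tokenring 0
RouterA(config-if)# ip access-group 101 in

! --- Alternative: standard ACL on router D, as close to the destination as possible ---
! Numbers 1-99 are standard lists; the entry matches the source only.
! Applied outbound on E0 of router D (the interface the text names), it stops
! Token Ring traffic only toward that LAN. Placed on router A instead, the same
! list would block the Token Ring LAN from reaching every destination.
RouterD(config)# access-list 10 deny 192.168.10.0 0.0.0.255
RouterD(config)# access-list 10 permit any
RouterD(config)# interface ethernet 0
RouterD(config-if)# ip access-group 10 out

! --- Verification on either router ---
! Match counters confirm that denied traffic is actually hitting the deny entry.
RouterA# show access-lists
! Confirms the list is bound to the interface in the intended direction.
RouterA# show ip interface tokenring 0
```

Two caveats a practitioner checks before committing either version. Every access list ends with an implicit "deny any", so the trailing permit entry is what keeps the rest of the network's traffic flowing; omit it and the interface drops everything the deny entry did not already drop. And the outbound standard list on router D must sit on the interface that actually faces the destination LAN, otherwise it filters traffic toward some other network.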
