10.4 Configuring Extended Access Lists
10.4.6 Location of extended access lists
Because extended access lists can filter on more than the source address, location is no longer a constraint. Frequently, policy decisions and goals are the driving force behind extended-access-list placement. If your goal is to minimize traffic congestion and maximize performance, you might want to push the access lists close to the source, so that packets that will be denied anyway do not cross the network first and the ICMP unreachable messages generated for them travel only a short distance. If your goal is to maintain tight control over access lists as part of your network security strategy, you might want to have them more centrally located, where fewer routers need to be configured and audited.

The following guidelines should be used for extended-access-list placement:

  • Minimize distance traveled by traffic that will be denied (and ICMP unreachable messages).
  • Keep denied traffic off the backbone.
  • Select which router will bear the CPU overhead of evaluating the access list.
  • Consider which interfaces are affected.
  • Consider access-list management and security.
  • Consider network growth impacts on access-list maintenance.

Note: Place extended access lists as close as possible to the source of the traffic being filtered. Applied inbound on the first router interface the traffic enters, the list is evaluated before the routing lookup, so denied packets never consume bandwidth or router resources beyond that interface.
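The following Cisco IOS configuration is an added example illustrating the placement guidelines above; it is not taken from the original page. The topology, interface names, addresses and access-list name are assumed: a Sales LAN (192.168.10.0/24) hangs off GigabitEthernet0/0 of the router nearest the source, and a Finance server (10.0.20.5) sits several hops away across the backbone. Because the extended list can match on both source and destination, it is applied inbound on the Sales-facing interface of the source router, so traffic that will be denied is dropped before it reaches the backbone.

```cisco
! --- Router nearest the Sales LAN (source side), assumed name SALES-R1 ---
! Extended ACL: deny Sales hosts from reaching the Finance server,
! permit everything else. Entries are matched top to bottom; the
! implicit "deny ip any any" at the end is overridden by the final permit.
ip access-list extended SALES_TO_FINANCE
 remark Block Telnet and HTTP from the Sales LAN to the Finance server
 deny   tcp 192.168.10.0 0.0.0.255 host 10.0.20.5 eq 23
 deny   tcp 192.168.10.0 0.0.0.255 host 10.0.20.5 eq 80
 remark Everything else from Sales is allowed to transit
 permit ip any any
!
! Apply the list INBOUND on the interface the Sales traffic enters.
! Inbound lists are checked before the routing lookup, so denied packets
! are discarded here instead of travelling across the backbone first.
interface GigabitEthernet0/0
 description Sales LAN (source side)
 ip address 192.168.10.1 255.255.255.0
 ip access-group SALES_TO_FINANCE in
!
! Backbone-facing uplink carries only traffic that already passed the list.
interface GigabitEthernet0/1
 description Uplink to backbone
 ip address 10.1.1.1 255.255.255.252
```

To verify, `show ip access-lists SALES_TO_FINANCE` displays per-entry match counters (the deny lines should increment when a Sales host attempts Telnet or HTTP to 10.0.20.5), and `show ip interface GigabitEthernet0/0` reports which list is applied inbound. Two practical caveats: the router that holds the list sends an ICMP unreachable (administratively prohibited) back to the source for each denied packet, which is why keeping the list near the source also keeps those messages off the backbone; and an inbound list on GigabitEthernet0/0 does not filter traffic the router itself originates, so a list meant to constrain the router's own sessions must be placed differently.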