Access-list location can be more of an
art than a science, but there are some general guidelines that you
can discover by looking at the example shown in the main figure.
If the policy goal is to deny host Z access to host 10.20.0.0, and not to
change any other access policy, on which router should the access
list shown in the main figure be configured and on which interface
of that router? The access list would be placed on router A. The
reason is that a standard access list can match only on the source
address, not the destination. Wherever in the path Z's traffic is
denied, Z can reach no host beyond that point.
The access list could be configured as an outbound list on E0,
but it may instead be configured as an inbound list on E1 so that
packets to be denied are dropped before the router has to route them.
What would be the effect of placing the access list on other
routers?
- Router B: Host Z could not connect with hosts 10.20.0.0 and W.
- Router C: Host Z could not connect with hosts 10.20.0.0, W, and X.
- Router D: Host Z could not connect with hosts 10.20.0.0, W, X, and Y.
Note: For standard access lists, place them as close to the
destination router as possible in order to exercise the most
control.
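The placement effects listed above, as an added example that is not part of the original text: a small Python model of a source-only (standard) access list walked along the path Z's packets take toward 10.20.0.0. The topology (Z entering at router D, path D-C-B-A, hosts Y, X, W and 10.20.0.0 attached to D, C, B and A) and the address 192.0.2.10 for Z are assumptions made for the example.

```python
# Added example, not from the original text. Models why a standard (source-only)
# ACL has to sit close to the destination: every host beyond the filtering router
# becomes unreachable for the denied source, not just the intended one.
from ipaddress import ip_address, ip_network

# Assumed topology: traffic from Z enters at D and is forwarded D -> C -> B -> A.
PATH = ["D", "C", "B", "A"]
HOSTS_AT = {"D": "Y", "C": "X", "B": "W", "A": "10.20.0.0"}

# Assumed address for host Z (documentation range, constructed for the example).
Z_ADDR = "192.0.2.10"

# Equivalent of:  access-list 1 deny 192.0.2.10 0.0.0.0
#                 access-list 1 permit any
# Entries are (action, source prefix); the trailing permit is needed because
# IOS ends every ACL with an implicit "deny any".
ACL = [("deny", "192.0.2.10/32"), ("permit", "0.0.0.0/0")]


def standard_acl_permits(acl, src):
    """A standard ACL tests only the source address; first match wins,
    and a packet matching no entry is dropped by the implicit deny."""
    for action, prefix in acl:
        if ip_address(src) in ip_network(prefix):
            return action == "permit"
    return False


def unreachable_from(src, acl_router, acl):
    """Hosts the source can no longer reach when the ACL is applied inbound
    at acl_router. Once the packet is dropped there, the host attached to
    that router and every host further along the path are cut off."""
    lost, dropped = [], False
    for router in PATH:
        if router == acl_router and not standard_acl_permits(acl, src):
            dropped = True
        if dropped:
            lost.append(HOSTS_AT[router])
    return lost


def best_placement(src, acl, target="10.20.0.0"):
    """Router where the list still blocks the target but cuts off the fewest
    other hosts; for a standard ACL that is the router nearest the target."""
    outcomes = {r: unreachable_from(src, r, acl) for r in PATH}
    achieving = {r: lost for r, lost in outcomes.items() if target in lost}
    return min(achieving, key=lambda r: len(achieving[r]))


if __name__ == "__main__":
    for router in PATH:
        print(f"ACL on router {router}: Z loses {unreachable_from(Z_ADDR, router, ACL)}")
    print("Best placement:", best_placement(Z_ADDR, ACL))
```

Running it reproduces the four bullet outcomes and selects router A; a source other than Z (for example 198.51.100.5) matches the `permit any` entry and loses nothing.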