10.2 Configuring IP Standard Access Lists
10.2.8 Location of standard access lists
Access-list location can be more of an art than a science, but there are some general guidelines that you can discover by looking at the example shown in the main figure.

If the policy goal is to deny host Z access to host 10.20.0.0, and not to change any other access policy, on which router should the access list shown in the main figure be configured, and on which interface of that router? The access list would be placed on router A. The reason is that a standard access list can specify only the source address, so wherever in the path host Z's traffic is denied, host Z cannot connect to any host beyond that point.

The access list could be configured as an outbound list on E0, but it may instead be configured as an inbound list on E1 so that packets to be denied do not have to be routed first.

What would be the effect of placing the access list on other routers?

  • Router B: Host Z could not connect with hosts 10.20.0.0 and W.
  • Router C: Host Z could not connect with hosts 10.20.0.0, W, and X.
  • Router D: Host Z could not connect with hosts 10.20.0.0, W, X, and Y.

Note: For standard access lists, place them as close to the destination router as possible in order to exercise the most control.
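
The placement effects listed above can be reproduced with a small model. This is an added example, not part of the original course material. It assumes a linear path D -> C -> B -> A from host Z toward 10.20.0.0 (the figure is not reproduced here), uses constructed addresses for host Z and a neighbouring host V, and treats the list as filtering traffic as it leaves the chosen router toward the destination.

```python
import ipaddress

# Assumed topology (the figure is not reproduced here): host Z sits behind
# router D, and traffic toward 10.20.0.0 crosses D -> C -> B -> A.
# Each entry: (router, destination reached after leaving that router).
PATH = [("D", "Y"), ("C", "X"), ("B", "W"), ("A", "10.20.0.0")]

HOST_Z = "192.0.2.10"  # constructed address for host Z
HOST_V = "192.0.2.20"  # constructed neighbour of Z, to show it is unaffected

# Standard ACL: (action, source, wildcard mask). Source is the only field.
ACL = [("deny", HOST_Z, "0.0.0.0"),
       ("permit", "0.0.0.0", "255.255.255.255")]


def acl_permits(acl, src):
    """First match wins; wildcard bits set to 1 are ignored; implicit deny."""
    s = int(ipaddress.IPv4Address(src))
    for action, net, wildcard in acl:
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        if (s & care) == (int(ipaddress.IPv4Address(net)) & care):
            return action == "permit"
    return False


def blocked_destinations(acl_router, src, acl=ACL):
    """Destinations src loses when the ACL filters traffic leaving acl_router."""
    blocked, filtered = [], False
    for router, dest in PATH:
        if router == acl_router and not acl_permits(acl, src):
            filtered = True  # packet is dropped here, whatever its destination
        if filtered:
            blocked.append(dest)
    return blocked


if __name__ == "__main__":
    for router in "ABCD":
        print(router, blocked_destinations(router, HOST_Z))
```

Because the list never looks at the destination address, moving it one router further from the destination adds every host behind that router to the set host Z can no longer reach, while host V is unaffected at any placement.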