Every ACL should be placed where it has the greatest impact on efficiency. Improper implementation causes network slow and inefficient but, proper implementation of an ACL can make the network more efficient because of reducing unnecessary traffic from the network. For example, traffic that will be denied at a remote destination should be dropped and not be; forwarded to remote using network resources along the route to that destination.
Standard ACLs Placement
Standard ACLs do not specify any destination addresses; therefore we place standard ACLs close to the destination as much possible. Implementing a standard ACL closest to the source of the traffic will effectively prevent; that traffic from reaching any other networks through the interface where the ACL is applied.
We know that standard ACL only filter traffic based on a source address. The basic rule of standard ACL needs placement possibly close to the destination network. This allows the traffic to arrive at all other networks except the network where the packets will be filtered. In the figure below, we want to prevent traffic from 192.168.2.0/24 network from reaching the 192.168.4.0/24 network.
If we place the standard ACL on the inbound interface of Router0; this would stop the traffic of the 192.168.2.0/24 network from reaching any other network. If we place ACL on the outbound interface towards Router1; this would stop 192.168.2.0/24 traffic from reaching any network of Router1. If we place the ACL on the inbound or outbound interface of Router; this will also prevent traffic of the 192.168.2.0/24 network to reach any network of Router1 and Router2. If we place the ACL inbound on interface Fa1/0 of Router2, this will also stop all traffic of 192.168.2.0 network to reach any network of Router2.
So the best place to place the ACL is Eth 1/0 interface of Router1. This is the closest interface towards the destination. Therefore we would apply standard ACL on interface Ethernet 1/0 outbound. This will prevent traffic from 192.168.2.0/24 from entering the Ethernet 1/0 interface from reaching 192.168.4.0/24 and all other networks reachable to 192.168.4.0/24 network.
Extended ACLs Placement
The extended ACL can filter traffic based on the source address as well as based on the destination address, protocol type, and port number. Extended ACL gives more flexibility in the type of traffic we want to filter and where to place the ACL. The basic rule for placing an extended ACL is to place it possibly close to the source of the traffic. Extended ACL filter unnecessary traffic from being sent across multiple networks.
The network administrator place extended ACL on devices that they can control easily. In the figure, the administrator wants to control FTP and telnet traffic from 192.168.1.0/24 and 192168.2.0/24 networks. At the same time, all other traffic from both networks must be permitted to leave Router3 without any restriction.
So there are several ways to accomplish these goals. We can configure extended ACL inbound to Router3 Fa0/0 and Fa0/1 networks. But this is not a best practice because we should configure an extended ACL inbound for both ACLs. A best practice is to place an extended ACL on Router3 interface Fa0/1 outbound. The extended ACL specifies both source and destination addresses and enforces the rule, “Telnet and FTP traffic from the 192.168.1.0/24 and 192.168.2.0/24 network is not allowed to go to the 192.168.3.0/24 network.
The above type of ACL may also depend on the following:
- Ease of configuration– If we want to deny traffic coming from several networks, The first option is to use a single standard ACL on the closest to the destination. But the main disadvantage of this ACL is the use of bandwidth unnecessarily. So, we can configure an extended ACL on each router source router. This will save bandwidth by filtering the traffic at the source but this requires creating extended ACLs on several routers.
- The extent of the network administrator’s control– Placement of the ACL also depend on the network administrator. He can control both the source and destination networks using an ACLs.
- The bandwidth of the networks – Filtering unwanted traffic at the source prevents consumption of the bandwidth. This is important in low bandwidth networks.
- Entering Criteria Statements. Then router receives traffic, the traffic is compared to all the access control entries in the order that the entries listed. The router continues comparing the access control entries until it finds the first match. The router will process the packet based on the first match found and it will terminate comparing more access control entries. If no matches are found in the access control entries and the router reaches the end of the list, the traffic is denied. This is because, by default, there is an implied deny at the end of all access control lists for traffic that was not matched to a configured entry. A single-entry access control list with only one denies entry has the effect of denying all traffic. So, one permit entry must be configured in an access control list.