Packet Tracer Labs

Lab 29: ACL Placement — Why Position Matters

The rule says: standard ACLs near the destination, extended near the source. This lab proves why — by placing a standard ACL wrongly and watching it over-block, then fixing it both ways. Difficulty: Intermediate+ · Time: ~30 min.

Lab objectives

  • Build a 3-router chain with LANs at each end
  • Place a standard ACL wrongly (near source) and observe collateral damage
  • Correct it to the destination end
  • Implement the same policy as an extended ACL near the source

Topology & addressing

R1(LAN-A: 192.168.1.0/24) — R2 — R3(LAN-C: 192.168.3.0/24 + server 192.168.3.10). Also a second destination LAN-D (192.168.4.0/24) on R3. Policy: block LAN-A from the server's subnet only.

Step-by-step configuration

  • WRONG: on R1, access-list 10 deny 192.168.1.0 0.0.0.255 + permit any, applied outbound toward R2. Result: LAN-A now loses EVERYTHING beyond R1 — including LAN-D, which it should still reach.
  • RIGHT (standard): move ACL 10 to R3's LAN-C interface, outbound. Result: blocks only what policy demands; LAN-D unaffected.
  • RIGHT (extended): on R1, deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255 + permit ip any any, applied inbound from LAN-A. Result: precise at the source — traffic dies before wasting WAN bandwidth.

Verification

After the wrong placement: LAN-A can't reach LAN-C or LAN-D — over-blocking proven. After each correct version: LAN-C blocked, LAN-D reachable. Compare where dropped packets die (source vs destination) — that bandwidth difference is why extended-at-source is preferred when possible.
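To make the over-blocking concrete without a Packet Tracer file, here is an added Python model (not part of the lab, and not Cisco's code) that implements IOS-style wildcard matching, top-down ACE evaluation with the implicit deny, and a simplified hop list for the R1 — R2 — R3 chain. The hop names, the test host 192.168.1.5 and the LAN-D host 192.168.4.20 are constructed for the example; the ACL contents are the ones the lab uses.

```python
"""Simulate the three ACL placements from this lab on a simplified R1-R2-R3 path."""
from ipaddress import IPv4Address


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


# An ACE is (action, src_net, src_wc, dst_net, dst_wc).
# Standard ACLs only look at the source, so dst_net is None.
ACL_10_STANDARD = [
    ("deny", "192.168.1.0", "0.0.0.255", None, None),
    ("permit", "0.0.0.0", "255.255.255.255", None, None),      # permit any
]
ACL_100_EXTENDED = [
    ("deny", "192.168.1.0", "0.0.0.255", "192.168.3.0", "0.0.0.255"),
    ("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),  # permit ip any any
]


def acl_verdict(acl, src: str, dst: str) -> str:
    """First matching ACE wins; an ACL with no match ends in the implicit deny."""
    for action, snet, swc, dnet, dwc in acl:
        if not wildcard_match(src, snet, swc):
            continue
        if dnet is not None and not wildcard_match(dst, dnet, dwc):
            continue
        return action
    return "deny"


# Constructed hop list (router:interface) a LAN-A packet crosses to each far LAN.
PATH = {
    "LAN-C": ["R1:in-from-LAN-A", "R1:out-to-R2", "R2", "R3:out-to-LAN-C"],
    "LAN-D": ["R1:in-from-LAN-A", "R1:out-to-R2", "R2", "R3:out-to-LAN-D"],
}

# The three placements from the lab, as {hop: ACL applied there}.
WRONG_STD_AT_SOURCE = {"R1:out-to-R2": ACL_10_STANDARD}
RIGHT_STD_AT_DEST = {"R3:out-to-LAN-C": ACL_10_STANDARD}
RIGHT_EXT_AT_SOURCE = {"R1:in-from-LAN-A": ACL_100_EXTENDED}


def forward(placement: dict, src: str, dst: str):
    """Walk the packet hop by hop; return (delivered, hop_where_dropped)."""
    dest_lan = "LAN-C" if wildcard_match(dst, "192.168.3.0", "0.0.0.255") else "LAN-D"
    for hop in PATH[dest_lan]:
        acl = placement.get(hop)
        if acl is not None and acl_verdict(acl, src, dst) == "deny":
            return False, hop
    return True, None


def evaluate(placement: dict, src: str = "192.168.1.5") -> dict:
    """Test the policy from one LAN-A host against the server (LAN-C) and a LAN-D host."""
    return {dst: forward(placement, src, dst) for dst in ("192.168.3.10", "192.168.4.20")}


if __name__ == "__main__":
    for name, placement in (("WRONG standard at source", WRONG_STD_AT_SOURCE),
                            ("RIGHT standard at destination", RIGHT_STD_AT_DEST),
                            ("RIGHT extended at source", RIGHT_EXT_AT_SOURCE)):
        print(name)
        for dst, (ok, hop) in evaluate(placement).items():
            print(f"  -> {dst}: {'delivered' if ok else 'dropped at ' + hop}")
```

The wrong placement drops both destinations at R1's WAN interface because ACL 10 never looks at where the packet is going. The two correct placements both deliver the LAN-D packet; the difference is the drop point for the LAN-C packet: the standard ACL discards it only after it has crossed both WAN links, the extended ACL discards it on R1's LAN-facing interface.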


Frequently asked questions

Why do standard ACLs go near the destination?

They match only source addresses — placed early, they'd block that source from every destination beyond the ACL, not just the intended one.

Why do extended ACLs go near the source?

They identify traffic precisely (source, destination, port), so dropping it immediately saves bandwidth across the entire path.

Which approach is better for this policy?

The extended ACL at the source — same precision, but unwanted traffic never crosses the network at all.

Vipul Sir — Lead Instructor, Attila Technologies. 20+ years in Cisco networking. Teaching CCNA, CCNP, CCIE & CyberOps in Ahmedabad since 2004.

Want hands-on training?

Learn this on real Cisco lab devices with placement support at Attila Technologies, Ahmedabad.

Start your networking career with Attila Technologies

Hands-on Cisco training, real lab devices and placement support in Ahmedabad.