Lab 29: ACL Placement — Why Position Matters
The rule says: standard ACLs near the destination, extended near the source. This lab proves why — by placing a standard ACL wrongly and watching it over-block, then fixing it both ways. Difficulty: Intermediate+ · Time: ~30 min.
Lab objectives
- Build a 3-router chain with LANs at each end
- Place a standard ACL wrongly (near source) and observe collateral damage
- Correct it to the destination end
- Implement the same policy as an extended ACL near the source
Topology & addressing
R1 (LAN-A: 192.168.1.0/24) — R2 — R3 (LAN-C: 192.168.3.0/24, containing the server 192.168.3.10). R3 also hosts a second LAN, LAN-D (192.168.4.0/24). Policy: block LAN-A from the server's subnet (LAN-C) only; LAN-A must keep reaching LAN-D, and every other flow stays permitted.
Step-by-step configuration
| Placement | Configuration | Effect |
| WRONG (standard, near the source) | On R1: access-list 10 deny 192.168.1.0 0.0.0.255 followed by access-list 10 permit any, applied outbound on the interface facing R2 | LAN-A loses everything beyond R1, including LAN-D, which the policy says it should still reach. A standard ACL sees only the source address, so it cannot tell a packet for the server apart from a packet for LAN-D |
| RIGHT (standard, near the destination) | Remove ACL 10 from R1's R2-facing interface and apply it outbound on R3's LAN-C interface | Only traffic entering the server's subnet is filtered; LAN-D is unaffected because packets for LAN-D never cross that interface |
| RIGHT (extended, near the source) | On R1: an extended ACL with deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255 followed by permit ip any any, applied inbound on the LAN-A interface | Precise at the source: only LAN-A-to-LAN-C traffic is dropped, and it dies before crossing either WAN link |
Two things to keep in mind while building the lab. Every ACL ends in an implicit deny, so the trailing permit entry is not optional: without it the standard ACL blocks every source and the extended ACL blocks every flow. And an outbound ACL does not filter packets the router itself generates, so pings sourced from R1 or R3 are not a valid test of any of these placements; test from hosts in LAN-A.
Verification
After the wrong placement, pings from a LAN-A host to 192.168.3.10 and to a host in LAN-D both fail: over-blocking proven. After either correct version, LAN-C stays blocked while LAN-D is reachable. Then run show access-lists on the router holding the ACL: the match counter on the deny entry tells you where the packets died. With the standard ACL on R3 they crossed both WAN links before being dropped; with the extended ACL on R1 they never left the first router. That difference is why extended-at-source is preferred whenever the policy can be stated there.
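The three placements in the configuration table and the verification results above can be reproduced offline with a small evaluator that walks a packet hop by hop. This is an added example, not code from the lab or from any Cisco tool. The interface names (Gi0/0, Gi0/1, Gi0/2), the extended ACL's number (110), the LAN-A host 192.168.1.20 and the LAN-D host 192.168.4.10 are assumptions, and only the ip protocol with source and destination networks is modelled (no ports). The hop a packet dies at is the same thing the deny counter in show access-lists would tell you on the real routers.

```python
"""
IOS-style ACL evaluator, added as a worked example for this lab (not part of
the lab or of any Cisco software).  It parses the access-list lines used above,
applies them at each of the three placements, and reports where a LAN-A packet
dies.  Interface names, the hop-by-hop path model and the host addresses are
constructed; ports and protocols other than 'ip' are not modelled.
"""
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")


def wildcard_match(addr, network, wildcard):
    """IOS wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def _addr_spec(tokens, i):
    """Parse 'any', 'host X' or 'NETWORK WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_acl(lines):
    """Turn 'access-list N action ...' lines into (action, src, dst) entries.
    Standard ACLs (1-99, 1300-1999) match the source only; extended ones carry a
    protocol keyword followed by a source and a destination spec."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        number, action = int(t[1]), t[2]
        standard = number <= 99 or 1300 <= number <= 1999
        i = 3 if standard else 4          # skip the protocol keyword on extended lines
        src, i = _addr_spec(t, i)
        dst = ANY if standard else _addr_spec(t, i)[0]
        entries.append((action, src, dst))
    return entries


def acl_permits(entries, src, dst):
    """First matching entry wins; with no match, the implicit deny at the end applies."""
    for action, (sn, sw), (dn, dw) in entries:
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action == "permit"
    return False


# Constructed path model: the (router, interface, direction) hops a LAN-A packet
# crosses on the way to each destination LAN.  Interface names are assumptions.
WAN = [("R1", "Gi0/0", "in"), ("R1", "Gi0/1", "out"),
       ("R2", "Gi0/0", "in"), ("R2", "Gi0/1", "out"), ("R3", "Gi0/1", "in")]
PATHS = {"LAN-C": WAN + [("R3", "Gi0/0", "out")],
         "LAN-D": WAN + [("R3", "Gi0/2", "out")]}


def trace(placement, src, dst, dest_lan):
    """Walk the path and return the hop whose ACL drops the packet, or None if delivered.
    'placement' maps a hop to its ACL, the equivalent of 'ip access-group N in|out'
    configured on that interface."""
    for hop in PATHS[dest_lan]:
        acl = placement.get(hop)
        if acl is not None and not acl_permits(acl, src, dst):
            return hop
    return None


STD = parse_acl(["access-list 10 deny 192.168.1.0 0.0.0.255",
                 "access-list 10 permit any"])
EXT = parse_acl(["access-list 110 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255",
                 "access-list 110 permit ip any any"])

WRONG = {("R1", "Gi0/1", "out"): STD}      # standard ACL near the source
RIGHT_STD = {("R3", "Gi0/0", "out"): STD}  # standard ACL near the destination
RIGHT_EXT = {("R1", "Gi0/0", "in"): EXT}   # extended ACL near the source


def outcomes(placement, host="192.168.1.20"):
    """Where (if anywhere) a constructed LAN-A host's packets die, per destination."""
    return {"server": trace(placement, host, "192.168.3.10", "LAN-C"),
            "lan_d": trace(placement, host, "192.168.4.10", "LAN-D")}


if __name__ == "__main__":
    for name, placement in (("WRONG", WRONG), ("RIGHT_STD", RIGHT_STD), ("RIGHT_EXT", RIGHT_EXT)):
        print(name, outcomes(placement))
```

With the wrong placement both flows die at R1's R2-facing interface; with the standard ACL on R3 only the server flow dies, and only after five hops of forwarding; with the extended ACL on R1 the server flow dies on the very first hop and LAN-D is delivered. Traffic from any other source, for example LAN-D to the server, is permitted by every placement.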
Frequently asked questions
Why do standard ACLs go near the destination?
They match only source addresses — placed early, they'd block that source from every destination beyond the ACL, not just the intended one.
Why do extended ACLs go near the source?
They identify traffic precisely (source, destination, port), so dropping it immediately saves bandwidth across the entire path.
Which approach is better for this policy?
The extended ACL at the source: it has the same precision, and the unwanted traffic never crosses the WAN links at all. The trade-off is scope. The standard ACL on R3 protects the server's subnet from LAN-A in one place no matter which path the traffic takes, whereas the extended ACL on R1 only covers traffic that enters through R1, so a policy that must hold for several source networks is simpler to enforce near the destination.
Want hands-on training?
Learn this on real Cisco lab devices with placement support at Attila Technologies, Ahmedabad.