请cisco ccna的高手指点

NEWGAY

我总想不明白ACL 应该放在那里。

资料上就泛泛的说
An access lists can act as a firewall. A firewall filters packets and eliminates unwanted traffic at a destination. Where the administrator places an access list statement can reduce unnecessary traffic. Traffic that will be denied at a remote destination should not use network resources along the route to that destination.
• Place standard access lists close to the destination
• Place extended access lists close to the source

找不到感觉。那位指点一下。

chxu3549

共同探讨
standard access lists only block ip address,so it is better put it near the destination which will allows the blocked ip address access other routers or applications,

extended access lists also block protocol, it is better to block it near the source which will save bandwidth,

conty

基本ACL尽量靠近目的地址
扩展ACL尽量靠近源地址

这是我当年看CCNA的时候留下的一些印象。

熊猫阿三

标准ACL只检查数据包的源地址; 扩展ACL既检查数据包的源地址，也检查数据包的目的地址，同时还可以检查数据包的特定协议类型、端口号等。
标准ACL好比粗心的看门人，只看你是哪里来的，而不管你去做什么。为了避免误杀，最好放在最靠近目的端。
而扩展ACL因为比较精确，所以越放在前面越能挡住无效的流量。