Position of ACL at Router or Switch in Campus LAN Network

nishprit
Level 1

Dear Friends 

I am designing and configuring a Campus LAN Network for my self-study. The diagram of the Campus Network is attached. My query is where I should configure ACLs to block VLAN40 from accessing Server1 (S1). I have implemented SVIs for inter-VLAN routing on both L3 Switches at the Distribution Layer. Further, I have also configured HSRP on both Distribution Switches and am doing load balancing (DLSW1 for VLAN 10 and 20 and DLSW2 for VLAN 30 and 40). I am in doubt whether I should configure ACLs on both Distribution Layer switches and whether all ACL config should be the same on both Distribution Layer Switches? Please guide.

Accepted Solution

Giuseppe Larosa
Hall of Fame

Hello @nishprit ,

>> I am in doubt whether I should configure ACLs at both the Distribution layer and whether all ACL config should be the same on both Distribution Layer Switches?

Yes, the ACL should be applied on both Distribution switches, because both have SVIs on the same set of VLANs/subnets; for example, on SVI VLAN 40, direction inbound, and the ACL is the same.

Example:

Assuming the S1 IP is 10.10.10.101 and that the VLAN 40 subnet is 10.10.40.0/24, the ACL can be:

! Extended ACL 101: first match wins, implicit "deny ip any any" at the end
! Block VLAN 40 hosts from reaching S1 only
access-list 101 deny ip 10.10.40.0 0.0.0.255 host 10.10.10.101
! Allow VLAN 40 hosts to reach everything else
access-list 101 permit ip 10.10.40.0 0.0.0.255 any
!
! Bind it inbound on the VLAN 40 SVI (the IOS interface command is "ip access-group")
interface vlan 40
 ip access-group 101 in

Hope to help

Giuseppe

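To make the semantics that answer relies on concrete (top-down first match, Cisco wildcard masks, the implicit deny at the end of every IOS ACL, and why the same ACL has to live on both HSRP gateways), here is an added example that is not part of the original post or of any Cisco software. It simulates the inbound ACL 101 from the answer in Python and evaluates constructed sample packets against it. The addresses and the switch names DLSW1/DLSW2 come from the thread; the function and constant names are assumptions made for this example.

```python
"""Simulate IOS extended-ACL evaluation for the ACL in the accepted answer.

Added example, not code from the original post. Models:
  - Cisco wildcard-mask matching (bits set in the wildcard are don't-care)
  - top-down first-match evaluation
  - the implicit deny at the end of every IOS ACL
  - HSRP failover: the packet is filtered by whichever switch is active gateway
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Ace:
    """One access-control entry of an 'ip' extended ACL (protocol/ports omitted)."""
    action: str   # "permit" or "deny"
    src: str      # source address or network
    src_wc: str   # source wildcard mask
    dst: str      # destination address or network
    dst_wc: str   # destination wildcard mask


def _matches(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: compare only the bits that are 0 in the wildcard."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    wc = int(ipaddress.IPv4Address(wildcard))
    care = ~wc & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N {permit|deny} ip SRC WC DST WC' including 'host X' and 'any'."""
    tok = line.split()
    assert tok[0] == "access-list" and tok[3] == "ip", line
    action = tok[2]
    i, fields = 4, []
    for _ in range(2):  # source, then destination
        if tok[i] == "any":
            fields += ["0.0.0.0", "255.255.255.255"]
            i += 1
        elif tok[i] == "host":
            fields += [tok[i + 1], "0.0.0.0"]
            i += 2
        else:
            fields += [tok[i], tok[i + 1]]
            i += 2
    return Ace(action, *fields)


# The ACL exactly as posted in the accepted answer.
ACL_101: List[Ace] = [parse_ace(l) for l in """
access-list 101 deny ip 10.10.40.0 0.0.0.255 host 10.10.10.101
access-list 101 permit ip 10.10.40.0 0.0.0.255 any
""".strip().splitlines()]


def evaluate(acl: List[Ace], src: str, dst: str) -> str:
    """Return the verdict for a packet: first matching ACE wins, otherwise implicit deny."""
    for ace in acl:
        if _matches(src, ace.src, ace.src_wc) and _matches(dst, ace.dst, ace.dst_wc):
            return ace.action
    return "deny"


# Which ACL each distribution switch has bound "in" on its VLAN 40 SVI.
# None means no access-group on that SVI, i.e. no filtering at all.
BOTH: Dict[str, Optional[List[Ace]]] = {"DLSW1": ACL_101, "DLSW2": ACL_101}
ONLY_DLSW2: Dict[str, Optional[List[Ace]]] = {"DLSW1": None, "DLSW2": ACL_101}


def gateway_verdict(src: str, dst: str, switches: Dict[str, Optional[List[Ace]]], active: str) -> str:
    """Verdict seen by VLAN 40 traffic when 'active' is the current HSRP gateway for VLAN 40."""
    acl = switches[active]
    if acl is None:
        return "permit"          # nothing bound on this SVI: the packet is simply routed
    return evaluate(acl, src, dst)


def acls_consistent(switches: Dict[str, Optional[List[Ace]]]) -> bool:
    """True when every switch carries the identical ACL (the answer's requirement)."""
    acls = list(switches.values())
    return all(acl == acls[0] for acl in acls)


if __name__ == "__main__":
    # Constructed sample packets: (source, destination, description)
    samples = [
        ("10.10.40.25", "10.10.10.101", "VLAN 40 host -> S1"),
        ("10.10.40.25", "10.10.10.102", "VLAN 40 host -> another server"),
        ("10.10.30.5", "10.10.10.101", "non-VLAN-40 source arriving on VLAN 40 SVI"),
    ]
    for src, dst, what in samples:
        print(f"{what:45s} {evaluate(ACL_101, src, dst)}")
    print("after failover, ACL only on DLSW2:",
          gateway_verdict("10.10.40.25", "10.10.10.101", ONLY_DLSW2, active="DLSW1"))
```

The third sample packet shows why the ACL belongs inbound on the VLAN 40 SVI and nowhere broader: a source outside 10.10.40.0/24 matches neither line and falls to the implicit deny, which is correct on that SVI but would break traffic if the same ACL were bound on other interfaces. The last line shows the hole the answer warns about: with the ACL on DLSW2 only, an HSRP failover makes DLSW1 the VLAN 40 gateway and VLAN 40 reaches S1 unfiltered.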

4 Replies

balaji.bandi
Hall of Fame

The position of an Access Control List (ACL) in a Campus LAN depends on the specific security goal, the type of ACL, and whether you are using a router or a Layer 3 switch as the default gateway. 
 
In modern campus networks, both routers and Layer 3 switches are used to implement ACLs, but the guiding principle remains: Filter unwanted traffic as early as possible.
 
We have not seen the diagram yet on the post; based on the information posted, that is the best I can suggest so far.
Some official reference:

BB


Joseph W. Doherty
Hall of Fame

Don't see an attachment.

What @balaji.bandi stated, "Filter unwanted traffic as early as possible," is for efficiency, i.e. it avoids forwarding traffic that is going to be dropped.

However, perhaps another guiding principle would be to place an ACL where it's as convenient as possible.

For example, say I have a chassis edge switch with several hundred ports, and I want to prohibit all those ports from accessing some distant destination. I could apply an ACL on all the edge ports (for efficiency) or apply an ACL on the uplink port (for convenience). (Possibly another example: I could apply an ACL on all LAN ports or an ACL on a WAN port.)

Also for efficiency, you might apply an ACL on both end ports or, for convenience, a single ACL, applied both for ingress and egress, at a shared transit port.

Which approach to choose? It's an "it depends" kind of answer. If the traffic to be blocked would consume a major portion of your bandwidth, you normally want to block it ASAP. But if it's just a couple of small packets, like a TCP connection setup, convenience is convenient. ; )

Oh, I might add, a firewall is often an example of placing filtering at a shared transit location. Of course, one could correctly say FWs can do much more than ordinary ACLs, but routers, and some edge hosts, can, with additional software, support many, if not all, FW capabilities, and it would be more efficient; generally, though, other factors make it "better" to use a FW.
