This section covers design issues with ACLs: where you should place ACLs of a given type (standard or extended). In other words, given the source and destination that you are filtering, on what router and what interface on that router should you activate your ACL? This section covers some of the important points you should be aware of when determining where to put your ACLs.

First, don't go crazy with ACLs and create dozens and dozens of them across all of your routers. This makes testing and troubleshooting your filtering rules almost impossible. If you have followed Cisco’s three-layer hierarchy—core, distribution, and access—you’ll want to put your ACLs on your distribution layer routers.

The second point to make is that you will want to limit the number of statements in your ACL. An ACL with hundreds of statements is almost impossible to test and troubleshoot. As an example, I had a student in one of the router classes I taught who had a question on an ACL they used at their site—it was six pages long! After I sat with this student, we were able to reduce this to about a page and a half. The original ACL had a lot of unnecessary and overlapping commands that we removed or changed.

As to where you should place your ACLs, the following two rules hold true in most situations:

• Standard ACLs should be placed as close to the destination devices as possible.
• Extended ACLs should be placed as close to the source devices as possible.
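The two placement rules above, shown as an added IOS configuration example that is not from the original text. The topology, addresses, interface names and ACL numbers are constructed for illustration: LAN A (192.168.1.0/24) sits behind R1, LAN B (192.168.2.0/24) and LAN C (192.168.3.0/24) sit behind R2, and the goal is to keep LAN A out of LAN B while leaving LAN A's access to LAN C intact.

```cisco
! ---------------------------------------------------------------
! Constructed topology (assumption, not from the original text):
!   LAN A 192.168.1.0/24 -- Fa0/0 [R1] ---- [R2] Fa0/0 -- LAN B 192.168.2.0/24
!                                                Fa0/1 -- LAN C 192.168.3.0/24
! ---------------------------------------------------------------

! Option 1: standard ACL, placed close to the DESTINATION (on R2).
! A standard ACL matches on source address only. Applied outbound on
! the LAN B interface, it drops LAN A traffic headed to LAN B and
! nothing else. Applied on R1 instead, the same ACL would drop LAN A
! traffic to every destination, including LAN C.
!
! R2
access-list 10 deny 192.168.1.0 0.0.0.255
access-list 10 permit any
!
interface FastEthernet0/0
 description LAN B (destination segment)
 ip access-group 10 out

! Option 2: extended ACL, placed close to the SOURCE (on R1).
! An extended ACL matches on source and destination, so it can be
! applied inbound on the LAN A interface without affecting traffic
! to LAN C. Unwanted packets are dropped before they are routed or
! cross the link between R1 and R2.
!
! R1
access-list 110 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip any any
!
interface FastEthernet0/0
 description LAN A (source segment)
 ip access-group 110 in
```

Either option enforces the policy on its own. After applying one, `show access-lists` on that router displays per-statement match counters, which lets you confirm that the deny line is being hit and the final permit is still passing other traffic.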