Most Complete Teaching of Access Control List (ACL)
Learn about Cisco ACLs and best practices for creating and applying them. Understand the importance of order and placement for effective filtering. Ideal for network engineers.
What you’ll learn
- Standard Access Control List [ACL]
- Extended Access Control List [ACL]
- Port ACL [PACL]
- VLAN ACL [VACL]
- PACL , VACL and RACL Interaction
Cisco ACLs are characterized by single or multiple permit/deny statements. The purpose is to filter inbound or outbound packets on a selected network interface. There are a variety of ACL types that are deployed based on requirements. Only two ACLs are permitted on a Cisco interface per protocol. That would include for instance a single IP ACL applied inbound and single IP ACL applied outbound.
Cisco best practices for creating and applying ACLs
Apply extended ACL near source
Apply standard ACL near destination
Order ACL with multiple statements from most specific to least specific.
Maximum of two ACLs can be applied to a Cisco network interface.
Only one ACL can be applied inbound or outbound per interface per Layer 3 protocol.
There are some recommended best practices when creating and applying access control lists (ACL). The network administrator should apply a standard ACL closest to the destination. The standard ACL statement is comprised of a source IP address and wildcard mask. There is a common number or name that assigns multiple statements to the same ACL.
Standard ACLs are an older type and very general. As a result they can inadvertently filter traffic incorrectly. Applying the standard ACL near the destination is recommended to prevents possible over-filtering. The extended ACL should be applied closest to the source. Extended ACLs are granular (specific) and provide more filtering options. They include source address, destination address, protocols and port numbers. Applying extended ACLs nearest to the source prevents traffic that should be filtered from traversing the network. That conserves bandwidth and additional processing required at each router hop from source to destination endpoints.
Some access control lists are comprised of multiple statements. The ordering of statements is key to ACL processing. The router starts from the top (first) and cycles through all statements until a matching statement is found. The packet is dropped when no match exists. Order all ACL statements from most specific to least specific. Assigning least specific statements first will sometimes cause a false match to occur. As a result the match on the intended ACL statement never occurs.
Who this course is for:
- Network Engineers
User Reviews
Be the first to review “Most Complete Teaching of Access Control List (ACL)”
You must be logged in to post a review.
There are no reviews yet.