Guidelines for ACL Creation

Guidelines for ACL Creation

Guidelines for ACL Creation


This topic explain how to create ACLs. Start learning CCNA 200-301 for free right now!!

Note: Welcome: This topic is part of Module 4 of the Cisco CCNA 3 course, for a better follow up of the course you can go to the CCNA 3 section to guide you through an order.

Limited Number of ACLs per Interface

In a previous topic, you learned about how wildcard masks are used in ACLs. This topic will focus on the guidelines for ACL creation. There is a limit on the number of ACLs that can be applied on a router interface. For example, a dual-stacked (i.e., IPv4 and IPv6) router interface can have up to four ACLs applied, as shown in the figure.

Specifically, a router interface can have:

  • one outbound IPv4 ACL
  • one inbound IPv4 ACL
  • one inbound IPv6 ACL
  • one outbound IPv6 ACL
outbound & inbound IPv4
Outbound & Inbound IPv4

Assume R1 has two dual-stacked interfaces that require inbound and outbound IPv4 and IPv6 ACLs applied. As shown in the figure, R1 could have up to 8 ACLs configured and applied to interfaces. Each interface would have four ACLs; two ACLs for IPv4 and two ACLs for IPv6. For each protocol, one ACL is for inbound traffic and one for outbound traffic.

Note: ACLs do not have to be configured in both directions. The number of ACLs and their direction applied to the interface will depend on the security policy of the organization.

Limited Number of ACLs
Limited Number of ACLs

ACL Best Practices

Using ACLs requires attention to detail and great care. Mistakes can be costly in terms of downtime, troubleshooting efforts, and poor network service. Basic planning is required before configuring an ACL.

The table presents guidelines that form the basis of an ACL best practices list.

Guideline Benefit
Base ACLs on the organizational security policies. This will ensure you implement organizational security guidelines.
Write out what you want the ACL to do. This will help you avoid inadvertently creating potential access problems.
Use a text editor to create, edit, and save all of your ACLs. This will help you create a library of reusable ACLs.
Document the ACLs using the remark command. This will help you (and others) understand the purpose of an ACE.
Test the ACLs on a development network before implementing them on a production network. This will help you avoid costly errors.

Glossary: If you have doubts about any special term, you can consult this computer network dictionary.

Ready to go! Keep visiting our networking course blog, give Like to our fanpage; and you will find more tools and concepts that will make you a networking professional.

More Goodies
Software-Defined Networking CCNA
Software-Defined Networking