This topic explains how to create ACLs.
Note: This topic is part of Module 4 of the Cisco CCNA 3 course. To follow the course in order, see the CCNA 3 section.
Limited Number of ACLs per Interface
In a previous topic, you learned how wildcard masks are used in ACLs. This topic focuses on the guidelines for ACL creation. There is a limit on the number of ACLs that can be applied to a router interface: one per protocol per direction. For example, a dual-stacked (i.e., IPv4 and IPv6) router interface can have up to four ACLs applied, as shown in the figure.
Specifically, a router interface can have:
one outbound IPv4 ACL
one inbound IPv4 ACL
one inbound IPv6 ACL
one outbound IPv6 ACL
Assume R1 has two dual-stacked interfaces that require inbound and outbound IPv4 and IPv6 ACLs applied. As shown in the figure, R1 could have up to 8 ACLs configured and applied to interfaces. Each interface would have four ACLs; two ACLs for IPv4 and two ACLs for IPv6. For each protocol, one ACL is for inbound traffic and one for outbound traffic.
Note: ACLs do not have to be configured in both directions. The number of ACLs and their direction applied to the interface will depend on the security policy of the organization.
ACL Best Practices
Using ACLs requires attention to detail and great care. Mistakes can be costly in terms of downtime, troubleshooting efforts, and poor network service. Basic planning is required before configuring an ACL.
The table presents guidelines that form the basis of an ACL best practices list. Each guideline is followed by the benefit it provides.

Guideline: Base ACLs on the organizational security policies.
Benefit: This will ensure you implement organizational security guidelines.

Guideline: Write out what you want the ACL to do.
Benefit: This will help you avoid inadvertently creating potential access problems.

Guideline: Use a text editor to create, edit, and save all of your ACLs.
Benefit: This will help you create a library of reusable ACLs.

Guideline: Document the ACLs using the remark command.
Benefit: This will help you (and others) understand the purpose of an ACE.

Guideline: Test the ACLs on a development network before implementing them on a production network.
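The following configuration is an added example written for this page; it is not from the Cisco course. It shows both points above in one place: a single dual-stacked interface with all four ACL slots filled (one IPv4 and one IPv6 ACL in each direction), and each ACL documented with remark lines so the purpose of every ACE is recorded in the running configuration. The ACL names (BRANCH-IN-V4, BRANCH-OUT-V4, BRANCH-IN-V6, BRANCH-OUT-V6), the interface GigabitEthernet0/0/0, the private IPv4 ranges and the 2001:db8::/32 documentation prefixes are all hypothetical.

```cisco
! Added example, not course material. Names, interface and prefixes are hypothetical.
!
! IPv4 inbound: only the branch LAN may reach the HQ server subnet
ip access-list extended BRANCH-IN-V4
 remark Permit branch LAN 192.168.10.0/24 to HQ servers 10.1.1.0/24
 permit ip 192.168.10.0 0.0.0.255 10.1.1.0 0.0.0.255
 remark Explicit deny with log so matches are visible in show access-lists
 deny ip any any log
!
! IPv4 outbound: stop internal 172.16.0.0/12 sources leaking toward the branch
ip access-list extended BRANCH-OUT-V4
 remark Block RFC 1918 172.16.0.0/12 sources leaving toward the branch
 deny ip 172.16.0.0 0.15.255.255 any
 permit ip any any
!
! IPv6 inbound: same policy for the IPv6 prefixes
ipv6 access-list BRANCH-IN-V6
 remark Permit branch 2001:db8:10::/64 to HQ servers 2001:db8:1::/64
 permit ipv6 2001:db8:10::/64 2001:db8:1::/64
 remark An explicit deny any hides the implicit ND permits, so restore them first
 permit icmp any any nd-na
 permit icmp any any nd-ns
 deny ipv6 any any log
!
! IPv6 outbound
ipv6 access-list BRANCH-OUT-V6
 remark Block the internal-only 2001:db8:dead::/48 prefix leaving toward the branch
 deny ipv6 2001:db8:dead::/48 any
 permit ipv6 any any
!
! The four slots on one interface: one ACL per protocol per direction
interface GigabitEthernet0/0/0
 ip access-group BRANCH-IN-V4 in
 ip access-group BRANCH-OUT-V4 out
 ipv6 traffic-filter BRANCH-IN-V6 in
 ipv6 traffic-filter BRANCH-OUT-V6 out
```

Two checks worth making after applying this on a lab router, as the last guideline recommends: show ip interface GigabitEthernet0/0/0 and show ipv6 interface GigabitEthernet0/0/0 report which ACL is bound in each direction, and show access-lists shows per-ACE match counters, which is why the example ends each deny-everything ACL with an explicit logged deny. Note that a second ip access-group or ipv6 traffic-filter entered for the same direction on the same interface does not add a fifth ACL; it replaces the one already bound there, so a typo in the name silently swaps the policy rather than producing an error.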