There are two basic steps in configuring an ACL:
Step 1. Create an ACL.
Step 2. Apply the ACL to an interface.
These are explained further in the sections that follow.
The first step in the configuration process is to create an ACL for each protocol to be filtered, per interface. For some protocols, one ACL can be created to filter inbound traffic and another to filter outbound traffic.
To create an ACL, specify the protocol to be filtered by assigning a unique name or number to the ACL and then defining the filtering criteria. Each individual filtering rule within an ACL is called an access control entry (ACE); an ACL is the ordered group of ACEs that share that name or number, and a single ACL can hold many ACEs.
Each ACL must be uniquely identified by using either a name or a number. A device could have several ACLs configured; therefore, the device must have a way to distinguish one ACL from another. Assigning a name or a number to an ACL serves this objective along with binding the ACL entries together. The ACL name or number also tells the device which type of ACL it is. (Various ACL types are discussed later in this chapter.)
Table 2-5 lists the protocols for which a named ACL can be defined. Table 2-6 lists the protocols that can be defined with a numbered ACL, together with the range of ACL numbers that is valid for each.

Table 2-5 Protocols That Can Be Filtered with a Named ACL

| Protocol |
|---|
| Apollo Domain |
| IP |
| IPX |
| ISO CLNS |
| NetBIOS |
| Source-route bridging |

Table 2-6 Numbered ACL Ranges per Protocol

| Protocol | Range |
|---|---|
| IP standard | 1 to 99 and 1300 to 1999 |
| IP extended | 100 to 199 and 2000 to 2699 |
| Protocol type-code | 200 to 299 |
| 48-bit MAC address ACL | 700 to 799 |
| Extended 48-bit MAC address ACL | 1100 to 1199 |
Examples for creating an ACL are shown later under each type of ACL.
The second step of the configuration process is applying the ACL to an interface. An ACL can be defined without being applied to any interface, but it has no effect on forwarded traffic until it is bound to an interface in a given direction. ACLs are also referenced by other features besides interface filtering, for example as match criteria in a route map, to restrict SNMP access, or to classify traffic for QoS.
ACLs can be applied on many interfaces and devices in a network, and a number of factors should be weighed before deciding where to apply one. Figure 2-2 shows a requirement to block traffic from source Host A, which enters the network at Router A, from reaching destination Host B behind Router C. When deciding where to apply an ACL for a requirement such as the one in Figure 2-2, consider the following:
When using a standard ACL, apply it as close to the destination as possible, on Router C. A standard ACL matches on the source address only, so if it were applied at the ingress point on Router A it would drop every packet from Host A, including legitimate traffic to Host C or Host D, not just the traffic destined for Host B. Applying the ACL on Router C, on the interface facing Host B, confines the effect to the one flow that needs to be blocked. The cost is that the unwanted packets cross the whole network before being dropped, which is why Router C is the right place for a standard ACL rather than Router A or Router B.
When using an extended ACL, apply it as close to the source as possible, at the ingress point on Router A. An extended ACL matches on source and destination address, protocol, and ports, so it can single out the Host A to Host B flow without touching any of Host A's other traffic. Dropping the packet at the ingress point is then the better choice: applying the same ACL on Router C would achieve the same result, but every matching packet would first traverse Routers A and B, consuming bandwidth and forwarding resources, only to be discarded at Router C. Hence apply the extended ACL on Router A rather than on Router B or Router C.
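The following script is an added example, not code from the book or from Cisco IOS. It implements the two-step procedure above (define an ACL, then bind it to an interface with `ip access-group NAME in|out`) on a small parser for a subset of IOS ACL syntax, then walks a packet from Host A through Routers A, B and C to show where each placement drops it. The topology, host addresses (10.1.1.10 and so on), interface names and ACL names are all constructed for the illustration; only the `ip` protocol keyword and the `any`, `host` and address-plus-wildcard forms are modelled, with the first-match and implicit-deny semantics that real ACLs use.

```python
"""Parse a small subset of IOS ACL syntax and simulate where a packet is dropped on the
Host A -> Router A -> Router B -> Router C path. Added example with a constructed topology."""
import ipaddress

ANY = (0, 0xFFFFFFFF)  # 0.0.0.0 with wildcard 255.255.255.255: matches every address

def _ip(text):
    return int(ipaddress.ip_address(text))

def _parse_spec(tokens):
    """Consume one address spec: any | host A.B.C.D | A.B.C.D [W.W.W.W] -> (addr, wildcard)."""
    head = tokens.pop(0)
    if head == "any":
        return ANY
    if head == "host":
        return _ip(tokens.pop(0)), 0
    wildcard = _ip(tokens.pop(0)) if tokens and tokens[0][0].isdigit() else 0
    return _ip(head), wildcard

def _match(addr, spec):
    """Wildcard-mask compare: a 1 bit in the wildcard means that bit is not checked."""
    net, wild = spec
    care = ~wild & 0xFFFFFFFF
    return addr & care == net & care

def parse_router(config):
    """Step 1 (define ACLs) and step 2 (bind them to interfaces) from IOS-style text."""
    acls, ifaces, current = {}, {}, None
    for raw in config.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            continue
        if tok[:2] == ["ip", "access-list"]:          # ip access-list standard|extended NAME
            acls[tok[3]] = {"type": tok[2], "aces": []}
            current = ("acl", tok[3])
        elif tok[0] == "interface":
            ifaces.setdefault(tok[1], {})
            current = ("if", tok[1])
        elif tok[0] in ("permit", "deny") and current and current[0] == "acl":
            acl, rest = acls[current[1]], tok[1:]
            if acl["type"] == "extended":
                rest.pop(0)                           # protocol keyword; only 'ip' is modelled
                src, dst = _parse_spec(rest), _parse_spec(rest)
            else:
                src, dst = _parse_spec(rest), ANY     # standard ACL: source address only
            acl["aces"].append((tok[0] == "permit", src, dst))
        elif tok[:2] == ["ip", "access-group"] and current and current[0] == "if":
            ifaces[current[1]][tok[3]] = tok[2]       # ip access-group NAME in|out
    return {"acls": acls, "ifaces": ifaces}

def evaluate(acl, src, dst):
    """First matching ACE wins; no match falls through to the implicit deny."""
    for permit, s, d in acl["aces"]:
        if _match(src, s) and _match(dst, d):
            return permit
    return False

def forward(routers, path, src_ip, dst_ip):
    """Walk path [(router, ingress_if, egress_if), ...]. Return None if delivered,
    else (router, interface, direction) of the ACL that dropped the packet."""
    src, dst = _ip(src_ip), _ip(dst_ip)
    for router, in_if, out_if in path:
        cfg = routers[router]
        for iface, direction in ((in_if, "in"), (out_if, "out")):
            name = cfg["ifaces"].get(iface, {}).get(direction)
            acl = cfg["acls"].get(name) if name else None  # undefined ACL: IOS permits all
            if acl is not None and not evaluate(acl, src, dst):
                return router, iface, direction
    return None

# Constructed topology: Host C hangs off Router B; Hosts B and D sit on different
# interfaces of Router C. Each entry is the hop list from Host A to that destination.
HOST_A, HOST_B, HOST_C, HOST_D = "10.1.1.10", "10.3.3.20", "10.2.2.30", "10.4.4.40"
PATHS = {
    HOST_B: [("A", "Gi0/0", "Gi0/1"), ("B", "Gi0/0", "Gi0/1"), ("C", "Gi0/0", "Gi0/1")],
    HOST_C: [("A", "Gi0/0", "Gi0/1"), ("B", "Gi0/0", "Gi0/2")],
    HOST_D: [("A", "Gi0/0", "Gi0/1"), ("B", "Gi0/0", "Gi0/1"), ("C", "Gi0/0", "Gi0/2")],
}
STANDARD_ACL = ("BLOCK-HOST-A", "ip access-list standard BLOCK-HOST-A\n"
                " deny   host 10.1.1.10\n permit any\n")
EXTENDED_ACL = ("BLOCK-A-TO-B", "ip access-list extended BLOCK-A-TO-B\n"
                " deny   ip host 10.1.1.10 host 10.3.3.20\n permit ip any any\n")

def apply_at(acl, router, iface, direction):
    """Define the ACL on one router and bind it to one interface; the others stay empty."""
    name, text = acl
    routers = {r: parse_router("") for r in "ABC"}
    routers[router] = parse_router(f"{text}interface {iface}\n ip access-group {name} {direction}\n")
    return routers

def drops_from_host_a(routers):
    """Where (if anywhere) Host A's packet to each destination is dropped."""
    return {dst: forward(routers, path, HOST_A, dst) for dst, path in PATHS.items()}

if __name__ == "__main__":
    print("standard at A in :", drops_from_host_a(apply_at(STANDARD_ACL, "A", "Gi0/0", "in")))
    print("standard at C out:", drops_from_host_a(apply_at(STANDARD_ACL, "C", "Gi0/1", "out")))
    print("extended at A in :", drops_from_host_a(apply_at(EXTENDED_ACL, "A", "Gi0/0", "in")))
```

Running it shows the placement argument concretely: the standard ACL applied inbound on Router A drops Host A's packets to B, C and D alike, the same ACL applied outbound on Router C's interface toward Host B drops only the A-to-B flow, and the extended ACL inbound on Router A drops only A-to-B while letting the C and D flows through untouched. Swap in an address-plus-wildcard ACE such as `permit 10.1.1.0 0.0.0.255` to see the implicit deny catch everything the explicit entries do not match.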
For some protocols, up to two ACLs can be applied to an interface: one inbound ACL and one outbound ACL. With other protocols, only one ACL is allowed, and this list checks both inbound and outbound packets.
Note
Outbound ACLs applied to router interfaces do not filter traffic that the router itself originates, such as routing updates or pings sourced from the router; they act only on transit traffic.
The terms in, out, source, and destination are always relative to the device on which the ACL is applied, as seen from the flow of the traffic through it. As an analogy, traffic through the router can be compared to a passenger flying from Sydney to San Francisco. If the immigration department wants to stop this passenger traveling from Sydney (source) to San Francisco (destination), there are two possible points of interception:
The passenger could be stopped at Sydney airport, at departure control, before leaving (out).
The passenger could be stopped at San Francisco airport, at arrival control, on entry (in).
When referring to a device where an ACL is applied, these terms are defined as follows:
Out: Traffic that has already been processed through the router and is exiting the router interface (also called egress traffic). The source is where the traffic originated (on the other side of the router), and the destination is where it is going (beyond this router).
In: Traffic that arrives on the router interface (also called ingress traffic) and will be processed by the router for its destination traversing through this router. The source is where it has arrived from (before this router), and the destination is where it is going (on the other side of the router).