
ACL Configuration

There are two basic steps in configuring an ACL:

Step 1. Create an ACL.

Step 2. Apply the ACL to an interface.

These are explained further in the sections that follow.

Creating an ACL

The first step in the configuration process is to create an ACL for each protocol to be filtered, per interface. For some protocols, one ACL can be created to filter inbound traffic and another to filter outbound traffic.

To create an ACL, specify the protocol to be filtered, assign a unique name or number to the ACL, and define the filtering criteria. Each individual filtering rule within an ACL is called an access control entry (ACE); a single ACL can contain multiple ACEs, and it is this group of ACEs that forms the ACL.

Assigning a Unique Name or Number to Each ACL

Each ACL must be uniquely identified by either a name or a number. A device can have several ACLs configured, so it needs a way to distinguish one ACL from another; assigning a name or number serves this purpose and also binds the ACL's entries together. The ACL name or number also tells the device which type of ACL it is. (The various ACL types are discussed later in this chapter.)

Table 2-5 lists the protocols for which an ACL can be specified by name, and Table 2-6 lists the protocols for which an ACL can be specified by number, together with the range of ACL numbers that is valid for each.

Table 2-5. Protocols with ACL Specified by Name

Protocol
  Apollo Domain
  IP
  IPX
  ISO CLNS
  Network BIOS
  Source-route bridging network


Table 2-6. Protocols with ACL Specified by Number

Protocol                          Range
IP Standard                       1 to 99 and 1300 to 1999
IP Extended                       100 to 199 and 2000 to 2699
Protocol type-code                200 to 299
48-bit MAC address ACL            700 to 799
Extended 48-bit MAC address ACL   1100 to 1199


Examples for creating an ACL are shown later under each type of ACL.

Applying an ACL to an Interface

The second step of the configuration process is applying the ACL to an interface. ACLs can be defined without being applied to any interface on the device, but an ACL has no effect until it is applied to an interface. ACLs are also used by features other than interface filtering, such as route maps, SNMP access control, and traffic-classification techniques.

ACLs can be applied on various interfaces and devices in a network, but a number of factors should be weighed before deciding where to apply them. Figure 2-2 shows a requirement to block traffic from source Host A to destination Host B as it enters the network at Router A. When deciding where to apply an ACL for a requirement such as the one in Figure 2-2, consider the following:

Figure 2-2. Where to Apply ACL—Considerations


For some protocols, up to two ACLs can be applied to an interface: one inbound ACL and one outbound ACL. With other protocols, only one ACL is allowed, and this list checks both inbound and outbound packets.
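The two configuration steps above, written out as an added Cisco IOS example that is not from this chapter; the ACL name, interface name and addresses are constructed placeholders. It uses one numbered standard ACL (number 10, inside the 1 to 99 IP Standard range of Table 2-6) and one named extended ACL, and applies them to the same interface in opposite directions, which is the one-inbound-plus-one-outbound limit described for IP.

```cisco
! Step 1: create a standard numbered IP ACL.
! Number 10 falls in the 1 to 99 range, so the device knows this is an IP Standard ACL.
! 192.0.2.10 is a constructed example address for Host A.
access-list 10 remark Block Host A (constructed addresses)
access-list 10 deny   host 192.0.2.10
access-list 10 permit any
!
! Step 1, named form: an extended IP ACL identified by a name instead of a number.
! Host B's address (198.51.100.20) is also a constructed placeholder.
ip access-list extended BLOCK-HOSTA-TO-HOSTB
 deny   ip host 192.0.2.10 host 198.51.100.20
 permit ip any any
!
! Step 2: apply the ACLs to an interface, one per direction.
! Neither ACL does anything until this step; the interface name is an assumption.
interface GigabitEthernet0/0
 ip access-group 10 in
 ip access-group BLOCK-HOSTA-TO-HOSTB out
!
! Verify: list the ACEs of each ACL, then confirm which ACL is bound in each direction.
show ip access-lists
show ip interface GigabitEthernet0/0
```

Remember from the Note that the outbound ACL on GigabitEthernet0/0 does not filter packets the router itself originates.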

Note

Outbound ACLs that are applied to router interfaces do not filter traffic that originates from the router.


Direction of the ACL

The terms in, out, source, and destination are used from the device's point of view, relative to the flow of the traffic. As an analogy, traffic through the router can be compared to a passenger flying from Sydney to San Francisco. If the immigration department wants to stop this passenger traveling from Sydney (source) to San Francisco (destination), there are two possibilities for interception:

When referring to a device where an ACL is applied, these terms are defined as follows:
