Reasons to Configure ACLs
There are many reasons to configure access lists; for example, you can use access lists to restrict contents of
switching updates or to provide traffic flow control. One of the most important reasons to configure access
lists is to provide a basic level of security for your network by controlling access to it. If you do not configure
access lists on your device, all packets passing through the device could be allowed onto all parts of your
network.
An access list can allow one host to access a part of your network and prevent another host from accessing
the same area. For example, by applying an appropriate access list to interfaces of a device, Host A is allowed
to access the human resources network and Host B is prevented from accessing the human resources network.
You can use access lists on a device that is positioned between two parts of your network, to control traffic
entering or exiting a specific part of your internal network.
To provide some security benefits of access lists, you should at least configure access lists on border
devices—devices located at the edges of your networks. Such an access list provides a basic buffer from the
outside network or from a less controlled area of your own network into a more sensitive area of your network.
On these border devices, you should configure access lists for each network protocol configured on the device
interfaces. You can configure access lists so that inbound traffic or outbound traffic or both are filtered on an
interface.
Access lists are defined on a per-protocol basis. In other words, you should define access lists for every
protocol enabled on an interface if you want to control traffic flow for that protocol.
Software Processing of an Access List
The following general steps describe how an access list is processed when it is applied to an interface, a
vty, or referenced by any command. These steps apply to an access list that has 13 or fewer access list entries.
• The software receives an IP packet and tests parts of each packet being filtered against the conditions
in the access list, one condition (permit or deny statement) at a time. For example, the software tests
the source and destination addresses of the packet against the source and destination addresses in a
permit or deny statement.
• If a packet does not match an access list statement, the packet is then tested against the next statement
in the list.
• If a packet and an access list statement match, the rest of the statements in the list are skipped and the
packet is permitted or denied as specified in the matched statement. The first entry that the packet matches
determines whether the software permits or denies the packet. That is, after the first match, no subsequent
entries are considered.
• If the access list denies a packet, the software discards the packet and returns an Internet Control Message
Protocol (ICMP) Host Unreachable message.
• If no conditions match, the software drops the packet. This is because each access list ends with an
unwritten, implicit deny statement. That is, if the packet has not been permitted by the time it was tested
against each statement, it is denied.
An access list with more than 13 entries is processed using a trie-based lookup algorithm. This process will
happen automatically; it does not need to be configured.
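The sequential, first-match evaluation described above can be modelled in a few lines. The following Python is an added example, not Cisco code or output from the guide: it parses a small, constructed subset of the extended ACL statement syntax (`permit`/`deny`, protocol `ip` only, with `any`, `host X`, or `address wildcard` for source and destination), applies Cisco wildcard-mask semantics (a 0 bit in the wildcard must match, a 1 bit is ignored), stops at the first matching entry, and falls through to the implicit deny when nothing matches. The ACL and addresses are made up to mirror the Host A / Host B human-resources scenario above.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AddrMatch:
    """An address plus a Cisco wildcard mask.

    Wildcard bit 0 = this address bit must match; wildcard bit 1 = don't care.
    """
    addr: int
    wildcard: int

    def matches(self, ip: str) -> bool:
        care = ~self.wildcard & 0xFFFFFFFF
        return (int(ipaddress.IPv4Address(ip)) & care) == (self.addr & care)


ANY = AddrMatch(0, 0xFFFFFFFF)  # "any": every bit is don't-care


def _parse_addr(tokens: List[str], i: int) -> Tuple[AddrMatch, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.X.Y.Z' starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ANY, i + 1
    if tok == "host":
        return AddrMatch(int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    addr = int(ipaddress.IPv4Address(tok))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return AddrMatch(addr, wildcard), i + 2


@dataclass(frozen=True)
class Ace:
    """One access control entry (a single permit or deny statement)."""
    action: str
    src: AddrMatch
    dst: AddrMatch
    text: str


def parse_ace(line: str) -> Ace:
    """Parse a simplified extended ACE: (permit|deny) ip <src> <dst>."""
    tokens = line.split()
    if tokens[0] not in ("permit", "deny"):
        raise ValueError(f"bad action in: {line}")
    if tokens[1] != "ip":
        raise ValueError("this example models only the 'ip' protocol keyword")
    src, i = _parse_addr(tokens, 2)
    dst, i = _parse_addr(tokens, i)
    if i != len(tokens):
        raise ValueError(f"trailing tokens in: {line}")
    return Ace(tokens[0], src, dst, line)


def evaluate(acl: List[Ace], src_ip: str, dst_ip: str) -> Tuple[str, Optional[Ace]]:
    """Test the packet against each entry in order; the first match decides.

    Returns (action, matched_entry). If no entry matches, the implicit deny
    at the end of every access list applies and matched_entry is None.
    """
    for ace in acl:
        if ace.src.matches(src_ip) and ace.dst.matches(dst_ip):
            return ace.action, ace
    return "deny", None


# Constructed sample ACL: Host A (10.1.1.10) may reach the HR network
# (10.20.0.0/16), Host B (10.1.1.20) may not, and the rest of 10.1.0.0/16
# may go anywhere. Addresses are illustrative only.
SAMPLE_ACL = [parse_ace(line) for line in [
    "permit ip host 10.1.1.10 10.20.0.0 0.0.255.255",
    "deny ip host 10.1.1.20 10.20.0.0 0.0.255.255",
    "permit ip 10.1.0.0 0.0.255.255 any",
]]


def decision(acl: List[Ace], src_ip: str, dst_ip: str) -> str:
    """Convenience wrapper returning just 'permit' or 'deny'."""
    return evaluate(acl, src_ip, dst_ip)[0]


if __name__ == "__main__":
    for src, dst in [("10.1.1.10", "10.20.5.5"), ("10.1.1.20", "10.20.5.5"),
                     ("10.1.1.20", "10.30.1.1"), ("192.168.1.1", "10.20.5.5")]:
        action, ace = evaluate(SAMPLE_ACL, src, dst)
        why = ace.text if ace else "implicit deny (no entry matched)"
        print(f"{src} -> {dst}: {action:6}  [{why}]")
```

Note that Host B is denied by the second entry even though the third entry would have permitted it; with the entries reordered so the broad permit comes first, the same packet is permitted. That is the practical consequence of first-match processing: entry order, not just entry content, defines the policy, and the more specific statements must precede the general ones.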
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(4)E (Catalyst 2960-X Switches)
1163
Information About Access Control Lists