ACL Implementation Guide
If you find yourself in a situation where you need to filter traffic somewhere on your network, then knowing how to configure access control lists (ACLs) is an essential skill to have. An IP ACL can be configured on a specific interface in order to permit/deny traffic based on IP address and/or TCP/UDP port(s).
In this guide, you will learn how access control lists work, the two most commonly used ACL types and how to configure an ACL. We will also show you how to edit ACLs and discuss how they can be used for functions other than filtering IP traffic. This guide uses Cisco hardware and software in the configuration examples, although ACLs largely function the same across all enterprise network equipment.
No matter what ACL type you are configuring, there are a few rules you must understand before trying to configure your own. The two key rules are that entries are evaluated in top-down order and that every ACL ends with an implicit deny.
When configuring an ACL that has multiple entries, each entry is read in a top-down fashion. As soon as an ACL entry is matched, the device stops the matching process. Because of this, you want to make sure that your most specific access control entries are toward the top of the list so they can be matched first.
Implicit deny-all at the end of an ACL
At the end of every ACL, there is an implicit "deny-all" statement applied. So if you want to configure an ACL to block traffic from 10.0.0.0/8 and permit all other traffic, you must specify the permit entry. If you don't, the implicit deny-all at the end of the ACL will prevent any IP traffic from traversing the interface where the ACL is applied.
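To make the two rules concrete, here is an added Python simulator of standard-ACL evaluation with wildcard masks (example code written for this guide, not code from the article or from Cisco): it runs the 10.0.0.0/8 case above with and without the trailing permit, and reports entries that an earlier, broader entry shadows so they can never match. The ACL strings, source addresses and function names are constructed for the illustration.

```python
import ipaddress
from typing import List, Optional, Tuple
ALL = 0xFFFFFFFF  # wildcard mask: a 1 bit means "don't care", a 0 bit must match

def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def parse_ace(line: str) -> Tuple[str, int, int]:
    """'<permit|deny> any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' -> (action, net, wc)."""
    parts = line.split()
    action = parts[0]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in ACE: {line!r}")
    if parts[1] == "any":
        return action, 0, ALL
    if parts[1] == "host":
        return action, ip_to_int(parts[2]), 0
    wildcard = ip_to_int(parts[2]) if len(parts) > 2 else 0  # no wildcard given = host
    return action, ip_to_int(parts[1]), wildcard

def evaluate(acl: List[str], src: str) -> Tuple[str, Optional[int]]:
    """Top-down, first-match lookup; ("deny", None) is the implicit deny-all at the end."""
    s = ip_to_int(src)
    for idx, line in enumerate(acl):
        action, net, wc = parse_ace(line)
        if (s & ~wc & ALL) == (net & ~wc & ALL):
            return action, idx  # the device stops at the first matching entry
    return "deny", None

def shadowed_entries(acl: List[str]) -> List[int]:
    """Indexes of entries that can never match because an earlier entry covers them."""
    aces = [parse_ace(line) for line in acl]
    shadowed = []
    for j, (_, net_j, wc_j) in enumerate(aces):
        for _, net_i, wc_i in aces[:j]:
            # i covers j if i ignores every bit j ignores and agrees on the remaining bits
            if (wc_j & ~wc_i & ALL) == 0 and (net_i & ~wc_i & ALL) == (net_j & ~wc_i & ALL):
                shadowed.append(j)
                break
    return shadowed

# Constructed sample ACLs for the "block 10.0.0.0/8, permit everything else" scenario.
ONLY_DENY = ["deny 10.0.0.0 0.255.255.255"]                       # permit forgotten
DENY_THEN_PERMIT = ["deny 10.0.0.0 0.255.255.255", "permit any"]  # intended order
PERMIT_THEN_DENY = ["permit any", "deny 10.0.0.0 0.255.255.255"]  # deny is never reached

if __name__ == "__main__":  # quick demo of the three orderings
    for acl in (ONLY_DENY, DENY_THEN_PERMIT, PERMIT_THEN_DENY):
        print(acl, [evaluate(acl, s) for s in ("10.1.2.3", "192.168.1.10")], shadowed_entries(acl))
```

With only the deny entry, 192.168.1.10 falls through to the implicit deny; with the permit placed first, the deny entry is reported as shadowed and 10.1.2.3 is permitted.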