Reasons To Configure Acls - Cisco Catalyst 2960 series Configuration Manual
Consolidated platform configuration guide, ios release 15.2(4)e
Hide thumbs
Also See for Catalyst 2960 series:
- Software configuration manual (980 pages) ,
- Command reference manual (800 pages) ,
- Configuration manual (120 pages)
Table of Contents
Advertisement
Reasons to Configure ACLs
There are many reasons to configure access lists; for example, you can use access lists to restrict contents of
switching updates or to provide traffic flow control. One of the most important reasons to configure access
lists is to provide a basic level of security for your network by controlling access to it. If you do not configure
access lists on your device, all packets passing through the device could be allowed onto all parts of your
network.
An access list can allow one host to access a part of your network and prevent another host from accessing
the same area. For example, by applying an appropriate access list to interfaces of a device, Host A is allowed
to access the human resources network and Host B is prevented from accessing the human resources network.
You can use access lists on a device that is positioned between two parts of your network, to control traffic
entering or exiting a specific part of your internal network.
To provide some security benefits of access lists, you should at least configure access lists on border
devices—devices located at the edges of your networks. Such an access list provides a basic buffer from the
outside network or from a less controlled area of your own network into a more sensitive area of your network.
On these border devices, you should configure access lists for each network protocol configured on the device
interfaces. You can configure access lists so that inbound traffic or outbound traffic or both are filtered on an
interface.
Access lists are defined on a per-protocol basis. In other words, you should define access lists for every
protocol enabled on an interface if you want to control traffic flow for that protocol.
Software Processing of an Access List
The following general steps describe how the an access list is processed when it is applied to an interface, a
vty, or referenced by any command. These steps apply to an access list that has 13 or fewer access list entries.
• The software receives an IP packet and tests parts of each packet being filtered against the conditions
in the access list, one condition (permit or deny statement) at a time. For example, the software tests
the source and destination addresses of the packet against the source and destination addresses in a
permit or denystatement.
• If a packet does not match an access list statement, the packet is then tested against the next statement
in the list.
• If a packet and an access list statement match, the rest of the statements in the list are skipped and the
packet is permitted or denied as specified in the matched statement. The first entry that the packet matches
determines whether the software permits or denies the packet. That is, after the first match, no subsequent
entries are considered.
• If the access list denies a packet, the software discards the packet and returns an Internet Control Message
Protocol (ICMP) Host Unreachable message.
• If no conditions match, the software drops the packet. This is because each access list ends with an
unwritten, implicit deny statement. That is, if the packet has not been permitted by the time it was tested
against each statement, it is denied.
An access list with more than 13 entries is processed using a trie-based lookup algorithm. This process will
happen automatically; it does not need to be configured.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(4)E (Catalyst 2960-X Switches)
Information About Access Control Lists
1163
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
