
Scott Empson and Hans Roth

"CCNP ISCW Portable Command Guide"

ACLs can be used not only for packet filtering but also for selecting specific types of traffic for analysis. The following is a list of tips to consider when using ACLs:

• If you want to deny or permit the entire IP protocol stack, use a standard ACL. If you want to deny or permit only part of the stack (only open up a single port, for example), use an extended ACL.

• Standard ACLs use numbers 1 to 99 and 1300 to 1999. Extended ACLs use numbers 100 to 199 and 2000 to 2699. If you are using names for your ACLs, the names cannot contain spaces or punctuation, and must begin with an alphabetic character.

• ACLs applied in an inbound direction apply to packets that are received on the router interface and are trying to travel into or through the router to a different exit interface. ACLs applied in an outbound direction apply to packets that are trying to leave the router through an exit interface.

• Disable unused services, ports, or protocols. If no one needs them, turn them off. If someone needs access to them, use an ACL.

• You can have only one ACL per interface, per direction, per protocol. Therefore, combine your requirements into a single ACL.

• All Cisco ACLs end with the implicit deny statement that denies everything.
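The following IOS configuration is an added example that illustrates the tips above; it is not taken from the book. It assumes a router whose management address is 10.0.0.1, an administrator subnet of 192.168.10.0/24, and an interface named GigabitEthernet0/0 (all constructed values). The standard ACL matches the whole IP stack by source address, the named extended ACL opens only single ports and protocols, both requirements for the inbound direction are combined into one ACL because only one ACL is allowed per interface, direction, and protocol, and the implicit deny is written out explicitly with the log keyword so that dropped traffic shows up in the router log.

```cisco
! Standard ACL (number in the 1-99 range): matches on source address only,
! so it permits or denies the entire IP protocol stack for that source.
access-list 10 remark Permit the admin subnet, log everything else
access-list 10 permit 192.168.10.0 0.0.0.255
! The implicit deny would drop everything else silently; making it
! explicit with "log" gives visibility into what is being blocked.
access-list 10 deny any log

! Named extended ACL: name starts with a letter, no spaces or punctuation.
! Only SSH (TCP/22) and ICMP echo to the management address are opened;
! both inbound requirements live in this single ACL because only one ACL
! can be applied per interface, per direction, per protocol.
ip access-list extended MgmtInbound
 remark SSH from the admin subnet to the management address only
 permit tcp 192.168.10.0 0.0.0.255 host 10.0.0.1 eq 22
 remark Allow ping to the management address for reachability checks
 permit icmp 192.168.10.0 0.0.0.255 host 10.0.0.1 echo
 remark Explicit form of the implicit deny, logged
 deny ip any any log

! Inbound: packets arriving on this interface destined into or through the
! router. Outbound: packets leaving the router through this interface.
interface GigabitEthernet0/0
 ip access-group MgmtInbound in
 ip access-group 10 out
```

To check the result, show access-lists displays per-entry hit counters and show ip interface GigabitEthernet0/0 confirms which ACL is applied in each direction; a rising counter on the explicit deny entry is the quickest way to see traffic that the implicit deny would otherwise have dropped without a trace.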

