IPv4 Access Control Lists (ACLs)
Planning an ACL Application
■ What are the logical points for minimizing unwanted traffic, and what
ACL application(s) should be used? In many cases it makes sense to
prevent unwanted traffic from reaching the core of your network by
configuring ACLs to drop the unwanted traffic at or close to the edge
of the network. (The earlier in the network path you can block
unwanted traffic, the greater the benefit for network performance.)
■ From where is the traffic coming? The source and destination of
traffic you want to filter determines the ACL application to use (static
port ACL, and dynamic port ACL).
■ What traffic should you explicitly block? Depending on your network
size and the access requirements of individual hosts, this can involve
creating a large number of ACEs in a given ACL (or a large number of
ACLs), which increases the complexity of your solution.
■ What traffic can you implicitly block by taking advantage of the
implicit deny ip any to deny traffic that you have not explicitly
permitted? This can reduce the number of entries needed in an ACL.
■ What traffic should you permit? In some cases you will need to
explicitly identify permitted traffic. In other cases, depending on your
policies, you can insert an ACE with “permit any” forwarding at the
end of an ACL. This means that all IPv4 traffic not specifically
matched by earlier entries in the list will be permitted.
Security
ACLs can enhance security by blocking traffic carrying an unauthorized
source IPv4 address (SA). This can include:
■ blocking access from specific devices or interfaces
■ blocking access to or from subnets in your network
■ blocking access to or from the internet
■ blocking access to sensitive data storage or restricted equipment
■ preventing specific IP, TCP, UDP, IGMP, and ICMP traffic types,
including unauthorized access using functions such as Telnet, SSH,
and web browser
You can also enhance switch management security by using ACLs to block
IPv4 traffic that has the switch itself as the destination address (DA).
9-25
To Next Page
Loading...
Need help?
General
