Every ACL should be placed where it has the greatest impact on efficiency. Improper placement makes the network slow and inefficient, while proper placement of an ACL makes the network more efficient by removing unnecessary traffic from it. For example, traffic that will be denied at a remote destination should be dropped near its source and not forwarded across the network, consuming resources along the whole route to that destination.
Standard ACLs Placement
Standard ACLs do not specify any destination address; therefore we place standard ACLs as close to the destination as possible. Implementing a standard ACL closest to the source of the traffic would prevent that traffic from reaching any other network through the interface where the ACL is applied.
We know that a standard ACL only filters traffic based on the source address. The basic rule is to place a standard ACL as close to the destination network as possible. This allows the traffic to reach all other networks except the network where the packets are filtered. In the figure below, we want to prevent traffic from the 192.168.2.0/24 network from reaching the 192.168.4.0/24 network.
If we place the standard ACL on the inbound interface of Router0, this stops traffic from the 192.168.2.0/24 network from reaching any other network. If we place the ACL on the outbound interface towards Router1, this stops 192.168.2.0/24 traffic from reaching any network behind Router1. If we place the ACL on an inbound or outbound interface of Router, this also prevents traffic from the 192.168.2.0/24 network from reaching any network behind Router1 and Router2. If we place the ACL inbound on interface Fa1/0 of Router2, this also stops all traffic from the 192.168.2.0/24 network from reaching any network behind Router2.
So the best place for the ACL is the Ethernet 1/0 interface of Router1, which is the closest interface to the destination. Therefore we apply the standard ACL outbound on interface Ethernet 1/0. This prevents traffic from 192.168.2.0/24 that passes out of the Ethernet 1/0 interface from reaching 192.168.4.0/24 and any other networks reachable through the 192.168.4.0/24 network, while leaving every other path open.
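The standard ACL placement described above, written out as Cisco IOS configuration. This is an added example, not configuration from the original article; the router name, interface name and ACL number 10 are assumed from the article's figure.

```cisco
! Added example: standard ACL on Router1, applied outbound on Ethernet 1/0,
! the interface closest to the 192.168.4.0/24 destination network.
! Wildcard 0.0.0.255 matches the whole /24 source network.
Router1(config)# access-list 10 remark Block 192.168.2.0/24 from reaching 192.168.4.0/24
Router1(config)# access-list 10 deny 192.168.2.0 0.0.0.255
! Every ACL ends with an implicit "deny any"; without this explicit permit,
! all other traffic leaving Ethernet 1/0 would be dropped as well.
Router1(config)# access-list 10 permit any
Router1(config)# interface Ethernet1/0
Router1(config-if)# ip access-group 10 out
Router1(config-if)# end
! Verify the entries and their match counters, and the interface binding
! ("Outgoing access list is 10").
Router1# show access-lists 10
Router1# show ip interface Ethernet1/0 | include access list
```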
Extended ACLs Placement
An extended ACL can filter traffic based on the source address as well as the destination address, protocol type, and port number. Extended ACLs give more flexibility in the type of traffic we want to filter and where to place the ACL. The basic rule for placing an extended ACL is to place it as close to the source of the traffic as possible, so that unnecessary traffic is filtered before it is sent across multiple networks.
The network administrator places extended ACLs on devices that they control. In the figure, the administrator wants to control FTP and Telnet traffic from the 192.168.1.0/24 and 192.168.2.0/24 networks. At the same time, all other traffic from both networks must be permitted to leave Router3 without any restriction.
There are a number of ways to accomplish these goals. We could configure an extended ACL inbound on the Router3 interfaces Fa0/0 and Fa0/1. But this is not best practice, because it requires configuring a separate extended ACL inbound on each of the two interfaces. The best practice is to place a single extended ACL outbound on Router3 interface Fa0/1. The extended ACL specifies both source and destination addresses and enforces the rule "Telnet and FTP traffic from the 192.168.1.0/24 and 192.168.2.0/24 networks is not allowed to go to the 192.168.3.0/24 network."
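The Router3 rule above as a named extended ACL in Cisco IOS. This is an added example, not configuration from the original article; the router name, the Fa0/1 interface and the ACL name BLOCK-TELNET-FTP are assumed from the article's scenario.

```cisco
! Added example: extended ACL on Router3, applied outbound on Fa0/1 so one
! list covers both source networks. "telnet" and "ftp" are the IOS port-name
! keywords for TCP 23 and TCP 21.
Router3(config)# ip access-list extended BLOCK-TELNET-FTP
Router3(config-ext-nacl)# remark Deny Telnet and FTP from 192.168.1.0/24 and 192.168.2.0/24 to 192.168.3.0/24
Router3(config-ext-nacl)# deny tcp 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255 eq telnet
Router3(config-ext-nacl)# deny tcp 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255 eq ftp
Router3(config-ext-nacl)# deny tcp 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255 eq telnet
Router3(config-ext-nacl)# deny tcp 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255 eq ftp
! All other traffic from both networks must still leave Router3; without this
! line the implicit "deny any" at the end of the list would drop it.
Router3(config-ext-nacl)# permit ip any any
Router3(config-ext-nacl)# exit
Router3(config)# interface FastEthernet0/1
Router3(config-if)# ip access-group BLOCK-TELNET-FTP out
Router3(config-if)# end
! Verify per-entry match counters after generating test traffic, and confirm
! the binding ("Outgoing access list is BLOCK-TELNET-FTP").
Router3# show access-lists BLOCK-TELNET-FTP
Router3# show ip interface FastEthernet0/1 | include access list
```

No entry for ftp-data (TCP 20) is needed here: an FTP data connection is only opened after the control connection on port 21 has succeeded, and in passive mode it uses a dynamic port anyway, so denying port 21 is what stops the session from being established.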
Where an ACL of this type is placed may also depend on the following:
- Ease of configuration – If we want to deny traffic coming from several networks, the first option is a single standard ACL placed closest to the destination. The main disadvantage of this ACL is that bandwidth is consumed unnecessarily along the route. Alternatively, we can configure an extended ACL on each source router. This saves bandwidth by filtering the traffic at the source, but requires creating extended ACLs on several routers.
- The extent of the network administrator's control – Placement of the ACL also depends on which networks the administrator controls. An administrator who controls both the source and destination networks can apply an ACL in either.
- Bandwidth of the networks – Filtering unwanted traffic at the source prevents unnecessary consumption of bandwidth. This is especially important in low-bandwidth networks.