General Guidelines for Creating ACLs

Access Control List (ACL) configuration is not an easy task. Several policies may be needed to control the type of traffic allowed to enter or leave an interface. Suppose we have a router with two interfaces, both configured with IPv4 and IPv6. If we need ACLs for both IPv4 and IPv6, on both interfaces and in both directions (inbound and outbound), each interface needs four ACLs: one for IPv4 inbound, one for IPv4 outbound, one for IPv6 inbound and one for IPv6 outbound. That makes eight separate ACLs in total. ACLs do not have to be configured for both the inbound and outbound directions; the number of ACLs and the direction in which they are applied to an interface generally depend on the requirements of the network. The general guidelines for using ACLs are as follows:

  • Use Access Control Lists (ACLs) on routers positioned between the internal network and an external network, typically on a firewall router.
  • Use Access Control Lists (ACLs) on a router positioned between two parts of your network to control traffic entering or leaving a specific part.
  • Access Control Lists (ACLs) can also be configured on border routers, positioned at the edges of the network.
  • Configure Access Control Lists (ACLs) for every network protocol in use on the border router interfaces.

The Three P’s

The three P’s summarize the ACL guidelines: configure one ACL per protocol, per direction, per interface:

  • One ACL per protocol – To control traffic flow on an interface, an ACL must be defined for each protocol enabled on the interface, for example IP, IPX or AppleTalk.
  • One ACL per direction – An ACL controls traffic in only one direction at a time on an interface, so two separate ACLs must be configured to control inbound and outbound traffic.
  • One ACL per interface – An ACL controls traffic for a single interface, for example GigabitEthernet 0/0 or FastEthernet 0/1.
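The two-interface, dual-stack router described at the top of this page and the three P’s above come together in the following Cisco IOS configuration. It is an added example, not configuration from the original article: the interface roles (GigabitEthernet0/0 facing outside, GigabitEthernet0/1 facing inside), the ACL names, and the addresses (taken from the documentation ranges 192.0.2.0/24, 203.0.113.0/24 and 2001:db8::/32) are all assumptions chosen for illustration. It applies one ACL per protocol (IPv4 and IPv6), per direction (in and out), per interface, which is the eight-ACL count the text arrives at.

```cisco
! Added example (not from the original article). Topology and addressing are assumptions:
!   Gi0/0 = outside, 203.0.113.1/24 and 2001:db8:2::1/64
!   Gi0/1 = inside,  192.0.2.1/24  and 2001:db8:1::1/64, web server at .10 / ::10
! Each interface carries 4 ACLs (IPv4 in/out, IPv6 in/out) = 8 ACLs on the router.
!
! ---- GigabitEthernet0/0 (outside): IPv4, inbound and outbound ----
ip access-list extended OUTSIDE-IN-V4
 remark inbound from outside: HTTPS to the server plus return traffic to the inside prefix
 permit tcp any host 192.0.2.10 eq 443
 permit tcp any 192.0.2.0 0.0.0.255 established
 deny ip any any log
!
ip access-list extended OUTSIDE-OUT-V4
 remark outbound to outside: only packets sourced from our own prefix may leave
 permit ip 192.0.2.0 0.0.0.255 any
 deny ip any any log
!
! ---- GigabitEthernet0/0 (outside): IPv6, inbound and outbound ----
ipv6 access-list OUTSIDE-IN-V6
 remark an explicit final deny also drops Neighbor Discovery, so permit ND first
 permit icmp any any nd-ns
 permit icmp any any nd-na
 permit tcp any host 2001:db8:1::10 eq 443
 permit tcp any 2001:db8:1::/64 established
 deny ipv6 any any log
!
ipv6 access-list OUTSIDE-OUT-V6
 permit icmp any any nd-ns
 permit icmp any any nd-na
 permit ipv6 2001:db8:1::/64 any
 deny ipv6 any any log
!
! ---- GigabitEthernet0/1 (inside): IPv4, inbound and outbound ----
ip access-list extended INSIDE-IN-V4
 remark inbound from inside: anti-spoofing, only the inside prefix may source packets
 permit ip 192.0.2.0 0.0.0.255 any
 deny ip any any log
!
ip access-list extended INSIDE-OUT-V4
 remark outbound toward inside: what the inside hosts are allowed to receive
 permit tcp any host 192.0.2.10 eq 443
 permit tcp any 192.0.2.0 0.0.0.255 established
 deny ip any any log
!
! ---- GigabitEthernet0/1 (inside): IPv6, inbound and outbound ----
ipv6 access-list INSIDE-IN-V6
 permit icmp any any nd-ns
 permit icmp any any nd-na
 permit ipv6 2001:db8:1::/64 any
 deny ipv6 any any log
!
ipv6 access-list INSIDE-OUT-V6
 permit icmp any any nd-ns
 permit icmp any any nd-na
 permit tcp any host 2001:db8:1::10 eq 443
 permit tcp any 2001:db8:1::/64 established
 deny ipv6 any any log
!
! ---- Bind each ACL to exactly one interface, one protocol, one direction ----
interface GigabitEthernet0/0
 description outside (assumed)
 ip address 203.0.113.1 255.255.255.0
 ipv6 address 2001:db8:2::1/64
 ip access-group OUTSIDE-IN-V4 in
 ip access-group OUTSIDE-OUT-V4 out
 ipv6 traffic-filter OUTSIDE-IN-V6 in
 ipv6 traffic-filter OUTSIDE-OUT-V6 out
!
interface GigabitEthernet0/1
 description inside (assumed)
 ip address 192.0.2.1 255.255.255.0
 ipv6 address 2001:db8:1::1/64
 ip access-group INSIDE-IN-V4 in
 ip access-group INSIDE-OUT-V4 out
 ipv6 traffic-filter INSIDE-IN-V6 in
 ipv6 traffic-filter INSIDE-OUT-V6 out
```

Two points are worth checking when you adapt this. First, IPv4 ACLs are bound with `ip access-group` while IPv6 ACLs use `ipv6 traffic-filter`; trying to apply one protocol's list to the other is rejected, which is the per-protocol rule in practice. Second, every list ends in `deny ... any any log`, so `show logging` and `show access-lists` (hit counters) tell you which rule dropped a packet; because that explicit deny also overrides the implicit Neighbor Discovery permits in IPv6 ACLs, the `nd-ns`/`nd-na` entries must be present or IPv6 on that interface stops working.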