Cisco Access Control List Guidelines
Just a quick post to remind myself and others of the following Cisco Access Control List guidelines that we should be aware of. I thought this would be good to post as a quick reference/lookup. It gives a basic rundown of how ACLs should be implemented as per Cisco CCNA Security.
- Ensure the last ACE that is processed has a ‘deny any’ or ‘deny any any’
- ACLs are processed top down; as soon as an ACE is matched, processing stops.
- Make sure the most specific ACEs are at the top of the list.
- One ACL per interface, per protocol, per direction.
- Any new ACEs added to an ACL are placed at the bottom by default, unless otherwise specified.
- Router-generated traffic is not filtered by outbound ACLs.
- Standard ACLs should be placed as close to the destination as possible.
- Extended ACLs should be placed as close to the source as possible.
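The ordering rules above are easy to get wrong silently, because IOS happily accepts an ACE that a broader entry above it already matches. The following is an added example, not from the original post: a small Python model of top-down, first-match ACL evaluation (with the implicit deny at the end) plus a lint that flags shadowed ACEs and a missing explicit final deny. It assumes a simplified extended-ACL syntax (IPv4, contiguous wildcard masks, an optional `eq <port>`), and the sample ACLs are constructed for the demonstration.

```python
import ipaddress
from collections import namedtuple

# One access control entry; dport None means "any destination port".
Ace = namedtuple("Ace", "action proto src dst dport")

def _net(rest):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (Cisco wildcard mask)."""
    tok = rest.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(rest.pop(0) + "/32")
    wild = rest.pop(0)  # contiguous wildcard only; ipaddress reads it as a host mask
    return ipaddress.IPv4Network(tok + ("/32" if wild == "0.0.0.0" else "/" + wild))

def parse_ace(line):
    """Parse one extended-ACL entry such as 'deny tcp host 10.1.1.5 any eq 23'."""
    tokens = line.split()
    rest = tokens[2:]
    src, dst = _net(rest), _net(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return Ace(tokens[0], tokens[1], src, dst, dport)

def evaluate(acl, proto, src_ip, dst_ip, dport=None):
    """Top-down, first match wins; no match falls through to the implicit deny."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for i, ace in enumerate(acl):
        if (ace.proto in ("ip", proto) and s in ace.src and d in ace.dst
                and ace.dport in (None, dport)):
            return ace.action, i   # (action, index of the ACE that matched)
    return "deny", None            # implicit deny at the end of every ACL

def lint(acl):
    """Flag ACEs shadowed by a broader earlier ACE and a missing explicit final deny."""
    findings = []
    for i, ace in enumerate(acl):
        for j, prev in enumerate(acl[:i]):
            if (prev.proto in ("ip", ace.proto) and ace.src.subnet_of(prev.src)
                    and ace.dst.subnet_of(prev.dst) and prev.dport in (None, ace.dport)):
                findings.append(f"ACE {i} is shadowed by broader ACE {j} and can never match")
                break
    if not acl or acl[-1].action != "deny" or acl[-1].src.prefixlen or acl[-1].dst.prefixlen:
        findings.append("last ACE is not an explicit 'deny ip any any'")
    return findings

# Constructed sample: the same intent ordered wrongly (BAD) and per the guidelines (GOOD).
BAD = [parse_ace("permit ip 10.1.1.0 0.0.0.255 any"), parse_ace("deny tcp host 10.1.1.5 any eq 23")]
GOOD = BAD[::-1] + [parse_ace("deny ip any any")]  # most specific ACE first, explicit final deny
```

Running `lint(BAD)` reports that the telnet block is shadowed by the broader permit above it, and `evaluate(BAD, "tcp", "10.1.1.5", "192.0.2.10", 23)` confirms the packet is permitted by ACE 0.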