Table of Contents
Advertisement
Configuring Network Security with ACLs
Information About Network Security with ACLs
Consider these guidelines and limitations before configuring named ACLs:
Not all commands that accept a numbered ACL accept a named ACL. ACLs for packet filters and route filters on
interfaces can use a name.
A standard ACL and an extended ACL cannot have the same name.
Numbered ACLs are also available, as described in the
When you are creating standard extended ACLs, remember that, by default, the end of the ACL contains an implicit deny
statement for everything if it did not find a match before reaching the end. For standard ACLs, if you omit the mask from
an associated IP host address access list specification, 0.0.0.0 is assumed to be the mask.
After you create an ACL, any additions are placed at the end of the list. You cannot selectively add ACL entries to a
specific ACL. However, you can use no permit and no deny access-list configuration mode commands to remove entries
from a named ACL. This example shows how you can delete individual ACEs from the named access list border-list:
Switch(config)# ip access-list extended border-list
Switch(config-ext-nacl)# no permit ip host 10.1.1.3 any
Being able to selectively remove lines from a named ACL is one reason you might use named ACLs instead of numbered
ACLs.
Time Ranges with ACLs
You can selectively apply extended ACLs based on the time of day and the week by using the time-range global
configuration command. First, define a time-range name and set the times and the dates or the days of the week in the
time range. Then enter the time-range name when applying an ACL to set restrictions to the access list. You can use the
time range to define when the permit or deny statements in the ACL are in effect, for example, during a specified time
period or on specified days of the week.
These are some of the many possible benefits of using time ranges:
You have more control over permitting or denying a user access to resources, such as an application (identified by
an IP address/mask pair and a port number).
You can control logging messages. ACL entries can be set to log traffic only at certain times of the day. Therefore,
you can simply deny access without needing to analyze many logs generated during peak hours.
Time-based access lists trigger CPU activity because the new configuration of the access list must be merged with other
features and the combined configuration loaded into the TCAM. For this reason, you should be careful not to have several
access lists configured to take affect in close succession (within a small number of minutes of each other.)
Note:
The time range relies on the switch system clock; therefore, you need a reliable clock source. We recommend that
you use Network Time Protocol (NTP) to synchronize the switch clock.
Comments in ACLs
You can use the remark keyword to include comments (remarks) about entries in any IP standard or extended ACL. The
remarks make the ACL easier for you to understand and scan. Each remark line is limited to 100 characters.
The remark can go before or after a permit or deny statement. You should be consistent about where you put the remark
so that it is clear which remark describes which permit or deny statement. For example, it would be confusing to have
some remarks before the associated permit or deny statements and some remarks after the associated statements.
To include a comment for IP numbered standard or extended ACLs, use the access-list access-list number remark
remark global configuration command. To remove the remark, use the no form of this command.
Creating a Numbered Standard ACL, page
551
554.
- Quick Links:
- Configuration Overview
Hide quick links:
Advertisement
Chapters
Table of Contents
Troubleshooting
