Thursday, July 18, 2013

Random ACL thoughts and things I want to remember

Some thoughts on ACLs, as well as some commands to review:

distribute-list <#> [in | out] - applies an ACL to a routing protocol so that specific networks are permitted or denied in the routes it accepts or propagates

Standard ACLs:  1-99, 1300-1999
Extended ACLs:  100-199, 2000-2699

A Cisco router removes the host inverse mask (0.0.0.0) from an ACL when doing a show running-config, because anything without a mask is assumed to be a host.

Apply standard ACLs on the interface closest to the destination.

An empty ACL allows all traffic.

When working on a router or firewall remotely, start with the reload in command to reload the device automatically in case an error is made and everyone is locked out. Then use reload cancel to remove the scheduled reload before the timer is up if everything is working correctly:

reload in 5
reload cancel


When configuring extended ACLs, be cautious about the source port and its placement. A port number entered directly after the source IP filters on that source port only. Leaving source port information off the ACL means all source ports are assumed.

Best practice is to apply extended ACLs on the interface closest to the source.  This is directly contrary to the best practice for standard ACLs.

(Standard near destination, Extended near source)

Use the established keyword to allow any packets with an ACK or RST through.  This is commonly applied on the Internet interface inbound to allow any sessions initiated from the LAN back through the router.

A named ACL can have a single line deleted without removing the entire ACL. One major difference from a numbered ACL is that the named list is created with the ip access-list command, so it must be prepended with the ip keyword.

A Cisco router creates entries in a named ACL starting at line number 10 and incrementing by 10.

ip access-list resequence renumbers the lines of a named ACL (starting number and increment), which lets you move an ACL line from one sequence number to another.
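A config fragment tying these notes together, added here as an example rather than taken from the post; the ACL name, interface and addresses are made up:

```cisco
! Safety net first: if the new ACL locks us out, the box reboots to its saved config
reload in 5
configure terminal
!
! Named extended ACL: note the "ip" keyword; IOS would number lines 10, 20, 30 on its own,
! explicit sequence numbers are used here so the single-line delete below is unambiguous
ip access-list extended OUTSIDE-IN
 remark Return traffic for sessions started on the LAN (ACK or RST set)
 10 permit tcp any any established
 remark Inbound mail to the DMZ mail server: destination port goes after the destination
 20 permit tcp any host 203.0.113.10 eq 25
 remark DNS replies: a port placed after the SOURCE address filters the source port
 30 permit udp any eq 53 192.0.2.0 0.0.0.255
 remark Explicit deny with logging so dropped traffic is visible in syslog
 40 deny ip any any log
!
! Extended ACL applied close to the source of the traffic, inbound on the Internet link
interface GigabitEthernet0/0
 description Internet uplink
 ip access-group OUTSIDE-IN in
!
! Remove one line of the named ACL without rebuilding it
ip access-list extended OUTSIDE-IN
 no 30
!
! Renumber the remaining entries starting at 100 in steps of 10
ip access-list resequence OUTSIDE-IN 100 10
end
!
! Verify the ACL and interface are still reachable, then cancel the scheduled reload and save
show ip access-lists OUTSIDE-IN
reload cancel
write memory
```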

More thoughts as they come to me...
