Some access control lists are comprised of multiple statements. That conserves bandwidth and additional processing required at each router hop from source to destination endpoints. Applying extended ACLs nearest to the source prevents traffic that should be filtered from traversing the network. They include source address, destination address, protocols and port numbers. Extended ACLs are granular (specific) and provide more filtering options. The extended ACL should be applied closest to the source. Applying the standard ACL near the destination is recommended to prevents possible over-filtering. As a result they can inadvertently filter traffic incorrectly. Standard ACLs are an older type and very general. There is a common number or name that assigns multiple statements to the same ACL. The standard ACL statement is comprised of a source IP address and wildcard mask. The network administrator should apply a standard ACL closest to the destination. There are some recommended best practices when creating and applying access control lists (ACL). Only one ACL can be applied inbound or outbound per interface per Layer 3 protocol.Maximum of two ACLs can be applied to a Cisco network interface.Order ACL with multiple statements from most specific to least specific.That would include for instance a single IP ACL applied inbound and single IP ACL applied outbound.Ĭisco best practices for creating and applying ACLs Only two ACLs are permitted on a Cisco interface per protocol. There are a variety of ACL types that are deployed based on requirements.
The purpose is to filter inbound or outbound packets on a selected network interface. Cisco ACLs are characterized by single or multiple permit/deny statements.