Cisco ACLs are characterized by single or multiple permit/deny statements. The purpose is to filter inbound or outbound packets on a selected network interface. There are a variety of ACL types that are deployed based on requirements. Only two ACLs are permitted on a Cisco interface per protocol: for instance, a single IP ACL applied inbound and a single IP ACL applied outbound.

Cisco best practices for creating and applying ACLs

- Order an ACL with multiple statements from most specific to least specific.
- A maximum of two ACLs can be applied to a Cisco network interface per Layer 3 protocol.
- Only one ACL can be applied inbound and one outbound per interface per Layer 3 protocol.

There are some recommended best practices when creating and applying access control lists (ACL). The network administrator should apply a standard ACL closest to the destination. A standard ACL statement is comprised of a source IP address and wildcard mask only. A common number or name assigns multiple statements to the same ACL. Standard ACLs are an older type and very general: because they match on the source address alone, they can inadvertently filter traffic that should have been allowed. Applying the standard ACL near the destination is recommended to prevent possible over-filtering. The extended ACL should be applied closest to the source. Extended ACLs are granular (specific) and provide more filtering options: source address, destination address, protocol and port numbers. Applying extended ACLs nearest to the source prevents traffic that should be filtered from traversing the network, which conserves bandwidth and the additional processing required at each router hop from source to destination endpoints.

Some access control lists are comprised of multiple statements, and the ordering of statements is key to ACL processing. The router starts from the top (first statement) and works down the list until a matching statement is found; the first match wins and no further statements are evaluated. The packet is dropped when no match exists, because every ACL ends with an implicit deny. Order all ACL statements from most specific to least specific. Placing a less specific statement first can cause a false match: the packet matches the general statement, so the match on the intended, more specific statement never occurs. A more specific ACL statement is characterized by source and destination addresses with wildcard masks that contain more zero bits (a wildcard of 0.0.0.0 pins a single host). That configures specific subnets or hosts to match. In addition, an application protocol or port number may also be specified.

access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 10.10.64.1 eq 23

The first ACL statement is more specific than the second ACL statement.

The dynamic ACL (Cisco lock-and-key) provides temporary access to the network for a remote user. The ACL configured defines the type of access permitted and the source IP address. In addition there is a timeout value that limits the amount of time for network access. The remote user signs on with a configured username and password.

Cisco access control lists (ACL) filter based on the IP address range configured with a wildcard mask. The wildcard mask is a technique for matching a specific IP address or a range of IP addresses. The wildcard mask is an inverted mask: a 0 bit means the corresponding bit of the packet address must match the configured address, and a 1 bit is a "don't care" bit for which no match is required. The wildcard 0.0.0.0 is used to match a single IP address. Each subnet has a range of host IP addresses that are assignable to network interfaces. ACL wildcards are configured to filter (permit/deny) based on an address range, which could include single hosts, a subnet or multiple subnets. There are classful and classless subnet masks along with their associated wildcard masks. Classful wildcard masks are based on the default mask for a specific address class (0.255.255.255 for Class A, 0.0.255.255 for Class B, 0.0.0.255 for Class C). Anytime a nondefault wildcard mask (or subnet mask) is applied to an address, it is classless addressing.
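The following is an added example, not code from the original page or from Cisco: a small Python model of wildcard-mask matching and top-down, first-match ACL evaluation with the implicit deny. It serves both the discussion of statement ordering and the wildcard-mask section above. The page's own `access-list 100 permit tcp ...` statement is reused; the less specific second statement (`GENERAL`), the packets, and the helper names (`wildcard_match`, `parse_entry`, `evaluate`, `is_classful_wildcard`) are constructed for this example and are not IOS syntax or behaviour beyond the matching rules the text describes.

```python
# Added example (not from the original page): Cisco-style wildcard-mask matching
# and first-match ACL evaluation, used to show why statement ordering matters.
# Every ACL line except the page's own "access-list 100 permit tcp ..." is constructed.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTOCOLS = ("ip", "tcp", "udp", "icmp")
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "domain": 53}  # subset of IOS port keywords
ANY = ("0.0.0.0", "255.255.255.255")  # "any": every wildcard bit is a don't-care bit


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(candidate: str, base: str, wildcard: str) -> bool:
    """Wildcard semantics: a 0 bit must match the base address, a 1 bit is
    "don't care".  So (candidate XOR base) must be zero wherever the wildcard
    is zero.  Non-contiguous wildcards (e.g. 0.0.254.255) work the same way."""
    care_bits = 0xFFFFFFFF ^ _to_int(wildcard)  # invert the wildcard -> bits that must match
    return (_to_int(candidate) ^ _to_int(base)) & care_bits == 0


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard mask for a /n prefix: the bitwise inverse of the subnet mask."""
    subnet_mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(subnet_mask ^ 0xFFFFFFFF))


def is_classful_wildcard(base: str, wildcard: str) -> bool:
    """True when the wildcard equals the default mask of the base address's
    class (A: /8, B: /16, C: /24); any other wildcard is classless."""
    first_octet = _to_int(base) >> 24
    if first_octet < 128:
        default_len = 8
    elif first_octet < 192:
        default_len = 16
    elif first_octet < 224:
        default_len = 24
    else:
        return False  # class D/E addresses have no default mask
    return wildcard == wildcard_from_prefix(default_len)


@dataclass
class Entry:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every protocol
    src: Tuple[str, str]   # (address, wildcard)
    dst: Tuple[str, str]
    port: Optional[int]    # destination port from "eq", if present


def _parse_addr(tokens: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """Consume one address spec (any | host A | A WILDCARD) starting at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_entry(line: str) -> Entry:
    """Parse a numbered access-list statement in standard or extended syntax."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list statement: {line!r}")
    action = t[2]
    if t[3] in PROTOCOLS:                      # extended: proto src dst [eq port]
        proto = t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        port = None
        if i < len(t) and t[i] == "eq":
            port = int(t[i + 1]) if t[i + 1].isdigit() else PORT_NAMES[t[i + 1]]
    else:                                      # standard: source address only
        proto, dst, port = "ip", ANY, None
        src, _ = _parse_addr(t, 3)
    return Entry(action, proto, src, dst, port)


def evaluate(acl: List[Entry], src: str, dst: str, proto: str = "tcp",
             port: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Top-down, first match wins.  Returns (action, index of matching statement);
    ('deny', None) is the implicit deny at the end of every ACL."""
    for idx, e in enumerate(acl):
        if e.proto != "ip" and e.proto != proto:
            continue
        if not (wildcard_match(src, *e.src) and wildcard_match(dst, *e.dst)):
            continue
        if e.port is not None and e.port != port:
            continue
        return e.action, idx
    return "deny", None


# The page's own statement, plus a constructed, less specific second statement.
SPECIFIC = "access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 10.10.64.1 eq 23"
GENERAL = "access-list 100 deny tcp 192.168.0.0 0.0.255.255 any"


def well_ordered() -> List[Entry]:
    """Most specific first: telnet from 192.168.1.0/24 to the host is permitted."""
    return [parse_entry(SPECIFIC), parse_entry(GENERAL)]


def badly_ordered() -> List[Entry]:
    """Least specific first: the deny shadows the permit, which never matches."""
    return [parse_entry(GENERAL), parse_entry(SPECIFIC)]


if __name__ == "__main__":
    pkt = ("192.168.1.25", "10.10.64.1", "tcp", 23)
    print("well ordered :", evaluate(well_ordered(), *pkt))
    print("badly ordered:", evaluate(badly_ordered(), *pkt))
    print("no match     :", evaluate(well_ordered(), "172.16.0.5", "10.10.64.1", "tcp", 23))
```

Running the block shows the three outcomes the text describes: with the specific statement first the telnet packet is permitted by statement 0; with the general deny first the same packet is denied by statement 0 and the permit is dead code; a source outside both ranges falls through to the implicit deny. `wildcard_match` also accepts non-contiguous wildcards such as `0.0.254.255` (odd third octets only), which is why the check is a bitwise XOR/AND rather than a prefix comparison.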