
How to Create ACLs – General Guidelines

Creating and configuring ACLs is not an easy task. Multiple policies may be required to create ACLs and to manage them. Suppose we have a router with two interfaces, both configured with IPv4 and IPv6.

If we require ACLs for both IPv4 and IPv6, on both interfaces and in both directions (inbound and outbound), each interface requires four ACLs: one IPv4 ACL inbound, one IPv4 ACL outbound, one IPv6 ACL inbound, and one IPv6 ACL outbound.

That is a total of eight separate ACLs. ACLs do not have to be configured in both the inbound and outbound directions; the number of ACLs and the direction in which they are applied to an interface generally depend on the requirements of the network. The general guidelines for using ACLs are the following:

  • Use an Access Control List (ACL) in routers positioned between an internal network and an external network, generally in a firewall router.
  • Use an Access Control List (ACL) on a router positioned between two parts of your network to control traffic entering or exiting a specific part.
  • We can also configure the Access Control List (ACL) on border routers positioned at the edges of the networks.
  • Configure an Access Control List (ACL) for each network protocol running on the border router interfaces.

The Three P’s

The three P’s are important in ACL guidelines. We can configure one ACL Per protocol, Per direction, Per interface:

  • One ACL per protocol – To control traffic flow on an interface, an ACL must be defined for each protocol enabled on the interface, for example, IP, IPX, AppleTalk.
  • One ACL per direction – An ACL controls traffic in only one direction at a time on an interface, so two separate ACLs must be configured to control inbound and outbound traffic.
  • One ACL per interface – An ACL controls traffic for a single interface, for example, GigabitEthernet 0/0 or FastEthernet 0/1.
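The following is an added example, not code from the original article: a small Python planner that applies the three P's rule to the dual-stack, two-interface router described above, renders the per-interface apply commands, and flags a change plan that binds two ACLs to the same interface/protocol/direction slot. The interface names, ACL names and the per-protocol apply command templates are assumptions made for illustration.

```python
# Added example (not from the original article): the "three P's" rule as code,
# one ACL per protocol, per direction, per interface. Interface names, ACL names
# and the apply-command templates below are assumptions for illustration.
from itertools import product

# IOS command that binds an ACL to an interface, keyed by protocol (assumed).
APPLY_CMD = {
    "ipv4": "ip access-group {acl} {direction}",
    "ipv6": "ipv6 traffic-filter {acl} {direction}",
}

def required_slots(interfaces, protocols, directions=("in", "out")):
    """Every (interface, protocol, direction) slot needs exactly one ACL."""
    return list(product(interfaces, protocols, directions))

def acl_name(interface, protocol, direction):
    """Descriptive, constructed ACL name, e.g. ACL-GI0-0-IPV4-IN."""
    return f"ACL-{interface.replace('/', '-').upper()}-{protocol.upper()}-{direction.upper()}"

def render_config(slots):
    """Render the interface stanzas that bind one ACL to each slot."""
    per_intf = {}
    for intf, proto, direction in slots:
        per_intf.setdefault(intf, []).append((proto, direction))
    lines = []
    for intf, pairs in per_intf.items():
        lines.append(f"interface {intf}")
        for proto, direction in pairs:
            cmd = APPLY_CMD[proto].format(acl=acl_name(intf, proto, direction), direction=direction)
            lines.append(f" {cmd}")
    return lines

def find_conflicts(planned):
    """planned: (interface, protocol, direction, acl) tuples from a change plan.
    Two different ACLs bound to one slot break the rule: the later apply command
    replaces the earlier one, so the first ACL silently stops filtering."""
    bound, conflicts = {}, []
    for intf, proto, direction, acl in planned:
        slot = (intf, proto, direction)
        if slot in bound and bound[slot] != acl:
            conflicts.append((slot, bound[slot], acl))
        bound[slot] = acl
    return conflicts

if __name__ == "__main__":
    slots = required_slots(["Gi0/0", "Gi0/1"], ["ipv4", "ipv6"])
    print(len(slots), "ACLs needed")  # 8, as the article computes
    print("\n".join(render_config(slots)))
    bad_plan = [("Gi0/0", "ipv4", "in", "ACL-GI0-0-IPV4-IN"),
                ("Gi0/0", "ipv4", "in", "BLOCK-TELNET")]  # second ACL in the same slot
    print(find_conflicts(bad_plan))
```

Dropping a direction or a protocol from `required_slots` shows how the count falls below eight when the network does not need filtering in both directions.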

Asad Ijaz
