You can use ACLs to provide packet filtering at the router level, and you can use them extensively at a firewall to protect your internal network from the outside world. This section outlines the different types of ACLs available to you and the rules (we prefer the word guidelines) for creating them. A wide variety of ACLs can be leveraged to provide additional layers of security on your network. We talk about a few types of access lists.
Standard
Standard ACLs filter traffic based on the source network only, so they are not as granular as extended ACLs. Standard IP access lists are numbered from 1 to 99.

Extended
Extended access lists are more granular and can filter based on source and destination IP addresses, TCP/UDP ports, and protocols. Extended access lists are numbered from 100 to 199.

You can apply ACLs in two directions:
Starting with IOS version 12.0(6)S and higher, you can compile access lists on certain Cisco routers. This concept is called Turbo ACLs. Turbo ACL compiles the access list into lookup tables, and packet headers are used to index these lookup tables in a small, fixed number of lookups. Note that this command was introduced with the high-end Cisco routers, namely the Cisco 7200 series.

Another way of securing Cisco routers is via context-based access control (CBAC). CBAC examines packets as they enter or leave the router's interfaces and determines which application protocols to allow. CBAC was introduced in version 12.0T.
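To make the standard-versus-extended distinction concrete, here is an added example (it is not part of the original text and is not Cisco IOS code): a small Python model of numbered ACLs that matches packets top-down, applies the implicit deny at the end of the list, and enforces that a list numbered 1 to 99 can only match on the source network while a list numbered 100 to 199 can also match on destination, protocol and port. The CIDR-style entry syntax, the `Packet` and `Entry` fields, and the sample addresses are simplifications chosen for the example; real IOS ACLs use wildcard masks and a richer grammar.

```python
"""Added example, not from the original text: a simplified model of Cisco-style
standard (1-99) and extended (100-199) numbered ACLs.  Syntax is an assumption."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    src: str            # source IPv4 address
    dst: str            # destination IPv4 address
    proto: str          # "tcp", "udp" or "icmp"
    dport: Optional[int] = None   # destination port for tcp/udp


@dataclass
class Entry:
    action: str                   # "permit" or "deny"
    src: str                      # source network in CIDR; "0.0.0.0/0" means any
    dst: str = "0.0.0.0/0"        # extended lists only
    proto: str = "ip"             # extended lists only; "ip" matches any protocol
    dport: Optional[int] = None   # extended lists only; None matches any port


class AccessList:
    """Ordered list of entries; first match wins, unmatched traffic is denied."""

    def __init__(self, number: int) -> None:
        if 1 <= number <= 99:
            self.kind = "standard"
        elif 100 <= number <= 199:
            self.kind = "extended"
        else:
            raise ValueError("only the numbered ranges 1-99 and 100-199 are modelled")
        self.number = number
        self.entries: list[Entry] = []

    def add(self, entry: Entry) -> None:
        # A standard list has no destination/protocol/port fields to match on.
        if self.kind == "standard" and (
            entry.dst != "0.0.0.0/0" or entry.proto != "ip" or entry.dport is not None
        ):
            raise ValueError("standard ACLs match on the source network only")
        self.entries.append(entry)

    def _matches(self, e: Entry, p: Packet) -> bool:
        if ip_address(p.src) not in ip_network(e.src, strict=False):
            return False
        if self.kind == "standard":
            return True             # source network is the only criterion
        if ip_address(p.dst) not in ip_network(e.dst, strict=False):
            return False
        if e.proto != "ip" and e.proto != p.proto:
            return False
        if e.dport is not None and e.dport != p.dport:
            return False
        return True

    def evaluate(self, p: Packet) -> str:
        for e in self.entries:      # entries are checked in order, top down
            if self._matches(e, p):
                return e.action
        return "deny"               # implicit deny at the end of every ACL


def demo() -> dict:
    """Constructed scenario: an inside /16 talking to one server (RFC 5737 addresses)."""
    std = AccessList(10)
    std.add(Entry("permit", "10.1.0.0/16"))

    ext = AccessList(101)
    ext.add(Entry("permit", "10.1.0.0/16", "192.0.2.10/32", "tcp", 443))  # HTTPS only
    ext.add(Entry("deny", "10.1.0.0/16", "192.0.2.10/32", "tcp"))         # other TCP to server
    ext.add(Entry("permit", "10.1.0.0/16"))                               # everything else

    web = Packet("10.1.5.5", "192.0.2.10", "tcp", 443)
    ssh = Packet("10.1.5.5", "192.0.2.10", "tcp", 22)
    dns = Packet("10.1.5.5", "192.0.2.53", "udp", 53)
    outsider = Packet("203.0.113.9", "192.0.2.10", "tcp", 443)

    return {
        "std_web": std.evaluate(web),            # permit
        "std_ssh": std.evaluate(ssh),            # permit: standard cannot see the port
        "std_outsider": std.evaluate(outsider),  # deny via implicit deny
        "ext_web": ext.evaluate(web),            # permit: explicit HTTPS entry
        "ext_ssh": ext.evaluate(ssh),            # deny: second entry catches other TCP
        "ext_dns": ext.evaluate(dns),            # permit: falls through to last entry
        "ext_outsider": ext.evaluate(outsider),  # deny via implicit deny
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The point the two lists make is visible in `std_ssh` versus `ext_ssh`: the standard list permits SSH to the server because it only knows the source network, whereas the extended list can deny it while still allowing HTTPS. Entry order matters as well; swapping the first two extended entries would deny HTTPS too, which is the most common mistake when editing a numbered list.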