214 Chapter 6: Managing Traffic with Access Control Lists

Follow these general principles to ensure that the ACLs you create have the intended results:

- Based on the test conditions, choose a standard or extended, numbered, or named ACL.
- Only one ACL per protocol, per direction, and per interface is allowed. Multiple ACLs are permitted per interface, but each must be for a different protocol or a different direction.
- Your ACL should be organized to enable processing from the top down. Organize your ACL so that the more specific references to a network or subnet appear before ones that are more general. Place conditions that occur more frequently before conditions that occur less frequently.
- Your ACL contains an implicit deny any statement at the end:
  - Unless you end your ACL with an explicit permit any statement, by default, the ACL denies all traffic that fails to match any of the ACL lines.
  - Every ACL should have at least one permit statement. Otherwise, all traffic is denied.
- You should create the ACL before applying it to an interface. With most versions of Cisco IOS Software, an interface that has an empty ACL applied to it permits all traffic.
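The top-down, first-match rule and the implicit deny any described above, as an added Python simulation that is not from the book: it parses IOS standard ACL lines, evaluates a source address against them, and flags entries that an earlier, more general entry shadows. The ACL numbers and addresses are constructed samples.

```python
import ipaddress

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def parse_standard_acl(lines):
    """Parse IOS standard ACL lines into ordered (action, base, wildcard)."""
    entries = []
    for line in lines:
        tok = line.split()          # access-list N permit|deny <target>
        if tok[3] == "any":
            base, wc = 0, 0xFFFFFFFF
        elif tok[3] == "host":
            base, wc = _ip(tok[4]), 0
        else:                       # address followed by wildcard mask
            base, wc = _ip(tok[3]), _ip(tok[4])
        entries.append((tok[2], base, wc))
    return entries

def matches(src, base, wc):
    # Cisco wildcard semantics: 1-bits in the wildcard are "don't care".
    return (_ip(src) & ~wc) == (base & ~wc)

def evaluate(acl, src):
    """Top-down, first match wins, implicit 'deny any' at the end.
    An empty ACL permits everything (the IOS behaviour the text notes)."""
    if not acl:
        return "permit"
    for action, base, wc in acl:
        if matches(src, base, wc):
            return action
    return "deny"

def shadowed(acl):
    """Indexes of entries that an earlier, more general entry makes unreachable."""
    out = []
    for j, (_, bj, wj) in enumerate(acl):
        # i covers j when i ignores every bit j ignores and the bits i
        # fixes agree with j's address.
        if any((wj & ~wi) == 0 and (bi & ~wi) == (bj & ~wi)
               for _, bi, wi in acl[:j]):
            out.append(j)
    return out

# Constructed samples (not from the book): GOOD puts the specific deny
# first; BAD reverses the two lines so the deny can never match.
GOOD = parse_standard_acl(["access-list 10 deny host 192.168.1.5",
                           "access-list 10 permit 192.168.1.0 0.0.0.255"])
BAD = parse_standard_acl(["access-list 10 permit 192.168.1.0 0.0.0.255",
                          "access-list 10 deny host 192.168.1.5"])
```

Running `shadowed(BAD)` reports the second entry as unreachable, while `evaluate(GOOD, ...)` denies the single host and still drops any address outside the subnet through the implicit deny.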