Note
A noninitial fragment carries only Layer 3 information (IP header) and no Layer 4 header, even though the ACL
entry it is compared against may specify both Layer 3 and Layer 4 conditions.
Note
Figure 2-4 is taken from the Cisco documentation URL listed here. For more details on ACLs and IP
fragments, visit http://www.cisco.com/warp/public/105/acl_wp.html.
Guidelines for Implementing ACLs
Following are some general guidelines to consider when implementing ACLs:
ACLs can be applied to multiple interfaces on a device.
Only one ACL is allowed per protocol per interface per direction. This means that you can have two ACLs
per interface for a given protocol: one inbound and one outbound.
ACLs are processed from the top down and the first matching entry decides the packet's fate. The order
of the access-list entries therefore needs to be planned carefully: more specific entries must appear before
the broader entries that would otherwise match the same traffic, or they will never be reached.
When entering the ACL, the router appends each new access control entry (ACE) at the bottom. In newer
IOS versions that support sequence numbers, it is possible to insert an ACE between existing entries by
giving it a sequence number that falls between theirs.
There is an "implicit deny" at the end of every ACL for traffic that no entry permits. A single-entry ACL
with only one deny statement therefore denies all traffic. An ACL must have at least one permit statement;
otherwise, all traffic is blocked.
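The following Python model is an added example, not code from the book or from Cisco. It models how an IOS extended ACL is evaluated: top-down first match, the implicit deny at the end, insertion of an ACE by sequence number, and the noninitial-fragment case from the Note above (the rule that an ACE with Layer 4 conditions permits a matching noninitial fragment but a deny falls through to the next ACE follows the Cisco "ACLs and IP Fragments" document linked above; the `fragments` keyword is IOS's own). The ACL, hosts and packets are constructed for illustration, and a `shadowed()` check flags entries that an earlier entry makes unreachable.

```python
"""Model of Cisco IOS extended-ACL evaluation (added example, not IOS code)."""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class ACE:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" (any protocol), "tcp", "udp", "icmp"
    src: str                         # CIDR, e.g. "10.1.1.0/24"; "0.0.0.0/0" = any
    dst: str
    dst_port: Optional[int] = None   # Layer 4 condition; None means an L3-only ACE
    fragments: bool = False          # IOS "fragments" keyword: noninitial fragments only
    seq: Optional[int] = None        # sequence number; None = append at the bottom


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dst_port: Optional[int] = None
    noninitial: bool = False         # fragment offset > 0: no Layer 4 header present


def l3_match(ace: ACE, pkt: Packet) -> bool:
    """Layer 3 part of an ACE: protocol and source/destination networks."""
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(ace.src, strict=False)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(ace.dst, strict=False))


def evaluate(acl: List[ACE], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Top-down first match. Returns (action, seq); seq None is the implicit deny."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if not l3_match(ace, pkt):
            continue
        if ace.fragments:                       # matches noninitial fragments only
            if pkt.noninitial:
                return ace.action, ace.seq
            continue
        if ace.dst_port is None:                # L3-only ACE applies to every packet
            return ace.action, ace.seq
        if pkt.noninitial:                      # L3 matched, but there is no L4 header
            if ace.action == "permit":          # permit applies on the L3 match alone
                return ace.action, ace.seq
            continue                            # deny with L4 info: go to the next ACE
        if pkt.dst_port == ace.dst_port:
            return ace.action, ace.seq
    return "deny", None                         # implicit deny at the end of the list


def add_ace(acl: List[ACE], ace: ACE) -> List[ACE]:
    """Append (next multiple of 10) or insert at ace.seq; duplicate seq is rejected."""
    if ace.seq is None:
        ace = replace(ace, seq=max([a.seq for a in acl], default=0) + 10)
    if any(a.seq == ace.seq for a in acl):
        raise ValueError(f"sequence number {ace.seq} already in use")
    return acl + [ace]


def shadowed(acl: List[ACE]) -> List[int]:
    """Sequence numbers of ACEs that an earlier ACE fully covers, so they never match."""
    out = []
    ordered = sorted(acl, key=lambda a: a.seq)
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if earlier.fragments:
                continue
            proto_ok = earlier.proto in ("ip", later.proto)
            net_ok = (ipaddress.ip_network(later.src, strict=False).subnet_of(
                          ipaddress.ip_network(earlier.src, strict=False))
                      and ipaddress.ip_network(later.dst, strict=False).subnet_of(
                          ipaddress.ip_network(earlier.dst, strict=False)))
            # An earlier deny with L4 info lets noninitial fragments through, so it
            # does not fully cover a later entry; an earlier L3-only entry does.
            port_ok = earlier.dst_port is None or (
                earlier.dst_port == later.dst_port and earlier.action == "permit")
            if proto_ok and net_ok and port_ok:
                out.append(later.seq)
                break
    return out


# Constructed example: block Telnet from one host, then permit the rest of its subnet.
ACL_101 = [
    ACE("deny", "tcp", "10.1.1.5/32", "0.0.0.0/0", dst_port=23, seq=10),
    ACE("permit", "ip", "10.1.1.0/24", "0.0.0.0/0", seq=20),
]
# Same entries in the wrong order: the broad permit shadows the specific deny.
ACL_WRONG = [
    ACE("permit", "ip", "10.1.1.0/24", "0.0.0.0/0", seq=10),
    ACE("deny", "tcp", "10.1.1.5/32", "0.0.0.0/0", dst_port=23, seq=20),
]
# Hardened: a "fragments" entry inserted at seq 5 denies noninitial fragments from the
# host that the L4 deny at seq 10 would otherwise let fall through to the permit at 20.
ACL_HARDENED = add_ace(ACL_101, ACE("deny", "ip", "10.1.1.5/32", "0.0.0.0/0",
                                    fragments=True, seq=5))

TELNET = Packet("tcp", "10.1.1.5", "192.0.2.10", dst_port=23)
FRAGMENT = Packet("tcp", "10.1.1.5", "192.0.2.10", noninitial=True)
OUTSIDER = Packet("udp", "192.168.1.1", "192.0.2.10", dst_port=53)

if __name__ == "__main__":
    for name, acl in (("ACL_101", ACL_101), ("ACL_WRONG", ACL_WRONG), ("ACL_HARDENED", ACL_HARDENED)):
        print(name, "telnet:", evaluate(acl, TELNET), "fragment:", evaluate(acl, FRAGMENT),
              "outsider:", evaluate(acl, OUTSIDER), "shadowed:", shadowed(acl))
```

Running the block shows the three points at once: the outsider hits the implicit deny (`seq None`) in every list; in `ACL_WRONG` the deny at seq 20 is reported as shadowed and the Telnet packet is permitted at seq 10; and in `ACL_101` a noninitial fragment from the blocked host is permitted at seq 20 because the deny at seq 10 cannot compare a port that the fragment does not carry, which is what the inserted `fragments` entry in `ACL_HARDENED` closes.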