A transit ACL is developed using the following guidelines:
- Using antispoofing protection based on best practices from the following three RFCs:
  - RFC 1918: Private address space not routable on the Internet
  - RFC 3330: Special-use addresses that might require filtering
  - RFC 2827: Antispoofing guidelines
- Explicitly permitting return traffic for all connections originating from the internal network to the Internet
- Explicitly permitting externally sourced traffic that originates on the external network and is destined for the protected internal network
- Explicitly using a deny statement toward the end of the ACL
Visit the Cisco documentation URL shown in the Tip that follows for an example of a transit ACL.
Tip
For further details on transit ACLs and basic configuration templates, refer to
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml
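A constructed transit ACL that applies the guidelines above, in the order they are listed; this is an added example, not the Cisco template linked in the Tip. The protected block 203.0.113.0/24, the server addresses, the published services and the interface name are placeholders chosen for illustration.

```cisco
! Constructed example: 203.0.113.0/24 stands in for the protected internal block
ip access-list extended TRANSIT-ACL
 remark --- Antispoofing (RFC 1918): private space is never a valid source from the Internet
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 remark --- Antispoofing (RFC 3330): special-use space
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 192.0.2.0 0.0.0.255 any
 deny   ip 224.0.0.0 15.255.255.255 any
 deny   ip 240.0.0.0 15.255.255.255 any
 remark --- Antispoofing (RFC 2827): our own prefix cannot arrive as a source from outside
 deny   ip 203.0.113.0 0.0.0.255 any
 remark --- Return traffic for TCP sessions initiated from the inside (ACK or RST set)
 permit tcp any 203.0.113.0 0.0.0.255 established
 remark --- Externally sourced traffic to published services in the protected zone
 permit tcp any host 203.0.113.10 eq 80
 permit tcp any host 203.0.113.10 eq 443
 permit udp any host 203.0.113.20 eq 53
 remark --- Explicit deny at the end, logged so spoofed and unexpected traffic is visible
 deny   ip any any log
!
interface GigabitEthernet0/0
 description Internet-facing link (placeholder interface)
 ip access-group TRANSIT-ACL in
```

The established keyword matches only TCP replies; return traffic for UDP or ICMP sessions needs its own permit entries or a stateful mechanism such as reflexive ACLs, which the guidelines above leave to the operator.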
Classification ACLs
Another common type of ACL is the classification ACL, also commonly known as a characterization ACL. It is initially
composed entirely of permit statements for the various protocols, ports, flags, and so on that could be sent to any
of these three destinations: an infrastructure device, a public server in the protected zone, or any other device
in the network.