
ACL Concepts

Chapter Description

In this sample chapter from Enterprise Networking, Security, and Automation Companion Guide (CCNAv7) for Cisco Networking Academy students, you will explore differences between standard and extended IPv4 ACLs.

Guidelines for ACL Creation (4.3)

This section provides guidelines for creating ACLs.

Limited Number of ACLs per Interface (4.3.1)

In a previous section, you learned how wildcard masks are used in ACLs. This section discusses guidelines for ACL creation. There is a limit on the number of ACLs that can be applied on a router interface. For example, a dual-stacked (that is, IPv4 and IPv6) router interface can have up to four ACLs applied, as shown in Figure 4-3.


Figure 4-3 ACLs Limited on Interfaces

Specifically, a dual-stacked router interface can have

  • One outbound IPv4 ACL

  • One inbound IPv4 ACL

  • One inbound IPv6 ACL

  • One outbound IPv6 ACL

Say that R1 has two dual-stacked interfaces that need to have inbound and outbound IPv4 and IPv6 ACLs applied. As shown in Figure 4-4, R1 could have up to 8 ACLs configured and applied to interfaces.


Figure 4-4 ACLs Limit Example

In this case, each interface would have four ACLs: two ACLs for IPv4 and two ACLs for IPv6. For each protocol, one ACL is for inbound traffic and one for outbound traffic.

ACL Best Practices (4.3.2)

Using ACLs requires attention to detail and great care. Mistakes can be costly in terms of downtime, troubleshooting efforts, and network service. Basic planning is required before configuring an ACL.

Table 4-10 presents some ACL best practices.

Table 4-10 Guidelines for ACLs

| Guideline | Benefit |
| --- | --- |
| Base ACLs on the organization’s security policies. | This will ensure that you implement organizational security guidelines. |
| Write out what you want an ACL to do. | This will help you avoid inadvertently creating potential access problems. |
| Use a text editor to create, edit, and save all your ACLs. | This will help you create a library of reusable ACLs. |
| Document ACLs by using the remark command. | This will help you (and others) understand the purpose of an ACE. |
| Test ACLs on a development network before implementing them on a production network. | This will help you avoid costly errors. |
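The following added example (not from the book; the ACL names, interface, and addresses are constructed) lints an IOS configuration drafted in a text editor against two points above: the limit of one ACL per protocol per direction on an interface (4.3.1) and the remark guideline in Table 4-10. It assumes named ACLs and the IOS interface commands `ip access-group` and `ipv6 traffic-filter`.

```python
import re
from collections import defaultdict

# Constructed sample draft (hypothetical names and addresses), as saved in a text editor.
DRAFT = """\
ip access-list extended WEB-IN
 remark Permit HTTPS from the user LAN to the web server
 permit tcp 192.168.10.0 0.0.0.255 host 192.168.20.5 eq 443
ip access-list standard MGMT-OUT
 permit 192.168.99.0 0.0.0.255
ipv6 access-list V6-IN
 remark Permit HTTPS from the user LAN over IPv6
 permit tcp 2001:db8:10::/64 any eq 443
interface GigabitEthernet0/0/0
 ip access-group WEB-IN in
 ip access-group MGMT-OUT in
 ip access-group MGMT-OUT out
 ipv6 traffic-filter V6-IN in
"""

ACL_DEF = re.compile(r"^(?:ip access-list (?:standard|extended)|ipv6 access-list) (\S+)")
APPLY = re.compile(r"^\s+(ip access-group|ipv6 traffic-filter) (\S+) (in|out)\b")

def lint(config):
    """Return (slot_conflicts, undocumented_acls) for a drafted IOS config."""
    slots = defaultdict(list)   # (interface, protocol, direction) -> ACL names applied
    has_remark = {}             # ACL name -> True once a remark line is seen
    iface = acl = None
    for line in config.splitlines():
        if m := ACL_DEF.match(line):
            acl, iface = m.group(1), None
            has_remark[acl] = False
        elif line.startswith("interface "):
            iface, acl = line.split()[1], None
        elif acl and line.strip().startswith("remark "):
            has_remark[acl] = True
        elif iface and (m := APPLY.match(line)):
            proto = "ipv4" if m.group(1) == "ip access-group" else "ipv6"
            slots[(iface, proto, m.group(3))].append(m.group(2))
    # Each (interface, protocol, direction) slot holds one ACL; more than one is a draft error.
    conflicts = {k: v for k, v in slots.items() if len(v) > 1}
    undocumented = sorted(name for name, ok in has_remark.items() if not ok)
    return conflicts, undocumented

if __name__ == "__main__":
    conflicts, undocumented = lint(DRAFT)
    for (iface, proto, direction), names in conflicts.items():
        print(f"{iface}: {len(names)} {proto} ACLs applied {direction}: {names}")
    for name in undocumented:
        print(f"ACL {name} has no remark")
```

Running the check on a draft before it reaches a development network catches the case where two ACLs are assigned to the same inbound IPv4 slot, which the interface cannot hold at the same time.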
