Cisco Support Community
Community Member

ACL best practices

What are the best practices when dealing with ACLs?

For example, if I have network and in here the only outbound traffic these hosts need to reach is any destination at port 8584, then will only 1 ACL applied in the IN direction suffice?

What about a second ACL applied in the OUT direction? Will this be needed? The servers on the networks need to be protected, and they only expect outside hosts initiating connections destined to port 4999 on a host

What is the best approach possible to a situation like this? Security is the number one concern, and we assume that hackers will be testing this heavily.


Re: ACL best practices

It depends. What device(s) are you using? If there is high risk associated with this, you may also want to limit tcp connections, use CoPP, etc. Does the host ever initiate communications eg updates, NTP, authentication, etc?

Community Member

Re: ACL best practices

lol, there is a concern but at least not that heavy to support the implementation of CoPP.

It is an 1800 series router. The hosts only initiate connections to one or 2 ports, and host takes connections at port 4999.

With these requirements, I'd suspect an IN ACL will be applied to the interface and this ACL will only allow the internal hosts to reach ANY destination at only 2 ports.

But what about for connections destined (in other words, initiated on the outside) to these hosts, especially host How will that be protected?

Re: ACL best practices

Use an inbound ACL on the outside interface of the 1800 to protect your internal hosts. Permit only the traffic you need, deny the rest.

If security is the primary concern put a stateful firewall in the path.

Community Member

Re: ACL best practices

Although it is an IOS router, what's the closest we can configure it to a stateful firewall? By enabling the inspection engines?

Re: ACL best practices

You probably won't need to use the stateful firewall. Let's use some examples-

access-list 100 permit tcp any host eq 4999

access-list 101 permit tcp any any eq 8584

Let's assume that port FastEthernet0/0 is on the network and FastEthernet0/1 is the "outside".

interface FastEthernet0/0
 ip access-group 101 in

interface FastEthernet0/1
 ip access-group 100 in

This applies the ACL to the interface in the IN direction. This means traffic that enters the interface from the local connection.

We could also do this-

interface FastEthernet0/0
 ip access-group 100 out

interface FastEthernet0/1
 ip access-group 101 out

This applies the ACL to the interface in the OUT direction. This means traffic that enters through the router and goes out to the local connection.

The fundamental purpose here (and this applies to configuring the inspection engine as well) is: if your router has multiple interfaces, where do you want to apply restriction/inspection? Let's say you have 4 interfaces on a router; we'll call them inside, outside, dmz1 and dmz2. If we want to restrict traffic from the outside to the interfaces, would it make sense to block OUT at inside, dmz1, and dmz2? Not really, because we can block everything at one interface, the outside interface. The same goes for outbound traffic. In this case inspection makes it clearer. We want to inspect all traffic leaving the router. You have two options: create an inspection rule for the inside interface, another for dmz1, and another for dmz2. What you should do is create 1 inspection rule and apply it to the outside interface. These are not hard and fast rules; either option will work and may vary depending on your situation. One is a cleaner, less resource intensive configuration. Remember the old rule: restrict traffic as close to the source as possible.
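To make the IN/OUT placement concrete, here is an added Python model (not code from the thread or from Cisco) of a stateless IOS-style extended ACL with the implicit deny at its end, evaluated for both placements shown above; the protected host address 10.0.0.10, the interface names and the sample packets are constructed placeholders. It also checks the reply packets of the internal hosts' outbound session, which the stateless ACL on the outside interface only passes once an `established` entry (or inspection) is added.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# ack = TCP ACK/RST bit set, which is what the 'established' keyword tests
Packet = namedtuple("Packet", "proto src sport dst dport ack", defaults=(False,))

def _in(addr, spec):
    return spec == "any" or ip_address(addr) in ip_network(spec)

# ACE = (action, proto, src, dst, dport or None, established)
def acl_permits(acl, pkt):
    """Top-down, first match wins; implicit 'deny ip any any' if nothing matches."""
    for action, proto, src, dst, dport, established in acl:
        if proto not in ("ip", pkt.proto) or not (_in(pkt.src, src) and _in(pkt.dst, dst)):
            continue
        if (dport is not None and pkt.dport != dport) or (established and not pkt.ack):
            continue
        return action == "permit"
    return False

def forwarded(bindings, ingress, egress, pkt):
    """bindings maps (interface, 'in'|'out') -> ACL; the ingress interface's
    inbound ACL is checked first, then the egress interface's outbound ACL."""
    for key in ((ingress, "in"), (egress, "out")):
        if key in bindings and not acl_permits(bindings[key], pkt):
            return False
    return True

HOST = "10.0.0.10/32"  # constructed placeholder for the host address elided in the thread
ACL_100 = [("permit", "tcp", "any", HOST, 4999, False)]
ACL_101 = [("permit", "tcp", "any", "any", 8584, False)]
ACL_100_EST = ACL_100 + [("permit", "tcp", "any", "any", None, True)]  # admits replies
# Fa0/0 = inside, Fa0/1 = outside; the two placements shown in the post
PLACEMENT_IN = {("Fa0/0", "in"): ACL_101, ("Fa0/1", "in"): ACL_100}
PLACEMENT_OUT = {("Fa0/0", "out"): ACL_100, ("Fa0/1", "out"): ACL_101}

# Constructed sample traffic: one outbound session plus two inbound attempts
OUT_SYN = Packet("tcp", "10.0.0.20", 51000, "203.0.113.5", 8584)
OUT_REPLY = Packet("tcp", "203.0.113.5", 8584, "10.0.0.20", 51000, ack=True)
IN_4999 = Packet("tcp", "198.51.100.7", 40000, "10.0.0.10", 4999)
IN_22 = Packet("tcp", "198.51.100.7", 40001, "10.0.0.10", 22)

def verdicts(bindings):
    """Forward/drop verdict per sample packet; outside traffic enters on Fa0/1."""
    return {"outbound_syn": forwarded(bindings, "Fa0/0", "Fa0/1", OUT_SYN),
            "outbound_reply": forwarded(bindings, "Fa0/1", "Fa0/0", OUT_REPLY),
            "inbound_4999": forwarded(bindings, "Fa0/1", "Fa0/0", IN_4999),
            "inbound_22": forwarded(bindings, "Fa0/1", "Fa0/0", IN_22)}
```

Both placements give identical verdicts, and the unsolicited connection to port 22 is dropped in each; the SYN/ACK of the internal hosts' own session is dropped too until ACL_100_EST replaces ACL_100 on the outside interface.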

Community Member

Re: ACL best practices

Thank you very much for the answer.

Which one do you mean is cleaner and less resource intensive? I assume the ACL, right? Can you confirm?

Enabling the inspection engines on IOS has given me some problems in the past, so this is the reason I assume that enabling them is more CPU intensive for the router. Let me know.


Re: ACL best practices

It's cleaner, meaning it's standard practice. It's less resource intensive because the router blocks unwanted packets before routing/inspecting/NBAR/etc.
