Then enter extended or standard:

rt1(config)#ip access-list extended ?
  <100-199>  Extended IP access-list number
  WORD       Access-list name

The name used is named_ACL:

rt1(config)#ip access-list extended named_ACL
rt1(config-ext-nacl)#

rt1(config-ext-nacl)#?
Ext Access List configuration commands:
  default   Set a command to its defaults
  deny      Specify packets to reject
  dynamic   Specify a DYNAMIC list of PERMITs or DENYs
  evaluate  Evaluate an access list
  exit      Exit from access-list configuration mode
  no        Negate a command or set its defaults
  permit    Specify packets to forward
  remark    Access list entry comment

From this point the ACL will work like any other extended ACL.

11.2.4 Placing ACLs

ACLs control traffic by filtering packets and eliminating unwanted traffic on a network. Another important consideration when ACLs are implemented is where the access list is placed. The ACL should be placed where it has the greatest effect on efficiency, so that denied traffic is dropped before it consumes bandwidth and router resources on its way across the network. The general rule is to put extended ACLs as close as possible to the source of the traffic that is denied: because an extended ACL tests both the source and the destination (and optionally the protocol and port), it can be applied near the source without also dropping that source's legitimate traffic to other destinations. Standard ACLs test only the source address, so a standard ACL applied near the source would block that source's traffic to every destination; they should therefore be placed as close to the destination as possible. For example, a standard ACL should be placed on Fa0/0 of Router D to prevent traffic from Router A.

Administrators can only place access lists on devices that they control.

A standard ACL should be placed close to the destination. First, have the students decide which router is closest to the destination and then pick which interface on that router is closest to the destination. An ACL can be applied to any interface, but applying it to the wrong interface can have unintended results, such as blocking traffic that should be permitted or filtering nothing at all. The extended ACL should be placed closest to the source. Have the students decide which router is closest and then choose the correct interface. The in or out direction given when the ACL is applied to the interface also needs to be correct or the ACL will not work. Students commonly forget to apply the ACL to an interface or filter in the wrong direction.
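The named-ACL entries configured above and the placement rule of 11.2.4, as an added example that is not code from the Cisco manual: a small Python model that parses permit/deny entries in the syntax typed under (config-std-nacl) and (config-ext-nacl), evaluates packets top-down with first-match semantics and the implicit deny, and compares what a standard and an extended ACL block when applied at a source-side versus a destination-side interface. The four-router chain A-B-C-D, the addresses, the interface names and the two sample flows are constructed assumptions, not the topology from the manual's figure, and the parser understands only a numeric destination port after eq.

```python
"""Toy model of IOS-style IP access lists (added example, not Cisco code):
parse permit/deny entries with wildcard masks, evaluate packets first-match
with the implicit deny, and compare ACL placement on a constructed topology."""
import ipaddress
from collections import namedtuple
from typing import Dict, List, Optional, Tuple

Entry = namedtuple("Entry", "action proto src src_wc dst dst_wc dst_port")
Packet = namedtuple("Packet", "src dst proto dst_port")
Hop = namedtuple("Hop", "router iface direction")  # direction is "in" or "out"


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit means 'don't care' (the inverse of a subnet mask)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


def _address(tokens: List[str]) -> Tuple[str, str]:
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D [WILDCARD]'."""
    t = tokens.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":
        return tokens.pop(0), "0.0.0.0"
    if tokens and tokens[0].count(".") == 3:  # an explicit wildcard follows
        return t, tokens.pop(0)
    return t, "0.0.0.0"  # bare address (standard ACL shorthand) means one host


def parse_entry(line: str, extended: bool) -> Entry:
    """Parse one entry as typed under (config-std-nacl) or (config-ext-nacl).
    Simplification (assumption): only a numeric destination 'eq PORT' is understood."""
    tokens = line.split()
    action = tokens.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError("entry must start with permit or deny: " + line)
    if not extended:  # a standard ACL tests the source address only
        src, src_wc = _address(tokens)
        return Entry(action, "ip", src, src_wc, "0.0.0.0", "255.255.255.255", None)
    proto = tokens.pop(0)
    src, src_wc = _address(tokens)
    dst, dst_wc = _address(tokens)
    port = int(tokens[1]) if tokens[:1] == ["eq"] else None
    return Entry(action, proto, src, src_wc, dst, dst_wc, port)


def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """Top-down, first match wins; a packet matching no entry is denied."""
    for e in acl:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not wildcard_match(pkt.src, e.src, e.src_wc):
            continue
        if not wildcard_match(pkt.dst, e.dst, e.dst_wc):
            continue
        if e.dst_port is not None and e.dst_port != pkt.dst_port:
            continue
        return e.action
    return "deny"  # the implicit deny at the end of every ACL


# Constructed topology (an assumption, not the manual's figure): routers A-B-C-D
# in a chain over serial links. Host 192.168.1.10 is on A's Fa0/0, 192.168.2.0/24
# is on B's Fa0/0 and 192.168.4.0/24 is on D's Fa0/0.
PATH_A_TO_D = [Hop("A", "Fa0/0", "in"), Hop("A", "S0/0", "out"),
               Hop("B", "S0/0", "in"), Hop("B", "S0/1", "out"),
               Hop("C", "S0/0", "in"), Hop("C", "S0/1", "out"),
               Hop("D", "S0/0", "in"), Hop("D", "Fa0/0", "out")]
PATH_A_TO_B = [Hop("A", "Fa0/0", "in"), Hop("A", "S0/0", "out"),
               Hop("B", "S0/0", "in"), Hop("B", "Fa0/0", "out")]
FLOWS = {  # constructed sample traffic from the host on A's LAN
    "telnet to D's LAN": (PATH_A_TO_D, Packet("192.168.1.10", "192.168.4.20", "tcp", 23)),
    "web to B's LAN": (PATH_A_TO_B, Packet("192.168.1.10", "192.168.2.20", "tcp", 80)),
}

# Goal: stop only that host's telnet into D's LAN, written as a standard and an extended ACL.
STANDARD = [parse_entry(line, False) for line in ("deny host 192.168.1.10", "permit any")]
EXTENDED = [parse_entry(line, True) for line in (
    "deny tcp host 192.168.1.10 192.168.4.0 0.0.0.255 eq 23", "permit ip any any")]


def simulate(acl: List[Entry], placement: Hop,
             flows=FLOWS) -> Dict[str, Tuple[str, Optional[int]]]:
    """Apply acl at one interface/direction; for each flow return the verdict and,
    when denied, how many links the packets crossed before being dropped."""
    results = {}
    for name, (path, pkt) in flows.items():
        verdict, links = "permit", None
        for i, hop in enumerate(path):
            if hop == placement and evaluate(acl, pkt) == "deny":
                verdict = "deny"
                links = sum(1 for h in path[:i] if h.direction == "out")
                break
        results[name] = (verdict, links)
    return results


if __name__ == "__main__":
    for label, acl, where in (
        ("standard ACL near the source (A S0/0 out)", STANDARD, Hop("A", "S0/0", "out")),
        ("standard ACL near the destination (D Fa0/0 out)", STANDARD, Hop("D", "Fa0/0", "out")),
        ("extended ACL near the source (A Fa0/0 in)", EXTENDED, Hop("A", "Fa0/0", "in")),
        ("extended ACL near the destination (D Fa0/0 out)", EXTENDED, Hop("D", "Fa0/0", "out")),
    ):
        print(label, simulate(acl, where))
```

Run as a script, the four placements show the rule in action: the standard ACL applied outbound on A's serial link drops the telnet flow immediately but also drops the host's web traffic to B's LAN, because a standard ACL cannot tell the two destinations apart; moved to D's Fa0/0 it blocks only the telnet flow, but only after those packets have crossed three links. The extended ACL applied inbound on A's Fa0/0 drops exactly the telnet flow before it crosses any link, which is why extended ACLs belong near the source and standard ACLs near the destination.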

11.2.5 Firewalls

A firewall is an architectural structure that sits between the internal network and the outside world to protect the internal network from intruders. A network firewall usually consists of several different machines that work together to prevent unwanted and unauthorized access. ACLs should be used on firewall routers, which are often positioned between the internal network and an external network such as the Internet.

ACLs must be configured on border routers, which are routers situated on the boundaries of the network, to provide security benefits. CCNA 2 will cover standard, extended, and named ACLs. Other types will be covered in the CCNP classes.

127 - 238 CCNA 2: Routers and Routing Basics v3.1 Instructor Guide – Module 11

Copyright 2004, Cisco Systems, Inc.
