Outbound ACL


Examine the pseudocode that follows to understand packet processing. When an outbound ACL is applied on an interface, the router first performs a route lookup for the destination address in the routing table to determine the route (egress) interface.

Code View:

if {valid path found in routing table} then
    if {a match is found} then
        if {the action is to permit} then
            {router continues to process the packet}
        else {the action is to deny} then
            {router discards the packet, sending an ICMP Unreachable message to the source
             address in the packet - assuming this is not disabled}
        endif
    else {a match is not found} then
        {with the default 'implicit deny' statement, the router discards the packet,
         sending an ICMP Unreachable message}
    endif
else {valid path not found in routing table, the router drops the packet}
endif

Figure 2-3 shows the logical flowchart for how a packet is processed against an inbound or outbound ACL.

Figure 2-3. Life of a Packet Undergoing the ACL Process


Packet Flow Rules for Various Packet Types

The packet flowchart shown in Figure 2-4 demonstrates how ACL rules are applied to various packet types such as nonfragments, initial fragments, and noninitial fragments that are checked against an ACL.

Figure 2-4. ACL Flow for Non-fragments, Initial Fragments, and Non-initial Fragments


RFC 1858 covers security considerations for IP fragment filtering and highlights two attacks, along with two defensive mechanisms, involving IP fragments.

Note

A noninitial fragment packet contains only Layer 3 information, not Layer 4 information, although the ACL may contain both Layer 3 and Layer 4 information.

Note

Figure 2-4 is taken from the Cisco documentation URL listed here. For more details on ACLs and IP fragments, visit http://www.cisco.com/warp/public/105/acl_wp.html.

Guidelines for Implementing ACLs

Following are some general guidelines to consider when implementing ACLs:

ACLs can be applied to multiple interfaces on a device.

Only one ACL is allowed per protocol per interface per direction. This means that you can have two ACLs per interface: one inbound and one outbound.

ACLs are processed from the top down. The order of the access-list entries needs to be planned carefully. More specific entries must appear first.

When entering the ACL, the router appends the access control entries (ACEs) at the bottom. In newer IOS versions that have the sequencing function, it is possible to insert ACE entries between existing entries.

There is an "implicit deny" for traffic that is not permitted. A single-entry ACL with only one deny statement has the effect of denying all traffic. An ACL must have at least one permit statement; otherwise, all traffic is blocked.

Always create an ACL before applying it to the interface. When modifying or editing an ACL, always remove the ACL from the interface, make the changes, and then reapply the ACL to the interface.

An outbound (egress) ACL applied to a router interface checks only traffic traversing the router, that is, traffic going through the router and not traffic originating from the router.
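To make the outbound-ACL pseudocode and the "more specific entries first" guideline concrete, here is an added Python simulation (not from the book and not Cisco IOS code) of a route lookup followed by top-down, first-match ACL evaluation with the implicit deny. The routing table, interface names, ACL entries, and the Telnet packet are constructed sample data.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional
@dataclass
class Ace:                       # one access control entry (ACE)
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol; otherwise "tcp", "udp", "icmp"
    src: str                     # source prefix in CIDR form
    dst: str                     # destination prefix in CIDR form
    dport: Optional[int] = None  # Layer 4 qualifier; None means any port
@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None  # None for packets that carry no Layer 4 port

# Constructed routing table: (prefix, egress interface); interface names are made up
ROUTES = [("10.0.0.0/8", "Gi0/1"), ("192.168.1.0/24", "Gi0/2")]
def route_lookup(dst, routes=ROUTES):  # longest-prefix match -> egress interface or None
    best = None
    for prefix, iface in routes:
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def evaluate_acl(acl, pkt):  # top down, first match wins, implicit deny at the end
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto: continue
        if ip_address(pkt.src) not in ip_network(ace.src): continue
        if ip_address(pkt.dst) not in ip_network(ace.dst): continue
        if ace.dport is not None and ace.dport != pkt.dport: continue
        return ace.action
    return "deny"  # the implicit deny: no entry matched
def process_outbound(pkt, routes, outbound_acls):  # outbound_acls: interface -> ACL
    iface = route_lookup(pkt.dst, routes)
    if iface is None:
        return ("drop", None)  # no valid path in the routing table: dropped before any ACL
    acl = outbound_acls.get(iface)
    if acl is None or evaluate_acl(acl, pkt) == "permit":
        return ("forward", iface)
    return ("deny-icmp-unreachable", iface)  # ICMP Unreachable goes back unless disabled

# Ordering matters: the broad permit placed first shadows the specific Telnet deny after it
SHADOWED = [Ace("permit", "ip", "10.1.0.0/16", "0.0.0.0/0"),
            Ace("deny", "tcp", "10.1.1.0/24", "0.0.0.0/0", dport=23)]
CORRECT = [SHADOWED[1], SHADOWED[0]]  # more specific entry first, as the guideline says
TELNET = Packet("10.1.1.5", "192.168.1.10", "tcp", 23)  # constructed sample packet
```

Running `process_outbound(TELNET, ROUTES, {"Gi0/2": SHADOWED})` forwards the Telnet packet, while the same call with `CORRECT` denies it; an ACL applied to an interface other than the egress one is never consulted.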