I am getting ready for my Nugget on the above subject and I wanted to provide some thoughts and notes here on the blog on this important subject.
I am currently training for a half-marathon. Yes, and thanks for putting up with all of my RunKeeper Tweets on the subject. 🙂 With the training, there are certain metrics you need to hit in order to really determine if you can finish on race day. It is the same way the CCIE. One metric is ACLs. If you do not have them mastered, you are in big trouble on race day. Think about it, you use them for traffic filtering, and then traffic identification for a whole host of features on the devices. QoS, network management, the list goes on and on.
The traffic filtering part gets really scary. Drop one in that is not doctored up for the other traffic required in your lab scenario and you can easily break things well enough to fail. And when you are building the lists, you must really take your time to ensure that you are meeting their specific directions. Are you getting the EXACT traffic they want, in the correct direction?
Here is a list of tips and things to think about for this important topic. These are in no particular order:
- Read so carefully if you need to build an ACL traffic filter. Often, you will be asked to block something extremely specific, for example, echo-replies. Should you block too generally, like requests and replies, you fail the task.
- Drawing out the scenario on your scratch paper will often help you with what specifically to match and in what direction.
- You certainly would want to avoid this in production, but in the lab it is fine to end your ACLs with deny ip any any log-input. This will allow you to see just what you broke in your lab with your ACL!
- Remember that an outbound ACL will not impact traffic generated by that local router.
- access-group is used for traffic filtering on your interfaces, while access-class is used for your VTY lines. Remember with the access-class out command, it is controlling where someone can Telnet out of your router AFTER they have already Telnetted into it.