10-6
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
Chapter 10 Controlling Network Access with Access Control Lists
Access Control List Overview
Redistributing OSPF Routes (Standard)
Single context mode only
Standard ACLs include only the destination address. To use a standard ACL with the route-map
command to control the redistribution of OSPF routes, perform the following tasks:
1. Create the ACL according to the “Adding a Standard Access Control List” section on page 10-17.
2. Create a route map and apply it according to the “Redistributing Routes Between OSPF Processes”
section on page 8-6.
Access Control List Guidelines
See the following guidelines for creating ACLs:
• Access Control Entry Order, page 10-6
• Access Control List Implicit Deny, page 10-6
• Access Control List Commit, page 10-6
• Maximum Number of ACEs, page 10-7
• IP Addresses Used for Access Control Lists When You Use NAT, page 10-7
• Inbound and Outbound Access Control Lists, page 10-10
Access Control Entry Order
An ACL is made up of one or more Access Control Entries (ACEs). Depending on the ACL type, you
can specify the source and destination addresses, the protocol, the ports (for TCP or UDP), the ICMP
type (for ICMP), or the EtherType.
Each ACE that you enter for a given ACL name is appended to the end of the ACL.
The order of ACEs is important. When the FWSM decides whether to forward or drop a packet, the
FWSM tests the packet against each ACE in the order in which the entries are listed. After a match is
found, no more ACEs are checked. For example, if you create an ACE at the beginning of an ACL that
explicitly permits all traffic, no further statements are ever checked.
Access Control List Implicit Deny
ACLs have an implicit deny at the end of the list, so unless you explicitly permit it, traffic cannot pass.
For example, if you want to allow all users to access a network through the FWSM except for particular
addresses, then you need to deny the particular addresses and then permit all others.
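The first-match and implicit-deny behavior described in the two sections above, modelled as an added example (this is illustrative code written for this page, not FWSM software; the ACL name INSIDE_IN, the addresses and the helper names are constructed): it parses a few extended ACEs in the FWSM command format, evaluates a packet against them in entry order, applies the implicit deny when nothing matches, and flags ACEs that an earlier, broader entry makes unreachable.

```python
from ipaddress import ip_address, ip_network

# Constructed sample ACL (not from the guide): deny two hosts, then permit the rest of 10.1.0.0/16.
# The denies must come first; the permit is broader and would shadow them if entered first.
ACL_TEXT = """
access-list INSIDE_IN extended deny ip host 10.1.1.5 192.168.5.0 255.255.255.0
access-list INSIDE_IN extended deny ip host 10.1.1.6 192.168.5.0 255.255.255.0
access-list INSIDE_IN extended permit ip 10.1.0.0 255.255.0.0 192.168.5.0 255.255.255.0
"""

def parse_addr(tokens, i):
    """Parse one address spec at tokens[i]: 'any', 'host A', or 'A MASK'. Returns (network, next_index)."""
    if tokens[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ip_network(tokens[i + 1] + "/32"), i + 2
    return ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2   # dotted mask accepted by ipaddress

def parse_acl(text):
    """Return [(action, proto, src_net, dst_net)] in the order entered; each ACE appends to the end."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()          # access-list NAME extended ACTION PROTO SRC... DST...
        action, proto = t[3], t[4]
        src, i = parse_addr(t, 5)
        dst, _ = parse_addr(t, i)
        aces.append((action, proto, src, dst))
    return aces

def evaluate(aces, src_ip, dst_ip, proto="ip"):
    """First-match evaluation. Returns (action, index); index -1 means the implicit deny fired."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for idx, (action, ace_proto, src_net, dst_net) in enumerate(aces):
        if ace_proto in ("ip", proto) and s in src_net and d in dst_net:
            return action, idx    # stop here; later ACEs are never examined
    return "deny", -1             # nothing matched: implicit deny at the end of the list

def shadowed(aces):
    """Indices of ACEs that can never match because an earlier ACE covers their whole src/dst range."""
    out = []
    for i, (_, p, s, d) in enumerate(aces):
        if any(ep in ("ip", p) and s.subnet_of(es) and d.subnet_of(ed) for _, ep, es, ed in aces[:i]):
            out.append(i)
    return out

if __name__ == "__main__":
    good = parse_acl(ACL_TEXT)
    print(evaluate(good, "10.1.1.5", "192.168.5.10"))   # ('deny', 0): explicit deny hit first
    print(evaluate(good, "10.1.2.7", "192.168.5.10"))   # ('permit', 2)
    print(evaluate(good, "10.1.2.7", "172.16.0.1"))     # ('deny', -1): implicit deny
    bad = [good[2], good[0], good[1]]                   # same ACEs, permit entered first
    print(evaluate(bad, "10.1.1.5", "192.168.5.10"))    # ('permit', 0): the deny is never checked
    print(shadowed(bad))                                # [1, 2]
```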
Access Control List Commit
When you add an ACE to an ACL, the FWSM activates the ACL by committing it to the network
processors. The FWSM waits a short period of time after you last entered an access-list command and
then commits the ACL. This waiting period minimizes the number of times the FWSM commits the
ACL. If you enter multiple ACEs within the short waiting period, or paste ACEs at the command prompt,
then the FWSM does not commit the ACL until the waiting period has passed and you do not enter more
entries. The FWSM displays a message similar to the following after it commits the ACL:
Access Rules Download Complete: Memory Utilization: < 1%