Cisco Access Lists
You can use ACLs to provide packet filtering at the router level. You can use ACLs extensively at a firewall to protect your internal network from the outside world. This section outlines the different types of ACLs that are available to you and the rules (we prefer the word guidelines) for creating ACLs. A wide variety of ACLs can be leveraged to provide additional layers of security on your network. We talk about a few types of access lists.
When building ACLs, note that there is an implicit deny statement at the end of the access list.
Standard ACLs filter traffic based on the network only, and they are not as granular as the extended ACLs. Standard IP access lists range from 1 to 99.
Extended access lists are more granular and can be used to provide filtering based upon source and destination IP addresses, TCP/UDP ports, and protocols. Extended access lists range from 100 to 199.
You can apply ACLs in two directions:
InboundInbound ACLs are subjected to all traffic coming into the router through an interface.
OutboundOutbound ACLs are subjected to all traffic leaving the router's interface.
ACLs are applied on the router at interface level and not at global level. ACLs are created at global level.
Starting with IOS version 12.0(6)S and higher, you can compile access lists on certain Cisco routers. This concept is called Turbo ACLs. Turbo ACL compiles the access list into lookup tables. Packet headers are used to access these lookup tables in small and fixed numbers of lookups. Note that this command was introduced with the high-end Cisco routers, namely the Cisco 7200 series.
Another way of securing Cisco routers is via context-based access control (CBAC). CBAC examines packets as they enter or leave the router's interfaces. This process also determines what application protocol to allow. CBAC was introduced in version 12.0T.