CCIE Pursuit Blog

September 21, 2007

Access-List Options

Filed under: Cisco,Cisco Certification,IOS — cciepursuit @ 11:44 am

Here are a couple of interesting access-list options from David Davis at Tech Republic (you may need to get an account to access the page):

Compiled (Turbo) ACL

If you have long and complex ACLs, I recommend enabling the Turbo ACL feature, available on newer routers with newer IOS versions. (The IOS disables this feature by default.)

With Turbo ACL, tables built into the router’s memory help the router speed the processing of traffic through ACLs. Whenever you modify the ACLs, this triggers the router to recompile the ACL. Here’s how you enable Turbo ACLs:

Router(config)# access-list compiled

ACLs that only allow established TCP connections

Another interesting parameter for Cisco IOS ACLs is the established option. With the established parameter, you can create an ACL that only allows TCP traffic matching the ACL that has an ACK or RST bit set. That would deny any TCP traffic trying to create a new TCP session. Here’s an example:

Router(config)# access-list 120 permit tcp any 1.1.1.0 0.0.0.255 established

This line, taken from a larger ACL, permits only TCP traffic going to the 1.1.1.0 network that’s already established. So, it only permits responses to connections already initiated (i.e., set up) in the opposite direction.

This is similar to a stateless firewall that allows already-connected traffic; however, in this situation, we don’t know what that traffic actually is. We’re assuming that any TCP response we receive was a real request.
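To make the matching rule concrete, here is a small Python model (added here, not code from the Tech Republic article or from Cisco) of how the `access-list 120` line above is evaluated: it applies the Cisco wildcard mask to the destination, permits only TCP packets with ACK or RST set, and falls through to the implicit deny. The sample packets are constructed; the last one shows the stateless limitation the paragraph above describes.

```python
import ipaddress
from dataclasses import dataclass

# TCP flag bits as they appear in the TCP header
ACK = 0x10
RST = 0x04
SYN = 0x02


@dataclass
class TcpPacket:
    src: str
    dst: str
    flags: int


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    mask = ~w & 0xFFFFFFFF  # bits that must be equal
    return (a & mask) == (n & mask)


def established(flags: int) -> bool:
    """The 'established' keyword matches when ACK or RST is set."""
    return bool(flags & (ACK | RST))


def acl_120(pkt: TcpPacket) -> str:
    """access-list 120 permit tcp any 1.1.1.0 0.0.0.255 established,
    followed by the implicit deny that ends every IOS ACL."""
    if wildcard_match(pkt.dst, "1.1.1.0", "0.0.0.255") and established(pkt.flags):
        return "permit"
    return "deny"  # implicit deny


# Constructed sample packets (not captured traffic)
SAMPLES = [
    TcpPacket("10.0.0.9", "1.1.1.5", SYN),        # new session attempt: denied
    TcpPacket("10.0.0.9", "1.1.1.5", SYN | ACK),  # reply to a SYN we sent: permitted
    TcpPacket("10.0.0.9", "1.1.1.5", RST),        # reset: permitted
    TcpPacket("10.0.0.9", "2.2.2.2", ACK),        # destination outside 1.1.1.0/24: denied
    TcpPacket("10.0.0.9", "1.1.1.77", ACK),       # ACK with no state check: permitted anyway
]


def evaluate_all(packets=SAMPLES):
    return [acl_120(p) for p in packets]


if __name__ == "__main__":
    for p, verdict in zip(SAMPLES, evaluate_all()):
        print(f"{p.src} -> {p.dst} flags=0x{p.flags:02x}: {verdict}")
```

The final sample is the point of the caveat: the ACL keeps no connection table, so any packet carrying ACK or RST toward 1.1.1.0/24 is treated as a response, which is why a stateful inspection feature is preferred where that matters.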
