For more IT articles and tips specific to small and midsized businesses, visit SearchSMB.com.
Everybody knows the basics about using access control lists. They've been around forever, and are required for everything from simple filtering to configuring
Requires Free Membership to View
routing protocols and QoS policies. However, a lot has changed over the years and you now have a lot more control about the mechanics of how they're implemented. If you haven't studied them lately, I recommend investigating the following:
- Depending on the hardware and software version, the ACL can be processed in hardware or software. On newer equipment, the way you configure your switch or router will determine where processing takes place. Obviously, hardware is much faster, and if you're not paying attention, you could wind up with serious performance problems if the software causes the CPU to become a bottleneck.
- Even if you configure your ACLs to be processed in hardware, the logging of the ACLs may be done in software. Think before you indiscriminately log everything.
- The points at which you can apply ACLs have evolved. For instance, you can now apply VLAN ACLs, which controls traffic as it is bridged between any ports in a VLAN. This is much more powerful than the old router-interface-only method.
- You may be able to tune the hardware resources. For instance, on Cisco 3750 switches, you can apply TCAM templates, based on whether you're using the switch for Layer 3 or Layer 2.
- Dynamic and Downloadable ACLs can dramatically improve the way you manage your network by giving you flexibility and centralized management.
Tom Lancaster, CCIE# 8829 CNX# 1105, is a consultant with 15 years experience in the networking industry, and co-author of several books on networking, most recently, CCSPTM: Secure PIX and Secure VPN Study Guide published by Sybex.
This was first published in August 2004