IPv4 traffic management and improved network performance

Use ACLs to block traffic from individual hosts, workgroups, or subnets, and to block access to VLANs, subnets, devices, and services.

Traffic criteria for ACLs include:
  • Switched and/or routed traffic

  • Any traffic of a specific IPv4 protocol type (0-255)

  • Any TCP traffic (only) for a specific TCP port or range of ports, including optional control of connection traffic based on whether the initial request should be allowed

  • Any UDP traffic or UDP traffic for a specific UDP port

  • Any ICMP traffic or ICMP traffic of a specific type and code

  • Any IGMP traffic or IGMP traffic of a specific type

  • Any of the above with specific precedence and/or ToS settings

Answering the following questions can help you to design and properly position IPv4 ACLs for optimum network usage.

  • What are the logical points for minimizing unwanted traffic, and what ACL application(s) should be used? In many cases it makes sense to prevent unwanted traffic from reaching the core of your network by configuring ACLs to drop the unwanted traffic at or close to the edge of the network. The earlier in the network path you can block unwanted traffic, the greater the benefit for network performance.

  • From where is the traffic coming? The source and destination of traffic you want to filter determines the ACL application to use (static port ACL, VACL, and dynamic port ACL).

  • What traffic should you explicitly block? Depending on your network size and the access requirements of individual hosts, this can involve creating a large number of ACEs in a given ACL (or a large number of ACLs), which increases the complexity of your solution.

  • What traffic can you implicitly block by taking advantage of the implicitdeny ip any to deny traffic that you have not explicitly permitted? This can reduce the number of entries needed in an ACL.

  • What traffic should you permit? In some cases you will need to explicitly identify permitted traffic. In other cases, depending on your policies, you can insert an ACE with "permit any" forwarding at the end of an ACL. This means that all IPv4 traffic not specifically matched by earlier entries in the list will be permitted.