478 Chapter 7: Understanding Access List Security
Access lists for filtering packets are covered next; SAP filters are covered in the section "SAP
Access Lists."
IPX Packet Filters (Access Lists)
Packet filters in the Cisco IOS use the same general logic for any Layer 3 protocol. Figure 7-6
outlines the path an IPX packet can take through a router. The comments following the figure
describe the basic logic behind IPX access lists.
Features of the process described in Figure 7-6 are as follows:
· Packets can be filtered as they enter an interface, before the routing decision.
· Packets can be filtered before they exit an interface, after the routing decision.
· "Deny" is the term used in the IOS to imply that the packet will be filtered.
· "Permit" is the term used in the IOS to imply that the packet will not be filtered.
· The filtering logic is configured in the access list.
The logic created by an access list, as shown in the diamond-shaped symbols in Figure 7-6, is
best summarized by the following sequence of events:
Step 1  The matching parameters of the first access list statement are compared to the packet.
Step 2  If a match is made, the action defined in this access list statement (permit or deny) is performed, as shown in Figure 7-6.
Step 3  If a match is not made in Step 2, repeat Steps 1 and 2 using the next sequential access list statement.
Step 4  If no match is made with an entry in the access list, the deny action is performed.
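The four steps above, as an added Python example that is not from the book or from Cisco IOS: a simplified first-match evaluator, plus a check for statements that can never be reached because an earlier statement already covers them. It assumes each statement matches only on source and destination network; the field names, function names and network numbers are constructed for illustration.

```python
# Simplified model of Steps 1-4. Statement fields and network numbers are
# constructed for illustration; None means "any network".
from typing import NamedTuple, Optional

class Statement(NamedTuple):
    action: str                 # "permit" or "deny"
    src_net: Optional[int]      # source IPX network, None = any
    dst_net: Optional[int]      # destination IPX network, None = any

def field_matches(want, have):
    return want is None or want == have

def evaluate(acl, src_net, dst_net):
    """Return (action, zero-based index of the matching statement or None)."""
    for i, st in enumerate(acl):                       # Steps 1 and 3
        if field_matches(st.src_net, src_net) and field_matches(st.dst_net, dst_net):
            return st.action, i                        # Step 2: first match wins
    return "deny", None                                # Step 4: implicit deny

def covers(earlier, later):
    """True if every packet matching `later` also matches `earlier`."""
    return all(e is None or e == l for e, l in
               ((earlier.src_net, later.src_net), (earlier.dst_net, later.dst_net)))

def shadowed(acl):
    """Zero-based indexes of statements that can never be reached."""
    return [j for j, later in enumerate(acl)
            if any(covers(acl[i], later) for i in range(j))]

# Constructed list: index 2 is shadowed by the broader statement at index 1.
ACL = [
    Statement("deny",   0x1, 0x2),
    Statement("permit", 0x1, None),
    Statement("deny",   0x1, 0x3),
    Statement("permit", 0x4, 0x2),
]

if __name__ == "__main__":
    for src, dst in [(0x1, 0x2), (0x1, 0x3), (0x4, 0x2), (0x5, 0x2)]:
        action, idx = evaluate(ACL, src, dst)
        where = "implicit deny" if idx is None else f"statement {idx}"
        print(f"{src:X} -> {dst:X}: {action} ({where})")
    print("unreachable statements:", shadowed(ACL))
```

The packet from network 1 to network 3 is permitted even though a deny statement names it exactly, because the broader permit sits earlier in the list.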
Table 7-9  IPX Access List EXEC Commands

Command                    Function
show ipx interface         Includes reference to the access lists enabled on the interface
show access-list number    Shows details of all configured access lists for all protocols
show ipx access-list       Shows details of all IPX access lists
ch07.fm Page 478 Monday, March 20, 2000 5:14 PM