Access Lists
465
There are a few important rules a packet follows when it's being compared with an access list:

- It's always compared with each line of the access list in sequential order, i.e., it'll always start with line 1, then go to line 2, then line 3, and so on.
- It's compared with lines of the access list only until a match is made. Once the packet matches a line of the access list, it's acted upon, and no further comparisons take place.
- There is an implicit "deny" at the end of each access list; this means that if a packet doesn't match up to any lines in the access list, it'll be discarded.
Each of these rules has some powerful implications when filtering IP and
IPX packets with access lists.
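The three matching rules above (sequential comparison, stop at the first match, implicit deny when nothing matches) can be made concrete with a small evaluator for standard IP access lists. This is an added example, not code from the book or from any router vendor: it parses the standard `access-list <number> <permit|deny> <source> [wildcard]` form (with `host` and `any` shorthands) into entries, evaluates a packet's source address against them in order, and also reports entries that can never match because an earlier, broader line shadows them, which is the practical consequence of the first-match rule when lines are ordered carelessly. The two sample lists are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class AclEntry:
    action: str    # "permit" or "deny"
    network: int   # configured source address, as a 32-bit integer
    wildcard: int  # Cisco-style wildcard mask: 0 bits must match, 1 bits are "don't care"


def parse_standard_acl(lines):
    """Parse standard IP access-list lines into AclEntry objects, in order."""
    entries = []
    for raw in lines:
        tokens = raw.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            raise ValueError(f"not a standard access-list line: {raw!r}")
        action = tokens[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in line: {raw!r}")
        source = tokens[3]
        if source == "any":
            network, wildcard = 0, 0xFFFFFFFF          # every bit is "don't care"
        elif source == "host":
            network, wildcard = int(ipaddress.IPv4Address(tokens[4])), 0
        else:
            network = int(ipaddress.IPv4Address(source))
            # a missing wildcard means an exact host match, as on IOS
            wildcard = int(ipaddress.IPv4Address(tokens[4])) if len(tokens) > 4 else 0
        entries.append(AclEntry(action, network, wildcard))
    return entries


def matches(entry, addr):
    """True if addr matches the entry: all bits not masked by the wildcard must be equal."""
    return (addr & ~entry.wildcard) == (entry.network & ~entry.wildcard)


def evaluate(entries, source_ip):
    """Apply the three rules: walk the list in order, act on the first match,
    and fall through to the implicit deny if nothing matched.
    Returns (action, matched_line_number) with line number None for the implicit deny."""
    addr = int(ipaddress.IPv4Address(source_ip))
    for line_no, entry in enumerate(entries, start=1):
        if matches(entry, addr):
            return entry.action, line_no
    return "deny", None


def shadowed_entries(entries):
    """Return 1-based line numbers of entries that can never be reached because an
    earlier entry already matches every source address they would match."""
    shadowed = []
    for i, later in enumerate(entries):
        for earlier in entries[:i]:
            covers_all_bits = (later.wildcard & ~earlier.wildcard) == 0
            same_fixed_bits = (earlier.network & ~earlier.wildcard) == (later.network & ~earlier.wildcard)
            if covers_all_bits and same_fixed_bits:
                shadowed.append(i + 1)
                break
    return shadowed


# Constructed sample lists. The first blocks one host and permits the rest of its
# subnet; the second has the same two lines in the wrong order, so the host-specific
# deny is never reached.
SAMPLE_ACL = [
    "access-list 10 deny   host 172.16.10.5",
    "access-list 10 permit 172.16.10.0 0.0.0.255",
]
SHADOWED_ACL = [
    "access-list 11 permit 172.16.10.0 0.0.0.255",
    "access-list 11 deny   host 172.16.10.5",
]

if __name__ == "__main__":
    for name, acl in (("ACL 10", SAMPLE_ACL), ("ACL 11", SHADOWED_ACL)):
        entries = parse_standard_acl(acl)
        for ip in ("172.16.10.5", "172.16.10.77", "10.0.0.1"):
            print(name, ip, "->", evaluate(entries, ip))
        print(name, "unreachable lines:", shadowed_entries(entries))
```

Running it shows 172.16.10.5 denied by line 1 of ACL 10 but permitted by line 1 of ACL 11, 10.0.0.1 denied by the implicit deny in both lists (no line number), and line 2 of ACL 11 reported as unreachable. The shadowing check is the kind of test worth running before a list goes onto an interface, since the router itself will silently honour the first match.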
There are two types of access lists used with IP and IPX:

Standard access lists
These use only the source IP address in an IP packet to filter the network. This basically permits or denies an entire suite of protocols. IPX standards can filter on both source and destination IPX address.

Extended access lists
These check for both source and destination IP address, protocol field in the Network layer header, and port number at the Transport layer header. IPX extended access lists use source and destination IPX addresses, Network layer protocol fields, and socket numbers in the Transport layer header.
Once you create an access list, you apply it to an interface with either an inbound or outbound list:

Inbound access lists
Packets are processed through the access list before being routed to the outbound interface.

Outbound access lists
Packets are routed to the outbound interface and then processed through the access list.
There are also some access list guidelines that should be followed when creating and implementing access lists on a router:

- You can assign only one access list per interface, per protocol, per direction. This means that if you are creating IP access lists, you can have only one inbound access list and one outbound access list per interface.
Copyright ©2002 SYBEX, Inc., Alameda, CA
www.sybex.com