Chapter 9
Managing Traffic with Access Lists
Organize your access lists so that the more specific tests are at the top of the access list.
Any time a new entry is added to the access list, it will be placed at the bottom of the list.
You cannot remove one line from an access list. If you try to do this, you will remove the entire list. It is best to copy the access list to a text editor before trying to edit the list. The only exception is when using named access lists.
Unless your access list ends with a permit any command, all packets will be discarded if they do not meet any of the list's tests. Every list should have at least one permit statement, or you might as well shut the interface down.
Create access lists and then apply them to an interface. An access list applied to an interface before that list actually exists will not filter traffic.
Access lists are designed to filter traffic going through the router. They will not filter traffic that has originated from the router.
Place IP standard access lists as close to the destination as possible.
Place IP extended access lists as close to the source as possible.
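The rules above (top-down first-match evaluation, new lines appended at the bottom, the unwritten deny at the end of every list) can be checked with a small simulator. This is an added example, not code from the book; the StandardAcl class, its method names and the sample addresses are assumptions, and source matching uses a Cisco-style wildcard mask (1 bits are "don't care").

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _ints(address, wildcard):
    """Convert dotted-quad address and wildcard mask to integers."""
    return int(ipaddress.IPv4Address(address)), int(ipaddress.IPv4Address(wildcard))


class StandardAcl:
    """Simulates a numbered standard IP access list (source-address tests only)."""

    def __init__(self, number):
        if not 1 <= number <= 99:
            raise ValueError("standard IP access lists use numbers 1-99")
        self.number = number
        self.entries = []  # list of (action, source, wildcard), in configured order

    def add(self, action, source, wildcard="0.0.0.0"):
        """IOS appends every new line at the bottom; there is no insert-in-the-middle."""
        self.entries.append((action, source, wildcard))

    def evaluate(self, src_ip):
        """Return (action, index) of the first matching entry.
        Index None means no entry matched and the implicit deny at the end fired."""
        ip = int(ipaddress.IPv4Address(src_ip))
        for i, (action, source, wildcard) in enumerate(self.entries):
            base, wc = _ints(source, wildcard)
            must = ~wc & ALL_ONES  # wildcard 0 bits must match exactly
            if ip & must == base & must:
                return action, i
        return "deny", None

    def _covers(self, broad, narrow):
        """True when every source matched by `narrow` is also matched by `broad`."""
        b_base, b_wc = _ints(broad[1], broad[2])
        n_base, n_wc = _ints(narrow[1], narrow[2])
        must = ~b_wc & ALL_ONES
        return (n_wc & must) == 0 and (n_base & must) == (b_base & must)

    def unreachable_entries(self):
        """Indexes of lines shadowed by an earlier, broader line (never evaluated)."""
        return [i for i in range(len(self.entries))
                if any(self._covers(self.entries[j], self.entries[i]) for j in range(i))]


def build_demo():
    """Same two lines in both orders: only the second list blocks the host (constructed data)."""
    wrong = StandardAcl(10)
    wrong.add("permit", "0.0.0.0", "255.255.255.255")  # permit any typed first...
    wrong.add("deny", "172.16.50.3")                    # ...so the host deny lands below it
    right = StandardAcl(10)
    right.add("deny", "172.16.50.3")                    # specific test at the top
    right.add("permit", "0.0.0.0", "255.255.255.255")
    return wrong, right
```

A list containing only deny lines returns ("deny", None) for every source, which is the "might as well shut the interface down" case.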
Standard IP Access Lists
Standard IP access lists filter the network by using the source IP address in an IP packet. You create a standard IP access list by using the access-list numbers 1-99.
Below is an example of the access-list numbers that you can use to filter your network. The different protocols that you can use with access lists depend on your IOS version.
RouterA(config)#access-list ?
<1-99> IP standard access list
<100-199> IP extended access list
<1000-1099> IPX SAP access list
<1100-1199> Extended 48-bit MAC address access list
<1200-1299> IPX summary address access list
<200-299> Protocol type-code access list
<300-399> DECnet access list
Copyright ©2002 SYBEX, Inc., Alameda, CA
www.sybex.com