IP Access Lists
329
FIGURE 6.10 Flowchart process of a standard access list
Stepping through the flowchart, you can see that the packet arrives at the
specific interface through which it must enter or leave. The router's first step
is to check whether there is an access list applied to the interface. If so, it
passes through each line of the access list until the packet's source address
matches one of the source addresses listed. If the packet fails to match any of
the source addresses, it is denied. However, if the packet's source address
does find a match in the list, the packet is then subjected to any condition
applied on that line of the access list. The two conditional possibilities are to
deny the packet or permit it. When a packet is denied, it's dropped; when it's
permitted, it's forwarded to the next hop.
Exiting packets are first routed to the exiting interface and then verified
by the access list, which determines whether the packet will be dropped or
forwarded through the interface. Incoming packets arrive from the forwarding
machine or router, and are then checked against the access list. If the
packet is permitted by the list, the packet is accepted through the interface
and forwarded to the exit interface.
This is important information to understand when troubleshooting any
access list. Because the processing depends on whether the packet is incoming
or outgoing, knowing the direction tells you which interfaces to look at and
which access lists to analyze.
Troubleshooting standard access lists is very simple because they are
based on only one criterion, the source IP address. The basic method of
troubleshooting an access list is to read it line-by-line, and analyze it to
determine whether any lines are out of order or typed incorrectly.
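The evaluation the flowchart describes (top-down, first match wins, implicit deny when no line matches, no list means forward) is small enough to model directly. The following Python is an added example, not code from the book; it simulates a standard access list using Cisco-style wildcard masks, applies an inbound list before routing and an outbound list after it, and implements the line-by-line troubleshooting step as a check that reports any line fully shadowed by an earlier one. The access list and packet addresses are constructed sample data, and the entry format, wildcard semantics and function names are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


@dataclass(frozen=True)
class AclEntry:
    """One line of a standard access list: an action and a source test.

    The wildcard follows Cisco convention: a 0 bit must match the source,
    a 1 bit is a "don't care" bit.  "host" is 0.0.0.0, "any" is 255.255.255.255.
    """
    action: str                 # "permit" or "deny"
    source: str                 # dotted source address
    wildcard: str = "0.0.0.0"   # default is a single host

    def matches(self, src_ip: str) -> bool:
        care = ~_ip(self.wildcard) & 0xFFFFFFFF
        return (_ip(src_ip) ^ _ip(self.source)) & care == 0

    def covers(self, other: "AclEntry") -> bool:
        """True if every address matched by `other` is also matched by self."""
        care = ~_ip(self.wildcard) & 0xFFFFFFFF
        # other may not be wild where self is fixed, and fixed bits must agree
        return (_ip(other.wildcard) & care) == 0 and \
               ((_ip(self.source) ^ _ip(other.source)) & care) == 0


def evaluate(acl, src_ip: str):
    """Walk the list top-down; return (action, 1-based line) of the first match.

    No list applied means the packet is forwarded; falling off the end of a
    list hits the implicit deny, reported with line None.
    """
    if not acl:
        return ("permit", None)
    for line, entry in enumerate(acl, start=1):
        if entry.matches(src_ip):
            return (entry.action, line)
    return ("deny", None)


def process(src_ip: str, inbound_acl=None, outbound_acl=None):
    """Inbound list is checked on arrival; only a permitted packet is routed
    and then checked against the outbound list of the exit interface."""
    action, line = evaluate(inbound_acl, src_ip)
    if action == "deny":
        return ("dropped", "inbound", line)
    action, line = evaluate(outbound_acl, src_ip)
    if action == "deny":
        return ("dropped", "outbound", line)
    return ("forwarded", None, None)


def shadowed_lines(acl):
    """Return (line, shadowing_line) pairs for lines that can never match
    because an earlier line already covers every address they test."""
    found = []
    for j, later in enumerate(acl, start=1):
        for i, earlier in enumerate(acl[:j - 1], start=1):
            if earlier.covers(later):
                found.append((j, i))
                break
    return found


# Constructed sample list: line 3 is out of order and is shadowed by line 2.
ACL_10 = [
    AclEntry("deny", "172.16.50.2"),                    # host 172.16.50.2
    AclEntry("permit", "172.16.50.0", "0.0.0.255"),     # 172.16.50.0/24
    AclEntry("deny", "172.16.50.7"),                    # never reached
]

if __name__ == "__main__":
    for src in ("172.16.50.2", "172.16.50.7", "10.1.1.1"):
        print(src, evaluate(ACL_10, src))
    print("shadowed:", shadowed_lines(ACL_10))
    print(process("172.16.50.2", outbound_acl=ACL_10))
```

Running the sample shows why order matters: 172.16.50.7 is permitted by line 2 even though line 3 was meant to deny it, and the shadow check flags line 3 as unreachable; an address outside the list, such as 10.1.1.1, is dropped by the implicit deny with no line number to point at.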
[Figure 6.10 flowchart: Incoming packet -> Access list applied to interface? -> No: Forward packet; Yes: Match IP source address? -> No: Another line? (Yes: check next line; No: Drop packet); Yes: Check line criteria -> Deny/Permit -> Deny: Drop packet; Permit: Forward packet]
Copyright ©2000 SYBEX , Inc., Alameda, CA
www.sybex.com