Chapter 11
Access Policies
This is only an overview of access lists. For a detailed explanation, please see
CCNA: Cisco Certified Network Associate Study Guide, by Todd Lammle
(Sybex, 2000), and CCNP: Routing Study Guide, by Todd Lammle and Sean
Odom (Sybex, 2000).
The IP and IPX access lists work similarly--they're both packet filters:
packets are compared with the list, categorized by it, and acted upon
accordingly. Once the lists are built, they can be applied to either inbound
or outbound traffic on any interface. Applying an access list will then cause
the router to analyze every packet crossing that interface in the specified
direction and take action accordingly.
There are a few important rules a packet follows when it's being compared
with an access list:

• It's always compared with each line of the access list in sequential
  order; that is, it'll always start with line 1, then go to line 2, then
  line 3, and so on.

• It's compared with lines of the access list only until a match is made.
  Once the packet matches a line of the access list, it's acted upon, and
  no further comparisons take place.

• There is an implicit "deny" at the end of each access list--this means
  that if a packet doesn't match up to any lines in the access list, it'll be
  discarded.

Each of these rules has some powerful implications when IP and IPX
packets are filtered with access lists.
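
The three rules above can be modeled in a few lines. The following is an added example, not code from the book: it evaluates a packet's source address against a standard IP access list and reports lines that can never match because an earlier line already covers them. The (action, address, wildcard mask) tuple layout, the function names, and the sample lists are constructed for illustration; wildcard masks are the IOS convention in which a 1 bit means "don't care."

```python
import ipaddress

def ip(s):
    """Dotted-quad string to 32-bit integer."""
    return int(ipaddress.IPv4Address(s))

def matches(line, src):
    """True if src equals the line's address on every bit the wildcard cares about."""
    _action, addr, wildcard = line
    care = ~ip(wildcard) & 0xFFFFFFFF   # wildcard 1-bits are "don't care"
    return (ip(src) & care) == (ip(addr) & care)

def evaluate(acl, src):
    """Return (action, line_number). line_number is None for the implicit deny."""
    for n, line in enumerate(acl, start=1):   # rule 1: sequential order
        if matches(line, src):
            return line[0], n                 # rule 2: first match ends the search
    return "deny", None                       # rule 3: implicit deny at the end

def shadowed_lines(acl):
    """Line numbers that can never match because an earlier line covers them."""
    dead = []
    for n, (_a, addr, wc) in enumerate(acl, start=1):
        for _ea, e_addr, e_wc in acl[:n - 1]:
            e_care = ~ip(e_wc) & 0xFFFFFFFF
            # Covered when every bit the earlier line checks is fixed in this
            # line and carries the same value.
            if (e_care & ip(wc)) == 0 and (ip(addr) & e_care) == (ip(e_addr) & e_care):
                dead.append(n)
                break
    return dead

# Constructed sample lists: same two lines, opposite order.
ACL_BAD = [("permit", "172.16.0.0", "0.0.255.255"),   # line 1: whole network
           ("deny",   "172.16.10.5", "0.0.0.0")]      # line 2: never reached
ACL_GOOD = [("deny",   "172.16.10.5", "0.0.0.0"),     # specific host first
            ("permit", "172.16.0.0", "0.0.255.255")]

if __name__ == "__main__":
    for name, acl in (("ACL_BAD", ACL_BAD), ("ACL_GOOD", ACL_GOOD)):
        for src in ("172.16.10.5", "172.16.20.1", "10.1.1.1"):
            print(name, src, evaluate(acl, src))
        print(name, "shadowed lines:", shadowed_lines(acl))
```

In the first list the host deny is dead configuration: the broader permit on line 1 matches first, so the host is let through. Putting the more specific line first gives the intended result, and any source outside 172.16.0.0 falls through to the implicit deny in both lists.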
There are two types of access lists used with IP and IPX that we will
discuss here:

Standard access lists: These use only the source IP address in an IP
packet to filter the network. This basically permits or denies an entire
suite of protocols. IPX standard access lists can filter on both source and
destination IPX addresses. IP standard access lists use numbers 1-99 and
IPX standard access lists use numbers 800-899.

Extended access lists: These check for both source and destination IP
addresses, the protocol field in the Network layer header, and the port
number in the Transport layer header. IPX extended access lists use the
Copyright ©2000 SYBEX , Inc., Alameda, CA
www.sybex.com