Distribution Layer Policy
449
source and destination IPX addresses, the Network layer protocol field, and socket numbers in the Transport layer header. IP extended access lists use numbers 100-199 and IPX extended access lists use numbers 900-999.
Once you create an access list, you apply it to an interface with either an inbound or outbound list:

Inbound access lists: Packets are processed through the access list before being routed to the outbound interface.

Outbound access lists: Packets are routed to the outbound interface and then processed through the access list.
There are also some guidelines that should be followed when you're creating and implementing access lists on a router:

You can assign only one access list per interface, per protocol, per direction. This means that if you are creating IP access lists, you can have only one inbound access list and one outbound access list per interface.

Organize your access lists so that the more specific tests are at the top. When a new test statement is added to the access list, it will be placed at the bottom of the list.

You cannot remove one line from an access list. If you try to, you will remove the entire list. It is best to copy the access list to a text editor before trying to edit the list. The only exception is when you're using named access lists.

Unless your access list ends with a permit any command, all packets will be discarded if they do not meet any of the list's tests. Every list should have at least one permit statement, or you might as well shut the interface down.

Create access lists and then apply them to an interface. An access list applied to an interface before the list itself has been created will not filter traffic.

Access lists are designed to filter traffic going through the router. They will not filter traffic originating from the router.

Place IP standard access lists as close to the destination as possible.

Place IP extended access lists as close to the source as possible.
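The guidelines above (top-down evaluation with first match winning, the implicit deny at the end of every list, one list per interface per protocol per direction, and no filtering when the bound list does not exist) are easiest to see by running them. The following Python model is an added example; it is not from this book and not Cisco IOS code. It parses constructed IOS-style numbered access-list lines (standard lists 1-99, extended lists 100-199) and evaluates constructed packets against them. The `Router`, `Packet` and `Entry` classes, the `demo` function and the sample configuration are all assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example (not from the book or from Cisco IOS); every name here is constructed.
ANY = ("0.0.0.0", "255.255.255.255")   # "any": base 0.0.0.0 with an all-ones wildcard

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None

def wild_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask compare: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = 0xFFFFFFFF ^ w
    return (a & care) == (b & care)

@dataclass(frozen=True)
class Entry:
    number: int
    action: str             # "permit" or "deny"
    proto: str              # "ip" matches every IP protocol
    src: tuple              # (base address, wildcard mask)
    dst: tuple
    dport: Optional[int]    # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == pkt.proto)
                and wild_match(pkt.src, *self.src) and wild_match(pkt.dst, *self.dst)
                and (self.dport is None or self.dport == pkt.dport))

def _take_addr(t, i):
    """Consume 'any', 'host X', 'X WILDCARD' or a trailing bare 'X' (treated as a host)."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    if i + 1 >= len(t):
        return (t[i], "0.0.0.0"), i + 1
    return (t[i], t[i + 1]), i + 2

def parse_entry(line: str) -> Entry:
    """Parse one 'access-list N permit|deny ...' line, standard or extended."""
    t = line.split()
    number, action = int(t[1]), t[2]
    if 1 <= number <= 99:                    # standard list: tests the source address only
        src, _ = _take_addr(t, 3)
        return Entry(number, action, "ip", src, ANY, None)
    if 100 <= number <= 199:                 # extended list: protocol, source, destination, port
        src, i = _take_addr(t, 4)
        dst, i = _take_addr(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        return Entry(number, action, t[3], src, dst, dport)
    raise ValueError(f"unsupported list number {number}")

def evaluate(entries, pkt: Packet) -> str:
    """Top-down, first match wins; no match means the implicit deny applies."""
    for e in entries:
        if e.matches(pkt):
            return e.action
    return "deny"

class Router:
    def __init__(self):
        self.lists = {}      # list number -> entries in the order configured
        self.bindings = {}   # (interface, protocol, direction) -> list number
    def configure(self, line: str):
        e = parse_entry(line)
        self.lists.setdefault(e.number, []).append(e)   # a new test always goes to the bottom
    def access_group(self, iface: str, number: int, direction: str):
        # One list per interface, per protocol, per direction: a second assignment replaces the first.
        self.bindings[(iface, "ip", direction)] = number
    def filter(self, iface: str, direction: str, pkt: Packet) -> str:
        number = self.bindings.get((iface, "ip", direction))
        if number is None or not self.lists.get(number):
            return "permit"   # no list bound, or the bound list was never created: nothing is filtered
        return evaluate(self.lists[number], pkt)

# Constructed sample configuration: most specific test first, explicit permit any last.
CONFIG = [
    "access-list 101 deny tcp host 10.1.1.5 any eq 23",
    "access-list 101 permit tcp 10.1.1.0 0.0.0.255 any eq 23",
    "access-list 101 permit ip any any",
]

def demo() -> dict:
    r = Router()
    for line in CONFIG:
        r.configure(line)
    r.access_group("Ethernet0", 101, "in")
    telnet = Packet("tcp", "10.1.1.5", "172.16.0.1", 23)
    return {
        "blocked_host": r.filter("Ethernet0", "in", telnet),
        "allowed_peer": r.filter("Ethernet0", "in", Packet("tcp", "10.1.1.9", "172.16.0.1", 23)),
        "other_traffic": r.filter("Ethernet0", "in", Packet("udp", "192.168.1.1", "172.16.0.1", 53)),
        "unbound_direction": r.filter("Ethernet0", "out", telnet),
        # the same two tests with the general one first: the specific deny is never reached
        "misordered": evaluate([parse_entry(CONFIG[1]), parse_entry(CONFIG[0])], telnet),
    }
```

`demo()` returns one verdict per guideline: the specific host deny fires only because it sits above the broader permit (`misordered` shows it being shadowed when the order is reversed), UDP traffic survives only because of the trailing `permit ip any any`, and the outbound direction passes everything because no list is bound there. Dropping the last CONFIG line and re-running shows the implicit deny discarding the DNS packet.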
Copyright ©2000 SYBEX, Inc., Alameda, CA
www.sybex.com