How ACLs work
11.1.2 An ACL is made up of statements that define whether packets are accepted or rejected at inbound and outbound interfaces. This page will explain how these statements are edited and added to an ACL. These decisions are made by matching a condition statement in an access list and then performing the accept or reject action defined in the statement.
11.1.2 An ACL is made up of statements that define whether packets are accepted or rejected at inbound and outbound interfaces. This page will explain how these statements are edited and added to an ACL. These decisions are made by matching a condition statement in an access list and then performing the accept or reject action defined in the statement.
The order in which ACL statements are placed is important. The Cisco IOS software tests the packet against each condition statement in order from the top of the list to the bottom. Once a match is found in the list, the accept or reject action is performed and no other ACL statements are checked. If a condition statement that permits all traffic is located at the top of the list, no statements added below that will ever be checked.
If additional condition statements are needed in an access list, the entire ACL must be deleted and recreated with the new condition statements. To make the process of revising an ACL simpler it is a good idea to use a text editor such as Notepad and paste the ACL into the router configuration.
The beginning of the router process is the same, whether ACLs are used or not. As a frame enters an interface, the router checks to see whether the Layer 2 address matches or if it is a broadcast frame. If the frame address is accepted, the frame information is stripped off and the router checks for an ACL on the inbound interface. If an ACL exists, the packet is now tested against the statements in the list. If the packet matches a statement, the packet is either accepted or rejected. If the packet is accepted in the interface, it will then be checked against routing table entries to determine the destination interface and switched to that interface. Next, the router checks whether the destination interface has an ACL. If an ACL exists, the packet is tested against the statements in the list. If the packet matches a statement, it is either accepted or rejected. If there is no ACL or the packet is accepted, the packet is encapsulated in the new Layer 2 protocol and forwarded out the interface to the next device.
As a review, ACL statements operate in sequential, logical order. If a condition match is true, the packet is permitted or denied and the rest of the ACL statements are not checked. If all the ACL statements are unmatched, an implicit deny any statement is placed at the end of the list by default. The invisible deny any statement at the end of the ACL will not allow unmatched packets to be accepted. When first learning how to create ACLs, it is a good idea to add the deny any at the end of ACLs to reinforce the dynamic presence of the implicit deny.
The next page will describe how ACLs are created
No comments:
Post a Comment