An access list is a sequential
collection of permit and deny conditions that applies to IP
addresses. The router tests addresses against the conditions in an
access list one by one. The first match determines whether the
router accepts or rejects the packet. Because the router stops
testing conditions after the first match, the order of the
conditions is critical. If no conditions match, the router rejects
the packet.
Note that in the main figure when no more entries are found in
the access list, the packet is denied, illustrating an important
concept to remember when creating access lists. The last entry in an
access list is what is known as an "implicit deny any."
All traffic not explicitly permitted will be implicitly denied.
For inbound standard access lists, after receiving a packet, the
router checks the source address of the packet against the access
list. If the access list permits the address, the router exits the
access list and continues to process the packet. If the access list
rejects the address, the router discards the packet and returns an
Internet Control Message Protocol (ICMP) "Admin Denied" message.
Note: When configuring access lists, order is important.
Make sure that you list the entries in order from specific to
general. To filter a specific host address and then permit all other
addresses, for example, make sure your entry about the specific host
appears first.
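The first-match evaluation, the implicit deny at the end of the list, and the specific-before-general ordering rule described above, as an added Python simulation of a standard ACL (not part of the original page; the two ACLs and the addresses are constructed for illustration):

```python
import ipaddress
from dataclasses import dataclass

MASK = 0xFFFFFFFF


@dataclass(frozen=True)
class AclEntry:
    action: str    # "permit" or "deny"
    network: int   # IPv4 address as an integer
    wildcard: int  # Cisco wildcard mask: 0 bits must match, 1 bits are "don't care"


def entry(action, address, wildcard="0.0.0.0"):
    """Build one access-list entry; the default wildcard 0.0.0.0 means 'host'."""
    return AclEntry(action, int(ipaddress.IPv4Address(address)),
                    int(ipaddress.IPv4Address(wildcard)))


def matches(e, src):
    # Compare only the bits the wildcard leaves fixed (wildcard bit 0).
    return (src & ~e.wildcard & MASK) == (e.network & ~e.wildcard & MASK)


def evaluate(acl, src_ip):
    """Return (action, 1-based entry number) of the first match,
    or ("deny", None) when no entry matches: the implicit deny any."""
    src = int(ipaddress.IPv4Address(src_ip))
    for n, e in enumerate(acl, start=1):
        if matches(e, src):
            return e.action, n
    return "deny", None


def shadowed(acl):
    """Lint check: (entry, earlier_entry) pairs where the earlier entry covers
    every address the later one could match, so the later entry never fires."""
    out = []
    for j, ej in enumerate(acl, start=1):
        for i, ei in enumerate(acl[: j - 1], start=1):
            fixed_subset = (ej.wildcard & ~ei.wildcard & MASK) == 0
            same_prefix = (ei.network & ~ei.wildcard & MASK) == (ej.network & ~ei.wildcard & MASK)
            if fixed_subset and same_prefix:
                out.append((j, i))
                break
    return out


# Constructed ACL: deny one host, then permit the rest of its /24.
ACL_SPECIFIC_FIRST = [entry("deny", "192.168.1.5"),
                      entry("permit", "192.168.1.0", "0.0.0.255")]
# Same entries in the wrong order: the subnet permit shadows the host deny.
ACL_GENERAL_FIRST = list(reversed(ACL_SPECIFIC_FIRST))
```

Running `shadowed()` over a list before applying it catches the ordering mistake the note warns about, which the router itself will never report.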