Apr 8, 2014

Do you know the Access List Testing Process …!!

Access List Testing Process:

1) Access list statements operate in a sequential, logical order. They evaluate packets from the top down, one statement at a time. Placing the more frequently matched access list statements at the top will reduce CPU overhead for the router.
2) If a packet header and an access list statement match, the rest of the statements are skipped, and the packet is either permitted or denied.
3) If a packet header does not match an access list statement, it is tested against the next statement in the list until the end of the list is reached, at which time the packet is denied by an implicit deny.
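
The first-match and implicit-deny behaviour in steps 1 to 3, modelled in Python as an added example (not part of the original post). The access list entries, addresses and function names are constructed for illustration; the example also goes slightly beyond the text by flagging statements that an earlier statement makes unreachable, which is the usual ordering mistake.

```python
import ipaddress

# Constructed standard-style ACL: (action, source address, wildcard mask).
# Wildcard bits set to 1 mean "don't care", as in Cisco IOS.
ACL = [
    ("deny",   "10.1.1.0", "0.0.0.255"),
    ("permit", "10.1.0.0", "0.0.255.255"),
    ("deny",   "10.1.2.7", "0.0.0.0"),    # never reached: statement 2 matches first
]

def _int(addr):
    return int(ipaddress.IPv4Address(addr))

def matches(src, base, wildcard):
    """True if src equals base on every bit the wildcard mask cares about."""
    care = ~_int(wildcard) & 0xFFFFFFFF
    return (_int(src) & care) == (_int(base) & care)

def evaluate(acl, src):
    """Return (action, statement number); statement 0 is the implicit deny."""
    for n, (action, base, wildcard) in enumerate(acl, start=1):
        if matches(src, base, wildcard):
            return action, n          # first match wins, the rest are skipped
    return "deny", 0                  # end of list reached: implicit deny

def shadowed(acl):
    """Return (later, earlier) pairs where one earlier statement covers every
    address the later one can match, so the later one never fires.
    Only single-statement coverage is checked, not unions of statements."""
    pairs = []
    for j, (_, base_j, wc_j) in enumerate(acl):
        for i in range(j):
            _, base_i, wc_i = acl[i]
            # Earlier covers later if it ignores at least the same bits
            # and both agree on the bits the earlier statement checks.
            extra_bits = _int(wc_j) & ~_int(wc_i) & 0xFFFFFFFF
            if extra_bits == 0 and matches(base_j, base_i, wc_i):
                pairs.append((j + 1, i + 1))
                break
    return pairs

if __name__ == "__main__":
    for src in ("10.1.1.5", "10.1.2.7", "192.168.0.1"):
        print(src, evaluate(ACL, src))
    print("shadowed statements:", shadowed(ACL))
```
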

Access List rules/notes:

Access lists do not act on packets originating from the router itself (for example, Telnet to another router).
When an IP packet is discarded, ICMP returns a special packet to notify the sender that the destination is unreachable.
There can be only one access list per protocol, per direction, per port or interface.
An IP access list should be created with the ACCESS-LIST command before being applied to an interface. After the list is created, it may be applied with the IP ACCESS-GROUP command.
Announced in Cisco IOS 11.2, the named IP access list feature allows IP standard and extended access lists to be identified with an alphanumeric string instead of the current numeric (1 to 199) representations.

An example to remove an access list from an interface:

1. INTERFACE S0
2. NO IP ACCESS-GROUP 105
