Posted in Networking

Designing Access Lists

After you have created an access list, you must apply it to an interface. In many cases, this means you will need to decide which router, with port, and which direction to apply the access list to. Keep in mind the following:

  • Each interface can only have one inbound and one outbound access list for each protocol. This means that an interface can have either a standard inbound or an extended inbound IP access list, but not both.
  • You can have two access lists for the same direction applied to an interface if the lists restrict different networking protocols. For example, you can have one outbound IP access list and one outbound IPX access list.
  • When constructing access lists, place the most restrictive statements at the top. Traffic is matched to access list statements in the order they appear in the list. If traffic matches a statement high in the list, subsequent statements will not be applied to the traffic.
  • Each access list has an implicit deny any statement at the end of the access list. Your access list must contain at least one allow statement, or no traffic will be allowed.
  • Access lists applied to inbound traffic filter packets before the routing decision is made. Access lists applied to outbound traffic filter packets after the routing decision is made.
  • As a general rule, apply extended access lists as close to the source router as possible. This keeps the packets from being sent throughout the rest of the network.
  • As a general rule, apply standard access lists as close to the destination router as possible. This is because standard access lists can only filter on source address. Placing the list too close to the source will prevent any traffic from the source from getting to any other parts of the network.
  • When making placement decisions, carefully read all access lists statements and requirements. Identify blocked and allowed traffic, as well as the direction that traffic will be traveling. Place the access list on the interface where a single list will block (or allow) all necessary traffic.

 

Author:

Teman yang baik, teman yang memaksa anda untuk terus berkembang...

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s