ADC Telecommunications, Inc.
CHAPTER 15: IP PACKET FILTERING
Understanding Access Lists
Access lists are sequential groupings of permit and deny rules. These rules
let you permit or deny packets crossing specified interfaces. An access list
consists of match criteria and the actions to take when a packet matches
those criteria.
Match criteria can include:
■ Source IP address
■ Destination IP address
■ Source TCP/UDP port
■ Destination TCP/UDP port
■ TCP Sync Flag
■ TCP Establish State
■ IP Type of Service (TOS)
Actions that can be taken against matching packets include:
■ Permit
■ Deny
■ Change IP TOS
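The following is an added example, not code from the ADC manual or the device itself: a small Python model of how a sequential access list evaluates a packet against the match criteria and actions listed above. Everything the page does not state is an assumption and is marked as such in the code: rules are checked top-down and the first matching permit or deny is final, a packet that matches nothing is denied, "established" is taken to mean a TCP segment with ACK set and SYN clear, and a change-TOS rule rewrites the TOS byte and lets evaluation continue. The addresses, list numbers and packets are constructed sample data.

```python
"""Model of sequential access-list evaluation (added example, not ADC's code).

Assumptions that the manual page does not state:
  - rules are evaluated top-down; the first matching permit/deny ends evaluation;
  - a packet matching no permit/deny rule is denied (implicit deny);
  - "established" means a TCP segment with ACK set and SYN clear;
  - a change-TOS rule rewrites the TOS byte and evaluation continues.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str           # "tcp", "udp" or "icmp"
    sport: int = 0       # TCP/UDP source port (0 for other protocols)
    dport: int = 0       # TCP/UDP destination port
    syn: bool = False    # TCP SYN flag
    ack: bool = False    # TCP ACK flag
    tos: int = 0         # IP Type of Service byte


def is_established(pkt: Packet) -> bool:
    """Assumed definition: a TCP segment that is not the opening SYN."""
    return pkt.proto == "tcp" and pkt.ack and not pkt.syn


@dataclass
class Rule:
    action: str                         # "permit", "deny" or "set-tos"
    src: Optional[str] = None           # CIDR prefix; None matches any address
    dst: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    syn: Optional[bool] = None          # require the SYN flag set (True) or clear (False)
    established: Optional[bool] = None  # require (True) or forbid (False) an established segment
    tos: Optional[int] = None           # match on the current TOS value
    new_tos: Optional[int] = None       # TOS value written by a "set-tos" rule

    def matches(self, pkt: Packet) -> bool:
        """Every criterion set on the rule must hold; unset criteria match anything."""
        return all([
            self.src is None or ip_address(pkt.src) in ip_network(self.src),
            self.dst is None or ip_address(pkt.dst) in ip_network(self.dst),
            self.proto is None or pkt.proto == self.proto,
            self.sport is None or pkt.sport == self.sport,
            self.dport is None or pkt.dport == self.dport,
            self.syn is None or (pkt.proto == "tcp" and pkt.syn == self.syn),
            self.established is None or is_established(pkt) == self.established,
            self.tos is None or pkt.tos == self.tos,
        ])


@dataclass
class AccessList:
    number: int          # list number identifying the access list system-wide
    rules: List[Rule]


def evaluate(acl: AccessList, pkt: Packet) -> Tuple[str, int]:
    """Walk the rules in order and return (verdict, resulting TOS byte)."""
    current = replace(pkt)  # work on a copy so a TOS rewrite does not leak to the caller
    for rule in acl.rules:
        if not rule.matches(current):
            continue
        if rule.action == "set-tos":
            current.tos = rule.new_tos
            continue                       # assumption: keep evaluating after a TOS change
        return rule.action, current.tos    # first matching permit/deny is final
    return "deny", current.tos             # assumption: implicit deny at end of list


# Constructed sample list; order matters because evaluation is sequential.
ACL_100 = AccessList(100, [
    Rule("deny", src="198.51.100.0/24"),                           # drop a whole source range first
    Rule("permit", proto="tcp", dst="192.0.2.10/32", dport=443),  # new HTTPS sessions to one host
    Rule("permit", proto="tcp", established=True),                # replies to sessions opened inside
    Rule("set-tos", proto="udp", dport=53, new_tos=0x10),          # mark DNS, then keep evaluating
    Rule("permit", proto="udp", dport=53),
])

# Same rules with the first two swapped: the deny no longer shadows the permit.
ACL_101 = AccessList(101, [ACL_100.rules[1], ACL_100.rules[0]] + ACL_100.rules[2:])

# Constructed sample packets.
BLOCKED_SYN = Packet("198.51.100.7", "192.0.2.10", "tcp", 40000, 443, syn=True)
ALLOWED_SYN = Packet("203.0.113.5", "192.0.2.10", "tcp", 40000, 443, syn=True)
SSH_SYN = Packet("203.0.113.5", "192.0.2.20", "tcp", 40000, 22, syn=True)
REPLY_ACK = Packet("203.0.113.5", "192.0.2.20", "tcp", 80, 50000, ack=True)
DNS_QUERY = Packet("203.0.113.5", "192.0.2.53", "udp", 5000, 53)

if __name__ == "__main__":
    for name in ("BLOCKED_SYN", "ALLOWED_SYN", "SSH_SYN", "REPLY_ACK", "DNS_QUERY"):
        print(f"ACL 100 {name}: {evaluate(ACL_100, globals()[name])}")
    print(f"ACL 101 BLOCKED_SYN: {evaluate(ACL_101, BLOCKED_SYN)}")
```

The swapped list (ACL_101) shows why the rule order is part of the list's meaning: with the deny rule moved below the permit, a SYN from the blocked range to the HTTPS host is permitted, which is the kind of shadowing error worth checking for whenever a list is deleted and recreated.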
Access lists are pooled and indexed on a system-wide basis, so you can
create access lists in either root mode or interface configuration mode.
An interface uses an access list only after you enable IP filtering on
that interface and apply the predefined access list to it with the
access-class command. Each access list is identified by a list number
that you define when creating the list.
You cannot modify an existing access list, which means that if you want to
change an access list, you must delete it and then recreate it with the same
name.