ECE495 Chapter Notes - Chapter 1: Cisco IOS, Integrated Services Digital Network, Access Control
School: University of Alberta
Department: Electrical and Computer Engineering
PIX/ASA Access Control Lists v1.11 – Aaron Balchunas
* * *
All original material copyright © 2008 by
Aaron Balchunas (email@example.com),
unless otherwise noted. All other material copyright © of their respective owners.
This material may be copied and used freely, but may not be altered or sold without the expressed written
consent of the owner of the above copyright. Updated material may be found at http://www.routeralley.com.
- PIX/ASA Access Control Lists -
Basics of Access Control Lists (ACLs)
Access control lists (ACLs) can be used for two purposes on Cisco devices:
• To filter traffic
• To identify traffic
Access lists are a set of rules, organized in a rule table. Each rule or line in
an access-list provides a condition, either permit or deny:
• When using an access-list to filter traffic, a permit statement is used to
“allow” traffic, while a deny statement is used to “block” traffic.
• Similarly, when using an access list to identify traffic, a permit
statement is used to “include” traffic, while a deny statement states
that the traffic should “not” be included. It is thus interpreted as a
Filtering traffic is the primary use of access lists. However, there are several
instances when it is necessary to identify traffic using ACLs, including:
• Identifying interesting traffic to bring up an ISDN link or VPN tunnel
• Identifying routes to filter or allow in routing updates
• Identifying traffic for QoS purposes
When filtering traffic, access lists are applied on interfaces. As a packet
passes through a device, the top line of the rule list is checked first, and the
device continues to go down the list until a match is made. Once a match is
made, the packet is either permitted or denied.
There is an implicit ‘deny all’ at the end of all access lists. You don’t create
it, and you can’t delete it. Thus, access lists that contain only deny
statements will prevent all traffic.
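The two uses of an ACL (filtering and identifying traffic), the top-down first-match evaluation and the implicit "deny all" described above, as an added example that is not part of the original notes: a small Python simulator that parses a handful of constructed ASA-style extended access-list lines and evaluates sample packets against them. The ACL names, addresses, ports and packets are constructed for illustration; the parser only covers the permit/deny, protocol, any/host/subnet-mask and "eq port" forms used here, and it models ASA behaviour (subnet masks, not IOS wildcard masks).

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed simulator of the ACL semantics in the notes: rules are checked
# from the top, the first matching line decides, and a packet that matches
# nothing hits the implicit "deny all". Not Cisco code.


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    protocol: str                    # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int] = None   # None = any destination port


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    dst: str
    dst_port: Optional[int] = None


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume an ASA address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D M.M.M.M'."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ASA writes a subnet mask here (IOS ACLs would use a wildcard mask instead)
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_rule(line: str) -> Tuple[str, Rule]:
    """Parse one line such as
    'access-list OUTSIDE_IN extended permit tcp any host 10.1.1.5 eq 80'."""
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
        raise ValueError(f"unsupported line: {line}")
    name, action, proto = t[1], t[3], t[4]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in: {line}")
    src, i = _parse_addr(t, 5)
    dst, i = _parse_addr(t, i)
    port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return name, Rule(action, proto, src, dst, port)


def build_acl(config: str) -> Dict[str, List[Rule]]:
    """Group rules by ACL name, preserving configuration order."""
    acls: Dict[str, List[Rule]] = {}
    for raw in config.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        name, rule = parse_rule(line)
        acls.setdefault(name, []).append(rule)
    return acls


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.protocol != "ip" and rule.protocol != pkt.protocol:
        return False
    if ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    return rule.dst_port is None or rule.dst_port == pkt.dst_port


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Top-down, first match wins. Returns (action, index of the matching
    line); index None means the packet fell through to the implicit deny."""
    for i, rule in enumerate(acl):
        if rule_matches(rule, pkt):
            return rule.action, i
    return "deny", None


def included(acl: List[Rule], pkt: Packet) -> bool:
    """Identification use (interesting traffic, QoS classes): the same
    first-match result, read as include/exclude instead of allow/block."""
    return evaluate(acl, pkt)[0] == "permit"


# Constructed configuration: a specific deny placed above broader permits,
# and a list that contains only deny statements.
CONFIG = """
access-list OUTSIDE_IN extended deny ip host 198.51.100.7 any
access-list OUTSIDE_IN extended permit tcp any host 10.1.1.5 eq 80
access-list OUTSIDE_IN extended permit tcp any host 10.1.1.5 eq 443
access-list ONLY_DENY extended deny tcp any any eq 23
"""

if __name__ == "__main__":
    acls = build_acl(CONFIG)
    for pkt in (Packet("tcp", "203.0.113.9", "10.1.1.5", 80),
                Packet("tcp", "198.51.100.7", "10.1.1.5", 80),
                Packet("tcp", "203.0.113.9", "10.1.1.5", 22)):
        print(pkt, "->", evaluate(acls["OUTSIDE_IN"], pkt))
    print("ONLY_DENY, port 80 ->", evaluate(acls["ONLY_DENY"], Packet("tcp", "203.0.113.9", "10.1.1.5", 80)))
```

Running it shows the three behaviours from the notes: the web packet from 203.0.113.9 is permitted by line 1, the same packet from 198.51.100.7 is stopped by the deny on line 0 before the permit is ever consulted, an SSH packet matches nothing and is dropped by the implicit deny, and the ONLY_DENY list drops every packet whether or not it matches the single deny line.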