Access lists express the set of rules that give added control over
packets that enter inbound interfaces, packets that are relayed through
the router, and packets that exit outbound interfaces of the router.
Access lists do not act on packets that originate in the router itself:
an outbound list on an interface does not filter traffic the router
generates on its own behalf, only transit traffic.
The beginning of the process is the same whether or not access lists
are used: as a packet enters an interface, the router checks whether it
is routable (or bridgeable). If it is neither, the packet is dropped. A
routing table entry indicates a destination network, some routing
metric or state, and the interface to use to reach it.
Next the router checks whether the outbound (destination) interface has
an access list applied. If it does not, the packet goes straight to
that interface's output buffer; for example, if the route points to
To0, which has no access list in effect, the packet is sent out To0
directly.
Interface E0, by contrast, has an extended access list applied. The
administrator wrote its statements as precise match conditions
(protocol, source, destination, and where applicable port). Before a
packet can proceed to that interface, it is tested against the
statements of the list associated with the interface, from the top
down, and the first statement that matches decides its fate.
If the extended access list permits the packet, it continues on its
way. For an inbound list, this means the router goes on processing the
packet it has just received on that interface; for an outbound list, it
means the packet is sent to the output buffer for E0. If the list
denies the packet, the packet is discarded. Note that a packet matched
by no statement at all is also denied, because every access list ends
with an implicit deny of everything not explicitly permitted. In this
way the access list on E0 gives the router firewall-style control over
who may use that interface. When a packet is discarded, some protocols
return a special packet to the sender notifying it that the destination
is unreachable; for IP this is an ICMP destination unreachable message
with the administratively prohibited code.
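The following is an added example, not Cisco code or configuration: a small Python model of the packet path described above (inbound list check, routing lookup, outbound list check on the exit interface, router-originated traffic bypassing both, and the implicit deny at the end of a list). The interface names Ethernet0, TokenRing0 and Serial0, the addresses, the routes and the access list statements are all assumptions chosen for illustration, and the verdict strings stand in for the ICMP unreachable message a real router would send.

```python
# Added example (not Cisco code): toy model of inbound ACL -> route -> outbound ACL.
# Interfaces, addresses, routes and rules below are assumptions for illustration.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

N = ipaddress.ip_network


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    from_router: bool = False   # traffic the router itself generated


@dataclass
class AclEntry:
    """One extended access list statement: action, protocol, source, destination, port."""
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # destination port; only meaningful for tcp/udp

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in self.src:
            return False
        if ipaddress.ip_address(pkt.dst) not in self.dst:
            return False
        return self.dport is None or pkt.dport == self.dport


def evaluate_acl(entries: List[AclEntry], pkt: Packet) -> str:
    """Top-down, first match wins; no match falls through to the implicit deny."""
    for entry in entries:
        if entry.matches(pkt):
            return entry.action
    return "deny"


@dataclass
class Interface:
    name: str
    acl_in: Optional[List[AclEntry]] = None
    acl_out: Optional[List[AclEntry]] = None


def route_lookup(routes, pkt: Packet) -> Optional[Interface]:
    """Longest-prefix match on the destination; None means not routable."""
    dst = ipaddress.ip_address(pkt.dst)
    best = None
    for prefix, iface in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None


def forward(pkt: Packet, in_iface: Interface, routes) -> Tuple[str, Optional[str]]:
    """Walk the steps in the text; returns (verdict, interface that decided it).
    A denied IP packet would normally be answered with an ICMP destination
    unreachable (administratively prohibited); the verdict string stands in for it."""
    filtered = not pkt.from_router        # router-originated traffic skips both lists
    if filtered and in_iface.acl_in is not None:
        if evaluate_acl(in_iface.acl_in, pkt) == "deny":
            return ("denied-inbound", in_iface.name)
    out_iface = route_lookup(routes, pkt)
    if out_iface is None:
        return ("unroutable", None)       # neither routable nor bridgeable: dropped
    if filtered and out_iface.acl_out is not None:
        if evaluate_acl(out_iface.acl_out, pkt) == "deny":
            return ("denied-outbound", out_iface.name)
    return ("forwarded", out_iface.name)  # handed to the exit interface's output buffer


# Assumed topology: E0 fronts 192.168.10.0/24 with an outbound extended list,
# To0 fronts 10.1.0.0/16 with no list, S0 is the WAN link with an inbound anti-spoofing list.
E0 = Interface("Ethernet0", acl_out=[
    AclEntry("permit", "tcp", N("0.0.0.0/0"), N("192.168.10.5/32"), dport=80),
    AclEntry("deny",   "tcp", N("0.0.0.0/0"), N("192.168.10.0/24"), dport=23),
    AclEntry("permit", "ip",  N("10.1.0.0/16"), N("192.168.10.0/24")),
])  # anything else is caught by the implicit deny
TO0 = Interface("TokenRing0")
S0 = Interface("Serial0", acl_in=[
    AclEntry("deny",   "ip", N("192.168.10.0/24"), N("0.0.0.0/0")),  # inside source seen on WAN
    AclEntry("permit", "ip", N("0.0.0.0/0"),       N("0.0.0.0/0")),
])
ROUTES = [(N("192.168.10.0/24"), E0), (N("10.1.0.0/16"), TO0)]


def run_demo():
    """Constructed packets exercising each branch of the pipeline."""
    cases = [
        ("web to server",   Packet("203.0.113.7", "192.168.10.5", "tcp", 80), S0),
        ("telnet into LAN", Packet("203.0.113.7", "192.168.10.5", "tcp", 23), S0),
        ("dns from To0",    Packet("10.1.2.3", "192.168.10.20", "udp", 53), TO0),
        ("dns from WAN",    Packet("203.0.113.7", "192.168.10.20", "udp", 53), S0),
        ("spoofed source",  Packet("192.168.10.9", "10.1.1.1", "tcp", 22), S0),
        ("ping via To0",    Packet("203.0.113.7", "10.1.1.1", "icmp"), S0),
        ("router ntp",      Packet("192.168.10.1", "192.168.10.20", "udp", 123, from_router=True), E0),
        ("unknown dest",    Packet("203.0.113.7", "198.51.100.1", "tcp", 443), S0),
    ]
    return {label: forward(pkt, iface, ROUTES) for label, pkt, iface in cases}


if __name__ == "__main__":
    for label, verdict in run_demo().items():
        print(f"{label:16} -> {verdict}")
```

The "dns from WAN" case is the one worth studying: no statement on E0's list mentions UDP traffic from the WAN, so the packet is denied by the implicit deny even though nothing explicitly forbids it. The "router ntp" case shows the same outbound list being skipped for traffic the router itself originates.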