An access list can act as a firewall. A firewall filters packets and eliminates unwanted traffic at a destination. Where the administrator places an access list statement can reduce unnecessary traffic: traffic that will be denied at a remote destination should not consume network resources along the route to that destination.

Suppose an enterprise's policy aims at denying Token Ring traffic on router A to the switched Ethernet LAN on router D's E1 port, while all other traffic must be permitted. Several approaches can accomplish this policy.

The recommended approach uses an extended access list, which specifies both source and destination addresses. Place this extended access list in router A. Then the denied packets do not cross router A's Ethernet, do not cross the serial interfaces of routers B and C, and do not enter router D. Traffic with different source and destination addresses can still be permitted.

The rule with extended access lists is to put the extended access list as close as possible to the source of the traffic being denied.

Standard access lists do not specify destination addresses, so the administrator would have to put the standard access list as near the destination as possible. For example, place an access list on E0 of router D to prevent traffic from router A.
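The two placements described above, written out as Cisco IOS configuration. This is an added example, not configuration from the original text; the address blocks (10.1.0.0/16 for router A's Token Ring segment, 10.4.0.0/16 for the LAN behind router D), the interface names TokenRing0 and Ethernet1, and the list numbers are assumptions chosen for illustration.

```cisco
! ===== Recommended: extended ACL on router A, inbound on the source interface =====
! Matches on both source and destination, so only Token Ring -> router D LAN
! traffic is dropped, and it is dropped before it ever leaves router A.
! (Addresses and interface names are constructed placeholders.)
access-list 101 deny   ip 10.1.0.0 0.0.255.255 10.4.0.0 0.0.255.255
access-list 101 permit ip any any
!
interface TokenRing0
 ip access-group 101 in
!
! ===== Alternative: standard ACL on router D, outbound toward the destination LAN =====
! A standard list matches only on source address. If it were applied near
! router A it would also block Token Ring traffic to every other destination,
! so it must sit on the last hop, facing the protected LAN.
access-list 1 deny   10.1.0.0 0.0.255.255
access-list 1 permit any
!
interface Ethernet1
 ip access-group 1 out
```

With the extended list on router A the denied packets never occupy the serial links through routers B and C; with the standard list on router D they traverse the whole path before being discarded.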