Access list statements operate in sequential, logical order: they evaluate packets from the top down. If a packet header matches an access list statement, the packet skips the rest of the statements, and that matching statement's condition determines whether the packet is permitted or denied. There can be only one access list per protocol, per interface, per direction.
In the figure, for instance, a packet that matches the first test is denied access to the destination interfaces. It is discarded and dropped into the bit bucket; the packet is not exposed to any access list tests that follow.
Only if the packet does not match the conditions of the first test will it drop to the next access list statement. Assume a different packet's parameters match the next test, a permit statement; the permitted packet proceeds to the destination interface. If another packet does not match the conditions of the first or second test, but does match the conditions of the next access list statement, a permit results.
NOTE: For logical completeness, an access list must have conditions that test true for all packets using the access list. A final implied statement covers all packets for which no condition tested true. This final test condition matches all other packets and results in a deny. Instead of proceeding in or out an interface, all these remaining packets are dropped.