Applying Access Control to Router Interfaces
Using ACLs Alone to Configure Access Control
In Figure 5-4, for example, the device with the IP address 168.44.1.10 is trying
to send a packet to a device on the LAN attached to Router A. The network
administrator has configured a standard ACL called WAN and assigned this
ACL to incoming traffic on the PPP 1 interface.
ip access-list standard WAN
deny host 192.168.115.91
deny host 192.168.44.53
permit 192.168.115.0 0.0.0.255
permit 192.168.44.0 0.0.0.255
[Figure 5-4 labels: Router A; Core Switch; "no match" beside the ACL entries; "Implicit": packet is denied]
Figure 5-4. Processing Entries in an ACL
When the device with the IP address 172.16.1.10 sends a packet to the LAN
that is connected to Router A, Router A begins to check the entries in the WAN
ACL to determine if the packet is allowed.
Router A checks the first entry, but the packet from 172.16.1.10 does not match
this entry. Router A then checks the second entry, but again the packet from
172.16.1.10 does not match the entry. Next, Router A checks entry three,
and the packet does not match that entry. Nor does the packet match the fourth
entry.
However, the packet does match the implicit "deny any" at the end of the ACL.
As a result, the packet is denied.
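The entry-by-entry check described above can be reproduced offline. The following is an added example, not part of the original manual or the router's software: it parses the WAN ACL as printed on this page and reports which entry, if any, decides a given source address. The function names are hypothetical, and the probe addresses other than 172.16.1.10 are constructed.

```python
import ipaddress

# ACL text copied from this page.
WAN_ACL = """\
ip access-list standard WAN
deny host 192.168.115.91
deny host 192.168.44.53
permit 192.168.115.0 0.0.0.255
permit 192.168.44.0 0.0.0.255
"""

def parse_standard_acl(text):
    """Return (name, entries); each entry is (action, base, wildcard) as ints."""
    lines = [ln.split() for ln in text.splitlines() if ln.strip()]
    header, body = lines[0], lines[1:]
    if header[:3] != ["ip", "access-list", "standard"] or len(header) != 4:
        raise ValueError("expected 'ip access-list standard <name>'")
    entries = []
    for tok in body:
        action = tok[0]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action: {action}")
        if tok[1:] == ["any"]:
            base, wild = 0, 0xFFFFFFFF
        elif len(tok) == 3 and tok[1] == "host":
            base, wild = int(ipaddress.IPv4Address(tok[2])), 0
        elif len(tok) == 3:
            base = int(ipaddress.IPv4Address(tok[1]))
            wild = int(ipaddress.IPv4Address(tok[2]))
        else:
            raise ValueError(f"cannot parse entry: {' '.join(tok)}")
        entries.append((action, base, wild))
    return header[3], entries

def evaluate(entries, source):
    """First match wins. Returns (action, entry_number); entry_number is None
    when only the implicit 'deny any' at the end of the list applies."""
    src = int(ipaddress.IPv4Address(source))
    for number, (action, base, wild) in enumerate(entries, start=1):
        care = ~wild & 0xFFFFFFFF  # wildcard bit 1 = ignore, 0 = must match
        if (src & care) == (base & care):
            return action, number
    return "deny", None

if __name__ == "__main__":
    _, acl = parse_standard_acl(WAN_ACL)
    # 172.16.1.10 is the page's sender; the last two addresses are constructed.
    for ip in ("172.16.1.10", "192.168.115.91", "192.168.115.20", "192.168.44.7"):
        print(ip, evaluate(acl, ip))
```

Because the two host denies sit above the subnet permits, 192.168.115.91 is rejected at entry 1 even though entry 3 would otherwise permit it; reordering the entries would change that result.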
[Figure 5-4 labels, continued: PPP 1; Router B; sending device 172.16.1.10. Configuration shown in the figure, with entry numbers 1 to 4:]
interface ppp 1
ip access-group WAN in
ip access-list standard WAN
1  deny host 192.168.115.91
2  deny host 192.168.44.53
3  permit 192.168.115.0 0.0.0.255
4  permit 192.168.44.0 0.0.0.255
   deny any (at end of list)