Chapter 9 began with an overview of the purpose of Cisco IOS access lists and their role in filtering network traffic. This included a look at the order in which access lists are evaluated, the different types of access lists that exist (standard and extended), as well as the different ways in which access lists are applied to router interfaces (inbound and outbound). The implicit “deny all” statement at the end of every access list was also discussed.
A look at standard IP access lists outlined their ability to filter traffic based on the source IP address of a packet. The access-list command was introduced for the purpose of adding entries to an access list, as was the access-group command, which is used to apply standard and extended access lists to an interface. A look at wildcard masking explained how groups of computers could be specified within an access list. An overview of extended IP access lists provided perspective on the more granular level of filtering control that these access lists provide – by source and destination IP address, as well as by protocol and port number. The ability to monitor IP access lists was examined by looking at the command used to view access lists defined on the router, as well as those applied to interfaces.
IPX standard and extended access lists were looked at next. Standard IPX access lists can filter traffic by source or destination address. Extended IPX lists provide a finer level of control, allowing traffic to be filtered by protocol and socket number if necessary. An overview of IPX SAP access lists showed how SAP traffic could be filtered on a router according to a source address, service type code, and even a server name. The difference between the input-sap-filter and output-sap-filter commands used to apply SAP access lists to interfaces was also discussed.