ACL statements operate in sequential, logical order. They evaluate packets from the top down, one
statement at a time. If a packet header and an ACL statement match, the rest of the statements in
the list are skipped, and the packet is permitted or denied as determined by the matched statement.
If a packet header does not match an ACL statement, the packet is tested against the next statement
in the list. This matching process continues until the end of the list is reached. Figure 6-5 shows
the logical flow of statement evaluation.
Figure 6-5 ACL Evaluation
[Flowchart: packets to the interface or interfaces in the access group are tested against each statement in turn ("Match Last Test?"). A match leads to Permit (to the destination interface or interfaces) or Deny (to the packet discard bucket). If no match, deny all (implicit deny).]
A final implied statement covers all packets for which conditions did not test true. This final test
condition matches all other packets and results in a "deny" instruction. Instead of proceeding into
or out of an interface, the router drops all of these remaining packets.
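
The top-down, first-match evaluation and the final implied deny described above, as an added example that is not from the book. The two sample ACLs, the addresses, and the function names evaluate and shadowed are constructed for illustration; statements match on source network only.

```python
import ipaddress

# Constructed sample ACLs (assumed values): each statement is (action, source network).
ACL_BROAD_FIRST = [
    ("permit", "10.1.0.0/16"),
    ("deny",   "10.1.5.0/24"),      # never reached: the /16 above matches first
    ("permit", "192.168.10.0/24"),
]
ACL_SPECIFIC_FIRST = [
    ("deny",   "10.1.5.0/24"),
    ("permit", "10.1.0.0/16"),
    ("permit", "192.168.10.0/24"),
]

def evaluate(acl, src):
    """Return (action, statement_number); the number is None for the implied deny."""
    addr = ipaddress.ip_address(src)
    for number, (action, network) in enumerate(acl, start=1):
        if addr in ipaddress.ip_network(network):
            return action, number   # first match wins; remaining statements are skipped
    return "deny", None             # end of list reached: implied deny-all

def shadowed(acl):
    """Statement numbers fully covered by a single earlier statement (they can never match)."""
    nets = [ipaddress.ip_network(n) for _, n in acl]
    return [i + 1 for i, net in enumerate(nets)
            if any(net.subnet_of(earlier) for earlier in nets[:i])]

if __name__ == "__main__":
    for name, acl in (("broad first", ACL_BROAD_FIRST),
                      ("specific first", ACL_SPECIFIC_FIRST)):
        for src in ("10.1.5.20", "10.1.9.9", "172.16.0.1"):
            print(name, src, evaluate(acl, src))
        print(name, "shadowed statements:", shadowed(acl))
```

The same three statements give different results for 10.1.5.20 depending on order, and 172.16.0.1 is dropped by the implied deny in both lists.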