31 Days Before Your CCNA Exam

280 31 Days Before Your CCNA ExamFigure 7-1ACL Interface Processing for Inbound and Outbound TrafficINBOUND TRAFFICOUTBOUND TRAFFICIncomingPacketDo routetable lookupPacketRoutable?NoDiscardICMP MessageACL oninterface?NoPERMITACL oninterface?NoPERMITYesYesMatchCondition?YesApplyConditionMatchCondition?YesApplyConditionCheck NextEntryNoCheck NextEntryNoYesMoreConditions?NoDENYICMP MessageYesMoreConditions?NoDENYICMP MessageFor inbound traffic, the router checks for an inbound ACL applied to the interface before doing aroute table lookup. Then, for outbound traffic, the router makes sure that a route exists to the destinationbefore checking for ACLs. Finally, if an ACL statement results in a dropped packet, therouter sends an ICMP destination unreachable message.Types of ACLsACLs can be configured to filter any type of protocol traffic including other network layerprotocols such as AppleTalk and IPX. For the CCNA exam, we focus on IPv4 ACLs, which comein the following types:■■Standard ACLs: Filters traffic based on source address onlyExtended ACLs: Can filter traffic based on source and destination address, specific protocols,as well as source and destination TCP and UDP portsYou can use two methods to identify both standard and extended ACLs:■■Numbered ACLs use a number for identification.Named ACLs use a descriptive name or number for identification.Although named ACLs must be used with some types of IOS configurations that are beyond thescope of the CCNA exam topics, they do provide two basic benefits:■By using a descriptive name (such as BLOCK-HTTP), a network administrator can morequickly determine the purpose of an ACL. This is particularly helpful in larger networkswhere a router can have many ACLs with hundreds of statements.