Access List Overview
An access list is a sequential list of statements against which a route is compared. Each entry in the list specifies a network prefix (an IP address and netmask) and the action applied to routes that fall within that prefix: permit or deny.
For example, an entry in an access list can permit routes for the 18.104.22.0/24 subnetwork, while another entry in the same access list can deny routes for the 22.214.171.0/24 subnetwork. If a route matches an entry in the access list, the action specified by that entry is applied. With those two entries in an access list, a route to the host at 18.104.22.168 is permitted, while a route to the host at 22.214.171.124 is denied.
You can also use access lists to control the flow of multicast control traffic. You can create an access list that restricts the multicast groups hosts can join, or the sources from which multicast traffic is accepted, and then reference that access list in a multicast rule.
The sequence of entries in an access list is important. A route is compared first to the entry with the lowest sequence number and then to the remaining entries in ascending sequence-number order until a match is found. Once an entry matches, all subsequent entries are ignored, so a more specific entry placed after a less specific entry that covers it is never reached. Therefore, sequence the more specific entries before the less specific entries. For example, place the entry that denies routes for the 220.127.116.8/30 subnetwork before the entry that permits routes for the 220.127.116.0/24 subnetwork; in the reverse order, the /24 permit would match first and the /30 deny would never take effect. On devices running ScreenOS 6.3, access lists also accept IPv6 prefixes.
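The first-match behaviour described above, as an added example written for this page (it is not ScreenOS or NSM code). It models an access list as a list of (sequence number, action, prefix) entries, evaluates a route against them in ascending sequence order, and flags entries that can never match because a lower-numbered entry already covers their whole prefix. Two assumptions are made: a route matches an entry when the route's prefix lies inside the entry's prefix, and a route that matches no entry is denied (confirm the platform's actual no-match behaviour in the ScreenOS documentation). The prefixes are constructed for the example.

```python
"""First-match evaluation of a virtual-router access list (added example)."""
from ipaddress import ip_network


class AccessList:
    def __init__(self, default="deny"):
        # Assumption: no matching entry means the route is denied.
        self.default = default
        self.entries = []          # list of (seq, action, network)

    def add(self, seq, action, prefix):
        if action not in ("permit", "deny"):
            raise ValueError("action must be 'permit' or 'deny'")
        if any(seq == e[0] for e in self.entries):
            raise ValueError(f"sequence number {seq} already in use")
        # strict=True rejects prefixes with host bits set (e.g. 10.1.2.3/24),
        # which is the most common way an entry ends up not matching anything.
        net = ip_network(prefix, strict=True)
        self.entries.append((seq, action, net))
        self.entries.sort(key=lambda e: e[0])   # evaluation order = sequence order

    def evaluate(self, route_prefix):
        """Return (action, seq) of the first matching entry; seq is None
        when no entry matches and the default applies."""
        route = ip_network(route_prefix)
        for seq, action, net in self.entries:
            # Assumption: an entry matches when the route prefix is inside it.
            if route.version == net.version and route.subnet_of(net):
                return action, seq          # first match wins; rest ignored
        return self.default, None

    def shadowed(self):
        """Sequence numbers of entries that can never match because an
        earlier (lower-numbered) entry already covers their whole prefix."""
        hidden = []
        for i, (seq, _, net) in enumerate(self.entries):
            for _, _, earlier in self.entries[:i]:
                if earlier.version == net.version and net.subnet_of(earlier):
                    hidden.append(seq)
                    break
        return hidden


def correct_order():
    """Specific deny before the general permit (the ordering the page recommends)."""
    acl = AccessList()
    acl.add(10, "deny", "220.127.116.8/30")      # constructed example prefixes
    acl.add(20, "permit", "220.127.116.0/24")
    acl.add(30, "permit", "2001:db8::/32")       # IPv6 entry (ScreenOS 6.3 and later)
    return acl


def wrong_order():
    """Same entries with the general permit first: the /30 deny is unreachable."""
    acl = AccessList()
    acl.add(10, "permit", "220.127.116.0/24")
    acl.add(20, "deny", "220.127.116.8/30")
    return acl


if __name__ == "__main__":
    for name, acl in (("correct", correct_order()), ("wrong", wrong_order())):
        print(name, acl.evaluate("220.127.116.11/32"), "shadowed:", acl.shadowed())
```

With the recommended order, a route to 220.127.116.11 hits the /30 deny at sequence 10; with the permit first, the same route is permitted at sequence 10 and `shadowed()` reports sequence 20 as unreachable. Running such a shadow check before pushing an access list is a cheap way to catch the ordering mistake the paragraph warns about, and leaving gaps between sequence numbers (10, 20, 30) leaves room to slot a more specific entry in front later without renumbering.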
For instructions for configuring virtual router access lists, see the Network and Security Manager Online Help.