Filtering IP Traffic 465
At first glance, these two access lists seem to perform the desired function. In Yosemite, the packets from Sam are filtered before leaving s0; likewise, in Seville, packets from 10.1.3.0/24 are filtered before leaving s1 toward Yosemite. However, if either link into Albuquerque fails, the new route would open a hole in the filtering. For example, if the link from Albuquerque to Yosemite fails, Yosemite would learn a route to 10.1.1.0/24 through Seville. Packets from Sam destined for hosts in Albuquerque would then leave Yosemite's s1 without being filtered, because the outbound access list is applied only to s0.

An alternative answer to the stated problem is illustrated in Example 7-3. The access list has been removed from Seville, and all filtering is performed on Yosemite.

Example 7-3 denies all traffic that should be denied based on the criteria; however, it denies more traffic than the first of the three criteria says it should! In many cases, the meaning of the criteria for the access lists greatly affects your configuration choices. For example, Example 7-3 solved some of the problems of Example 7-2 by filtering packets from 10.1.2.1 (Sam) and preventing them from exiting both of Yosemite's serial interfaces, keeping Sam from getting to Albuquerque. However, that also prevents Sam from communicating with anyone outside Yosemite. An alternative would be to use the same access-list 3 logic, but use it as an inbound access list on Albuquerque's serial interfaces.

Access-list 4 in Example 7-3, however, does an effective job of meeting the second of the three criteria. Because the goal was to stop Seville hosts from communicating with Yosemite's hosts, and because the only LAN hosts off Yosemite are the ones on the local Ethernet, the access list is effective in stopping packets from exiting Ethernet 0.
Example 7-2 Seville Configuration for Standard Access List Example

interface serial 1
ip access-group 4
!
access-list 4 deny 10.1.3.0 0.0.0.255
access-list 4 permit any

Example 7-3 Yosemite Configuration for Standard Access List Example--Alternate Solution Compared to Example 7-1

interface serial 0
ip access-group 3
!
interface serial 1
ip access-group 3
!
interface ethernet 0
ip access-group 4
!
access-list 3 deny host 10.1.2.1
access-list 3 permit any
!
access-list 4 deny 10.1.3.0 0.0.0.255
access-list 4 permit any
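To make the placement problem concrete, the following added Python model (not from the book) evaluates the standard access lists above against Yosemite's outbound interfaces. It assumes the first-attempt Yosemite configuration the text describes (access-list 3 outbound on s0 only), a routing table in which 10.1.1.0/24 moves from s0 to s1 when the direct link to Albuquerque fails, and constructed host addresses inside the subnets the page names.

```python
import ipaddress

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

def acl_decision(acl, src: str) -> str:
    """Standard ACL: first matching entry wins; IOS ends every ACL with an implicit deny."""
    for action, network, wildcard in acl:
        if wildcard_match(src, network, wildcard):
            return action
    return "deny"

# access-list 3 and 4 from Example 7-3 ("host X" is wildcard 0.0.0.0, "any" is 0.0.0.0 255.255.255.255).
ACL3 = [("deny", "10.1.2.1", "0.0.0.0"), ("permit", "0.0.0.0", "255.255.255.255")]
ACL4 = [("deny", "10.1.3.0", "0.0.0.255"), ("permit", "0.0.0.0", "255.255.255.255")]
ACLS = {3: ACL3, 4: ACL4}

# Yosemite interface -> outbound ACL number. ORIGINAL is the first attempt the text
# describes (filtering Sam only on s0); this is an assumption, not a listed example.
YOSEMITE_ORIGINAL = {"s0": 3}
YOSEMITE_EX73 = {"s0": 3, "s1": 3, "e0": 4}

def yosemite_egress(dst: str, link_to_albuquerque_up: bool) -> str:
    """Assumed routing: 10.1.2.0/24 is the local Ethernet; 10.1.1.0/24 goes out s0 while
    the direct link is up and via Seville on s1 after it fails; everything else goes out s1."""
    d = ipaddress.IPv4Address(dst)
    if d in ipaddress.IPv4Network("10.1.2.0/24"):
        return "e0"
    if d in ipaddress.IPv4Network("10.1.1.0/24") and link_to_albuquerque_up:
        return "s0"
    return "s1"

def forwarded(interfaces, src: str, dst: str, link_up: bool = True) -> bool:
    """True if Yosemite forwards the packet: the outbound ACL on the chosen egress
    interface (if one is applied there) permits the source address."""
    acl_num = interfaces.get(yosemite_egress(dst, link_up))
    return acl_num is None or acl_decision(ACLS[acl_num], src) == "permit"

SAM = "10.1.2.1"  # Sam, from the page; destination hosts below are constructed
if __name__ == "__main__":
    print("original, link up  :", forwarded(YOSEMITE_ORIGINAL, SAM, "10.1.1.10", True))   # False
    print("original, link down:", forwarded(YOSEMITE_ORIGINAL, SAM, "10.1.1.10", False))  # True (the hole)
    print("Example 7-3, down  :", forwarded(YOSEMITE_EX73, SAM, "10.1.1.10", False))      # False
    print("Example 7-3, Sam->Seville:", forwarded(YOSEMITE_EX73, SAM, "10.1.3.10"))       # False (over-denies)
    print("Example 7-3, Seville->LAN:", forwarded(YOSEMITE_EX73, "10.1.3.5", "10.1.2.20"))  # False
```

The second line of output is the hole the text describes: with the original placement, Sam's packets are permitted the moment the route to Albuquerque shifts to s1, while Example 7-3 closes it at the cost of also blocking Sam from Seville.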
ch07.fm Page 465 Monday, March 20, 2000 5:14 PM