468 Chapter 7: Understanding Access List Security
In Table 7-6, the keyword any implies that any value is matched. The keyword host, followed
by an IP address, implies that exactly that IP address is matched. In other words, the any
keyword implies logic like a wildcard mask of 255.255.255.255, and the host keyword implies
logic like a wildcard mask of 0.0.0.0.
The sequence of the parameters is very important, and very tricky in some cases. When
checking port numbers, the parameter on the access-list command that checks the port matches
the source port number when it is placed immediately after the check of the source IP address.
Likewise, if the port parameter follows the check of the destination address, the logic matches
the destination port. For example, the command access-list 101 deny tcp any eq telnet any
matches all packets that use TCP and whose source TCP port is 23 (Telnet). Likewise, the
command access-list 101 deny tcp any any eq telnet matches all packets that use TCP and whose
destination TCP port is 23 (Telnet).
Extended IP Access Lists, Example 1
The following example, based on the network in Figure 7-3 and configured as in Example 7-4,
shows the use of extended IP access lists. The criteria for this first example are the same as
those in the standard access list example:
1. Sam is not allowed access to Bugs or Daffy.
2. Hosts on the Seville Ethernet are not allowed access to hosts on the Yosemite Ethernet.
3. All other combinations are allowed.
Two important side effects occur with the configuration shown in Example 7-4, compared to
the standard access list configuration in Examples 7-1 and 7-2. The issue of having packets
routed around the access list is already taken care of because the access lists are enabled for
output packets on both serial interfaces. Also, most of the packets are filtered at the router
nearest the source of the packets, which reduces network overhead. Access lists could have been
added at Seville as well, to deny the packets originating from Seville's Ethernet.
Example 7-4 Yosemite Configuration for Extended Access List, Example 1
interface serial 0
 ip access-group 110 out
!
interface serial 1
 ip access-group 110 out
!
! Criterion 1: packets from host 10.1.2.1 to any host in 10.1.1.0/24 are denied
access-list 110 deny ip host 10.1.2.1 10.1.1.0 0.0.0.255
! Criterion 2: packets from any host in 10.1.2.0/24 to any host in 10.1.3.0/24 are denied
access-list 110 deny ip 10.1.2.0 0.0.0.255 10.1.3.0 0.0.0.255
! Criterion 3: everything else is permitted (without this line the implicit deny at the end of the list would drop it)
access-list 110 permit ip any any
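To show how the any and host keywords, wildcard masks, and the position of the eq port qualifier combine, here is a small Python evaluator, added here and not taken from the book or from Cisco IOS, that parses the statements of Example 7-4 (and the two Telnet commands discussed above) and decides permit or deny for a given packet. The ipaddress module is standard library; the PORT_NAMES table is an assumed subset of the IOS port keywords.

```python
import ipaddress

# Constructed copy of the three access-list statements from Example 7-4 on the page.
EXAMPLE_7_4 = """access-list 110 deny ip host 10.1.2.1 10.1.1.0 0.0.0.255
access-list 110 deny ip 10.1.2.0 0.0.0.255 10.1.3.0 0.0.0.255
access-list 110 permit ip any any""".splitlines()
PORT_NAMES = {"telnet": 23, "ftp": 21, "smtp": 25, "www": 80}  # assumed subset of IOS keywords

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard: 1 bits are 'don't care'; the 0 bits must equal the base address."""
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def _parse_addr(tok):
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'."""
    if tok[0] == "any":               # any == 0.0.0.0 with wildcard 255.255.255.255
        return ("0.0.0.0", "255.255.255.255"), tok[1:]
    if tok[0] == "host":              # host X == X with wildcard 0.0.0.0
        return (tok[1], "0.0.0.0"), tok[2:]
    return (tok[0], tok[1]), tok[2:]

def _parse_port(tok):
    """Consume an optional 'eq PORT' qualifier (keyword or number); None if absent."""
    if tok and tok[0] == "eq":
        return PORT_NAMES.get(tok[1]) or int(tok[1]), tok[2:]
    return None, tok

def parse_acl(lines):
    """Parse 'access-list N action proto SRC [eq p] DST [eq p]' lines, keeping order."""
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue                  # skip '!' and interface lines if a full config is given
        action, proto = tok[2], tok[3]
        src, rest = _parse_addr(tok[4:])
        sport, rest = _parse_port(rest)   # 'eq' right after the source = source port
        dst, rest = _parse_addr(rest)
        dport, rest = _parse_port(rest)   # 'eq' after the destination = destination port
        entries.append((action, proto, src, sport, dst, dport))
    return entries

def evaluate(entries, proto, src, dst, sport=None, dport=None):
    """First matching statement wins; every ACL ends with an implicit deny."""
    for action, p, (sb, sw), sp, (db, dw), dp in entries:
        if (p in ("ip", proto) and sp in (None, sport) and dp in (None, dport)
                and wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw)):
            return action
    return "deny"
```

Feeding the same packet through the two Telnet statements from the text shows the difference the position of eq makes: with eq telnet before the second any it is the source port that must be 23, with eq telnet at the end it is the destination port.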
ch07.fm Page 468 Monday, March 20, 2000 5:14 PM