Filtering IP Traffic 471
The access lists on Yosemite and Seville are almost identical; each is focused on the first three
criteria. List 110 is used as outbound access-lists on the Yosemite and Seville links connected
to Albuquerque. The first three statements in list 110 in each router complete the first three
criteria for this example; the only difference is in the source and destination addresses used in
the third statement, which checks for the respective subnet numbers at each site.
Both Yosemite and Seville have a list 111 that is used on the link between the two. Each list 111
on Yosemite and Seville is identical to list 110, respectively, except that list 111 is missing one
statement. This missing statement (relative to list 110) is the one that meets criterion 3, which
states to not filter this traffic from going across the direct serial link; because list 111 is used on
that link, there is no need for the extra statement. The final statement in lists 110 and 111 on
Seville and Yosemite provides coverage for the fifth criterion of this example, allowing
all other packets to flow.
The second access list statement in each list 110 and 111 on Seville and Yosemite is trickier than
you will see on the CCNA exam. This example is indicative of the types of nuances that you
might see on the CCNP and CCIE exams. The mask has only one binary 0 in it, in bit 25 (the
first bit in the last byte). The corresponding bit in the address has value 1; in decimal, the
address and mask imply addresses whose fourth byte is between 128 and 255, inclusive.
Regardless of subnet number, hosts in the upper half of the assignable addresses in each subnet
are matched with this combination. (Note: Because the subnet mask is 255.255.255.0, all host
addresses in the upper half of the address range are between 128 and 254 in the last octet; 255 is
the subnet broadcast address.)
Three major problems exist when using extensive detailed criteria for access lists. First, the
criteria are open to interpretation. Second, many people tend to create the lists to match the order
in which each point of the criteria is written; no attempt at optimization is made. Finally, the lists
are easy to create in such a way that the criteria are not actually accomplished, as in extended IP
access list example 2.
Example 7-7
Albuquerque Configuration for Extended Access List, Example 2
! Direction omitted on ip access-group; IOS applies the list outbound by default
interface serial 0
ip access-group 112
!
interface serial 1
ip access-group 112
!
! Criterion 4 met with next four statements
access-list 112 deny ip host 10.1.1.130 host 10.1.3.2
access-list 112 deny ip host 10.1.1.28 host 10.1.3.2
access-list 112 permit ip host 10.1.1.130 any
access-list 112 permit ip host 10.1.1.28 any
! Criterion 5 met with next statement
access-list 112 permit ip any any
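The following is an added example, not part of the book or of Cisco IOS: a small Python model of how IOS evaluates an extended access list, covering both the wildcard-mask matching discussed above (the bit-25 case is represented here by the assumed pair 0.0.0.128 255.255.255.127, which is consistent with the text's description) and the first-match, implicit-deny processing of list 112 from Example 7-7. It handles only statements of the form "access-list N action ip src dst" and ignores port qualifiers.

```python
import ipaddress


def to_int(dotted):
    """Convert a dotted-decimal IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(addr, pattern, wildcard):
    """Cisco wildcard-mask test: a wildcard bit of 0 means the address bit
    must equal the pattern bit; a wildcard bit of 1 means 'do not care'."""
    differing = to_int(addr) ^ to_int(pattern)
    must_match = ~to_int(wildcard) & 0xFFFFFFFF
    return (differing & must_match) == 0


def parse_operand(tokens):
    """Parse one source/destination operand ('any', 'host A', or 'A W').
    Returns ((pattern, wildcard), remaining_tokens)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_acl(lines):
    """Parse 'access-list N permit|deny ip SRC DST' lines; skip everything else."""
    entries = []
    for line in lines:
        t = line.split()
        if not t or t[0] != "access-list":
            continue  # comments (!) and blank lines are ignored
        action = t[2]
        src, rest = parse_operand(t[4:])
        dst, _ = parse_operand(rest)
        entries.append((action, src, dst))
    return entries


def evaluate(entries, src, dst):
    """First matching statement wins; every access list ends in an implicit deny."""
    for action, (sp, sw), (dp, dw) in entries:
        if wildcard_match(src, sp, sw) and wildcard_match(dst, dp, dw):
            return action
    return "deny"


# Constructed input: list 112 exactly as printed in Example 7-7.
ACL_112 = parse_acl("""
access-list 112 deny ip host 10.1.1.130 host 10.1.3.2
access-list 112 deny ip host 10.1.1.28 host 10.1.3.2
access-list 112 permit ip host 10.1.1.130 any
access-list 112 permit ip host 10.1.1.28 any
access-list 112 permit ip any any
""".splitlines())
```

Reordering the two deny statements after the host permits would let the permits match first and silently break criterion 4, which is the kind of ordering mistake the text warns about.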
ch07.fm Page 471 Monday, March 20, 2000 5:14 PM