command, no packets are filtered due to the ip access-group command. After the access list's
first command is configured, the IOS implements the access list's logic. This is true of IP
standard access lists as well as extended and named access lists. Access lists that filter other
types of packets follow this same logic.
access lists. (vty is used for Telnet access to and from the IOS.) The inbound case is the more
obvious case. For instance, imagine that only hosts in subnet 10.1.1.0/24 were supposed to be
capable of telnetting into any of the Cisco routers in a network. In such a case, the configuration
in Example 7-10 could be used on each router to deny access from IP addresses not in that one
subnet.
deny ip host 10.1.1.130 host 10.1.3.2
deny ip host 10.1.1.28 host 10.1.3.2
permit ip any any
Router#conf t
Enter configuration commands, one per line. End with Ctrl-Z.
Router(config)#ip access-list extended barney
Router(config-ext-nacl)#no permit ip any any
Router(config-ext-nacl)#no deny ip host 10.1.1.130 host 10.1.3.2
Router(config-ext-nacl)#no deny ip host 10.1.1.28 host 10.1.3.2
Router(config-ext-nacl)#deny ip 10.1.2.0 0.0.0.255 10.1.3.0 0.0.0.255
Router(config-ext-nacl)#deny ip host 10.1.1.130 host 10.1.3.2
Router(config-ext-nacl)#deny ip host 10.1.1.28 host 10.1.3.2
Router(config-ext-nacl)#permit ip any any
Router(config-ext-nacl)#^Z
Router#sh ip access-list
permit tcp host 10.1.1.2 eq www any
deny udp host 10.1.1.1 0.0.0.128 255.255.255.127
deny ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255
deny ip 10.1.2.0 0.0.0.255 10.1.3.0 0.0.0.255
deny ip host 10.1.1.130 host 10.1.3.2
deny ip host 10.1.1.28 host 10.1.3.2
permit ip any any