486 Chapter 7: Understanding Access List Security
The most useful extended access list feature that is not supported by standard access lists is the
network wildcard mask. Figure 7-10 and Example 7-13 provide a sample to show when this
mask is useful. The access list is configured on R2. The criteria for this packet filter are as follows:
1. Clients in networks 100 and 101 are allowed access to Server 3 and Server 4.
2. Clients in network 300 are not allowed to access Server 1 and Server 2.
Figure 7-10 IPX Extended Access List Example
Example 7-13 R2 Configuration for Extended IPX Access Lists
hostname R2
!
ipx routing 0200.2222.2222
!
interface serial0
ip address 10.1.1.2 255.255.255.0
ipx network 200
ipx access-group 910
!
interface ethernet 0
ip address 10.1.100.2 255.255.255.0
ipx network 100
!
interface ethernet 1
ip address 10.1.101.2 255.255.255.0
ipx network 101
!
access-list 910 deny any 1000 0000000F
access-list 910 permit any -1
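
How the network wildcard mask in access list 910 selects networks, as an added example that is not part of the original text or of Cisco's software. It assumes that the two arguments after "any" are the source network and its network wildcard mask, that 1 bits in the mask are "don't care" bits, that -1 matches every network, and that the list is read top down with an implicit deny at the end; the function names are hypothetical.

```python
# Added example: evaluates access list 910 from Example 7-13.
# Assumptions: the two arguments after "any" are the source network and its
# network wildcard mask; 1 bits in the mask are "don't care"; -1 matches every
# network; the first matching line wins; an implicit deny ends the list.
ACL_910 = """\
access-list 910 deny any 1000 0000000F
access-list 910 permit any -1
"""

def parse_acl(text):
    """Parse 'access-list N {permit|deny} any src-net [src-net-mask]' lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "access-list":
            continue
        action, protocol, net = fields[2], fields[3], fields[4]
        if action not in ("permit", "deny") or protocol != "any":
            raise ValueError("unsupported line: " + line)
        if net == "-1":
            value, mask = 0, 0xFFFFFFFF       # every bit is don't-care
        else:
            value = int(net, 16)              # IPX network numbers are hex
            mask = int(fields[5], 16) if len(fields) > 5 else 0
        entries.append((action, value, mask))
    return entries

def evaluate(entries, src_net):
    """Return 'permit' or 'deny' for a 32-bit source network number."""
    for action, value, mask in entries:
        care = ~mask & 0xFFFFFFFF             # bits that must match exactly
        if (src_net & care) == (value & care):
            return action
    return "deny"                             # implicit deny at end of list

def denied_networks(entries, low, high):
    """List the networks in [low, high] that the access list denies."""
    return [n for n in range(low, high + 1) if evaluate(entries, n) == "deny"]

if __name__ == "__main__":
    acl = parse_acl(ACL_910)
    blocked = denied_networks(acl, 0x0FF0, 0x1020)
    print("denied: %X through %X (%d networks)" % (blocked[0], blocked[-1], len(blocked)))
    for net in (0x100, 0x101, 0x300, 0x1000, 0x1001, 0x1010):
        print("source network %X -> %s" % (net, evaluate(acl, net)))
```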
[Figure 7-10 diagram: Server 1, Server 2, Server 3, Server 4, Client 1, Client 2, routers R1 and R2 (interfaces s0, s0, e0, e1), and networks 100, 101, 200, 300, 1000, 1001]
ch07.fm Page 486 Monday, March 20, 2000 5:14 PM