508 Chapter 7: Understanding Access List Security
Scenario Answers
Answers to Scenario 7-1: IP Filtering Sample 1
The solution that fulfills the criteria stipulated for this access list is straightforward. Matching
Grigory's host address to permit his traffic, then denying packets from 210.1.1.0, is all that is
needed for the first two criteria. A "permit all" must be configured explicitly at the end of the
list; otherwise the implicit deny at the end of every access list would block all other traffic.
Example 7-21 provides the solution for this scenario. The access list will be enabled on Nova.
The problem with list 43 is that if the link from Barnaul to Gorno goes down and Gorno learns
a route to Barnaul's subnets via Nova, Nova will filter all inbound packets from (non-Grigory)
Gorno hosts, including packets merely transiting Nova toward Barnaul, because a standard list
matches the source address only. A better solution is an extended access list that matches both
the source and the destination addresses. Access list 143, also shown in Example 7-21, avoids
the problem seen in access list 43. (Access list 43 is the one enabled in the example.)
Answers to Scenario 7-2: IP Filtering Sample 2
Many solutions could fulfill the criteria stipulated for this scenario. The solutions provided in
Examples 7-22 and 7-23 attempt to filter packets as close to the packet's source as possible.
It is impossible to determine whether a correct solution of your own is better than the one given
here, or vice versa, without more information about traffic loads and business needs in the
network. Comments inside the configurations in Example 7-22 and Example 7-23 provide most
of the detailed commentary.
Example 7-21
Solution to Scenario 7-1--Nova
access-list 43 permit host 210.1.1.1
access-list 43 deny 210.1.1.0 0.0.0.255
access-list 43 permit any
!
access-list 143 permit ip host 210.1.1.1 198.1.1.0 0.0.0.255
access-list 143 deny ip 210.1.1.0 0.0.0.255 198.1.1.0 0.0.0.255
access-list 143 permit ip any any
!
interface serial 0
ip access-group 43 in
!
interface serial 1
ip access-group 43 in
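The following is an added example, not from the book or from Cisco: a small Python model of wildcard-mask matching that runs lists 43 and 143 from Example 7-21 against constructed packets, reproducing the difference the Scenario 7-1 answer describes. The host addresses and the Barnaul destination 10.1.4.20 are assumptions made for this example.

```python
import ipaddress

# Cisco wildcard mask semantics: a 0 bit must match, a 1 bit is "don't care".
def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

ANY = ("0.0.0.0", "255.255.255.255")      # "any"
def host(ip: str):                          # "host X"
    return (ip, "0.0.0.0")

# Each entry: (action, src_base, src_wildcard, dst_base, dst_wildcard).
# Standard list 43 from Example 7-21 looks at the source address only,
# so its destination field is always "any".
ACL_43 = [
    ("permit", *host("210.1.1.1"), *ANY),
    ("deny", "210.1.1.0", "0.0.0.255", *ANY),
    ("permit", *ANY, *ANY),
]
# Extended list 143 from Example 7-21 matches source and destination.
ACL_143 = [
    ("permit", *host("210.1.1.1"), "198.1.1.0", "0.0.0.255"),
    ("deny", "210.1.1.0", "0.0.0.255", "198.1.1.0", "0.0.0.255"),
    ("permit", *ANY, *ANY),
]

def evaluate(acl, src: str, dst: str) -> str:
    """First matching entry wins; no match means the implicit deny."""
    for action, sb, sw, db, dw in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"

# Constructed sample packets arriving at Nova. 10.1.4.0/24 is the Barnaul
# subnet named in Example 7-22; the host parts are made up for this example.
SAMPLE_PACKETS = [
    ("210.1.1.1", "198.1.1.10"),   # Grigory to Nova's subnet
    ("210.1.1.5", "198.1.1.10"),   # other Gorno host to Nova's subnet
    ("210.1.1.5", "10.1.4.20"),    # Gorno host transiting Nova to Barnaul
]
def compare(packets=SAMPLE_PACKETS):
    """Return (src, dst, list-43 verdict, list-143 verdict) per packet."""
    return [(s, d, evaluate(ACL_43, s, d), evaluate(ACL_143, s, d))
            for s, d in packets]

if __name__ == "__main__":
    for row in compare():
        print("%-12s -> %-12s  list 43: %-6s  list 143: %s" % row)
```

The third sample packet is the case the answer warns about: list 43 drops it on source alone, while list 143 lets it through because its destination is not Nova's subnet.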
Example 7-22
Scenario 7-2 Answer--Barnaul Access List
! Next statement meets Criterion 1
access-list 101 deny ip 10.1.4.0 0.0.0.255 210.1.1.0 0.0.0.255
! Next statement meets Criterion 4
access-list 101 deny ip host 10.1.4.98 any
! Criterion 5 met in the next statement
access-list 101 permit ip any any
ch07.fm Page 508 Monday, March 20, 2000 5:14 PM