Example 7-22  Scenario 7-2 Answer--Barnaul Access List (Continued)
interface serial 0
 ip access-group 101
!
interface serial 1
 ip access-group 101

Example 7-23  Scenario 7-2 Answer--Gorno Access List
! Next statements meet Criterion 2
access-list 101 deny ip host 210.1.1.1 198.1.1.0 0.0.0.255
access-list 101 deny ip host 210.1.1.2 198.1.1.0 0.0.0.255
! Next statement meets Criterion 3, but it's not required, due to the final statement
access-list 101 permit ip 210.1.1.0 0.0.0.255 198.1.1.0 0.0.0.255
access-list 101 permit ip any any
!
interface serial 0
 ip access-group 101
!
interface serial 1
 ip access-group 101

Answers to Scenario 7-3: IP Filtering Sample 3

Many solutions could fulfill the criteria stipulated for this scenario. The solutions provided in Examples 7-24 and 7-25 attempt to filter packets as close to the source of the packet as possible. It is impossible to determine whether your correct solution is better than the one given here, or vice versa, without more information about traffic loads and business needs in the network. Comments shown inside the configurations in Example 7-24 and Example 7-25 provide most of the detailed commentary.

Example 7-24  Scenario 7-3 Answer--Barnaul Access List
! Next statements meet Criterion 3
access-list 101 permit tcp host 10.1.4.98 198.1.1.0 0.0.0.255 eq www
access-list 101 deny tcp host 10.1.4.98 198.1.1.0 0.0.0.255 lt 1023
! Next statement meets Criterion 5, but it's not really needed
! (a port match such as eq www requires the tcp keyword, not ip)
access-list 101 deny tcp 10.1.4.0 0.0.0.255 198.1.1.0 0.0.0.255 eq www
! Criterion 6 is met in the default
!
interface serial 0
 ip access-group 101
!
interface serial 1
 ip access-group 101
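The first-match and implicit-deny behaviour that the comments in Example 7-24 rely on can be checked offline. The Python sketch below is an added example, not part of the book's answer: it evaluates access-list 101 from Example 7-24 statement by statement. It assumes the second statement's wildcard mask is 0.0.0.255, that the port-matching statements use tcp, and that www means port 80; parse and evaluate are hypothetical helper names.

```python
import ipaddress
import operator

# access-list 101 as in Example 7-24 (mask and tcp keyword are assumptions, see lead-in).
ACL = """\
permit tcp host 10.1.4.98 198.1.1.0 0.0.0.255 eq www
deny tcp host 10.1.4.98 198.1.1.0 0.0.0.255 lt 1023
deny tcp 10.1.4.0 0.0.0.255 198.1.1.0 0.0.0.255 eq www
"""
PORTS = {"www": 80}
OPS = {"eq": operator.eq, "lt": operator.lt, "gt": operator.gt}

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _addr(tok):
    """Consume one address spec ('any', 'host A' or 'A WILDCARD'); return (base, wildcard), rest."""
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    if tok[0] == "host":
        return (_ip(tok[1]), 0), tok[2:]
    return (_ip(tok[0]), _ip(tok[1])), tok[2:]

def parse(text):
    rules = []
    for line in text.splitlines():
        tok = line.split()
        src, rest = _addr(tok[2:])
        dst, rest = _addr(rest)
        port = (OPS[rest[0]], PORTS[rest[1]] if rest[1] in PORTS else int(rest[1])) if rest else None
        rules.append((tok[0], tok[1], src, dst, port))
    return rules

def _hit(spec, ip):
    base, wild = spec
    # Wildcard bits set to 1 are "don't care"; every other bit must equal the base address.
    return ((_ip(ip) ^ base) & ~wild & 0xFFFFFFFF) == 0

def evaluate(rules, proto, src, dst, dport=None):
    """First match wins; (action, statement number), or ('deny', None) for the implicit deny."""
    for n, (action, rproto, rsrc, rdst, port) in enumerate(rules, 1):
        if rproto not in ("ip", proto) or not (_hit(rsrc, src) and _hit(rdst, dst)):
            continue
        if port and (dport is None or not port[0](dport, port[1])):
            continue
        return action, n
    return "deny", None

RULES = parse(ACL)
```

Evaluating with RULES[:2] still returns deny for web traffic from other 10.1.4.0 hosts, now through the implicit deny, which is why the configuration comment calls the third statement not really needed.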
ch07.fm Page 509 Monday, March 20, 2000 5:14 PM