Access Lists 467
<400-499> XNS standard access list
<500-599> XNS extended access list
<600-699> Appletalk access list
<700-799> 48-bit MAC address access list
<800-899> IPX standard access list
<900-999> IPX extended access list
By using the access-list numbers between 1 and 99, you tell the router that you want to create a standard IP access list.

RouterA(config)#access-list 10 ?
  deny    Specify packets to reject
  permit  Specify packets to forward
After you choose the access-list number, you need to decide if you are creating a permit or deny list. For this example, you will create a deny statement:

RouterA(config)#access-list 10 deny ?
  Hostname or A.B.C.D  Address to match
  any                  Any source host
  host                 A single host address
The next step requires a more detailed explanation. There are three options available. You can use the any command to permit or deny any host or network, you can use an IP address to specify or match a specific network or IP host, or you can use the host command to specify a specific host only.

Here is an example of using the host command:

RouterA(config)#access-list 10 deny host 172.16.30.2
This tells the list to deny any packets from host 172.16.30.2. The default command is host. In other words, if you type access-list 10 deny 172.16.30.2, the router assumes you mean host 172.16.30.2.

However, there is another way to specify a specific host: you can use wildcards. In fact, to specify a network or a subnet, you have no option but to use wildcards in the access list.
Wildcards

Wildcards are used with access lists to specify a host, network, or part of a network. To understand a wildcard, you need to understand what a block size is; these are used to specify a range of addresses. Some of the different block sizes available are 64, 32, 16, 8, and 4.
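To make the host and wildcard forms concrete, here is an added example (not from the book or Cisco IOS) that parses standard IP access-list statements like the ones above and evaluates a source address against them the way the router does: first match wins, a bare address means host, and an unmatched packet falls through to the implicit deny at the end of every list. It goes slightly beyond the text by also showing how a block size maps to a last-octet wildcard; the access list and the addresses tested are constructed.

```python
import ipaddress

def parse_ace(line):
    """Parse 'access-list N permit|deny any|host A|A [wildcard]' into
    (number, action, network_int, wildcard_int)."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "access-list":
        raise ValueError(f"not an access-list statement: {line!r}")
    number, action, src = int(parts[1]), parts[2], parts[3:]
    if not 1 <= number <= 99:
        raise ValueError("standard IP access lists use numbers 1-99")
    if action not in ("permit", "deny"):
        raise ValueError(f"expected permit or deny, got {action!r}")
    if src[0] == "any":                       # every bit is "don't care"
        net, wc = 0, 0xFFFFFFFF
    elif src[0] == "host":                    # exact host, wildcard 0.0.0.0
        net, wc = int(ipaddress.IPv4Address(src[1])), 0
    else:                                     # bare address == host unless a wildcard follows
        net = int(ipaddress.IPv4Address(src[0]))
        wc = int(ipaddress.IPv4Address(src[1])) if len(src) > 1 else 0
    return number, action, net, wc

def matches(ace, ip):
    """A wildcard bit of 1 means 'ignore this bit'; only the 0 bits are compared."""
    _, _, net, wc = ace
    care = ~wc & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (net & care)

def evaluate(acl_lines, src_ip):
    """Walk the list top-down; the first matching entry decides.
    Nothing matched -> the implicit deny at the end of every access list."""
    for line in acl_lines:
        ace = parse_ace(line)
        if matches(ace, src_ip):
            return ace[1]
    return "deny"

def block_size_wildcard(block_size):
    """Wildcard for a block of addresses in the last octet: block 64 -> 0.0.0.63."""
    if block_size < 1 or block_size > 256 or block_size & (block_size - 1):
        raise ValueError("block size must be a power of two, 1..256")
    return str(ipaddress.IPv4Address(block_size - 1))

# Constructed list: two host denies (one using the bare-address shorthand),
# then a permit for the block of 64 addresses 172.16.30.0-172.16.30.63.
ACL_10 = [
    "access-list 10 deny host 172.16.30.2",
    "access-list 10 deny 172.16.30.3",
    "access-list 10 permit 172.16.30.0 " + block_size_wildcard(64),
]
```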
Copyright ©2002 SYBEX, Inc., Alameda, CA
www.sybex.com