Access Lists
RouterA(config)#access-list 10 deny 172.16.0.0 0.0.255.255
Try to figure out this next line:
RouterA(config)#access-list 10 deny 172.16.16.0 0.0.3.255
The above configuration tells the router to start at network 172.16.16.0
and use a block size of 4. The range would then be 172.16.16.0 through
172.16.19.0.
The example below shows an access list starting at 172.16.16.0 and going
up a block size of 8 to 172.16.23.0.
RouterA(config)#access-list 10 deny 172.16.16.0 0.0.7.255
The next example starts at network 172.16.32.0 and goes up a block size
of 32 to 172.16.63.0.
RouterA(config)#access-list 10 deny 172.16.32.0 0.0.31.255
The last example starts at network 172.16.64.0 and goes up a block size
of 64 to 172.16.127.0.
RouterA(config)#access-list 10 deny 172.16.64.0 0.0.63.255
Here are two more things to keep in mind when working with block sizes
and wildcards:
Each block size must start at 0. For example, you can't say that you want
a block size of 8 and then start at 12. You must use 0-7, 8-15, 16-23,
etc. For a block size of 32, the ranges are 0-31, 32-63, 64-95, etc.
The command any is the same thing as writing out the wildcard
0.0.0.0 255.255.255.255.
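The block-size rules above can be checked mechanically before an entry goes into a router. The following Python sketch is an added example, not part of the original text; the function names are hypothetical and the sample host addresses are constructed. It returns the first and last addresses an address/wildcard pair covers, flags a start that is not on a block-size boundary, and tests whether a given host matches.

```python
import ipaddress

def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def wildcard_range(address, wildcard):
    """Return (first, last) addresses covered by an address/wildcard pair."""
    addr, wild = _to_int(address), _to_int(wildcard)
    # Block-size wildcards are a solid run of 1-bits on the right,
    # so wild + 1 is a power of two and shares no bits with wild.
    if wild & (wild + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    # The page's rule: a block must start on a multiple of its size,
    # i.e. the address has no bits set where the wildcard has 1-bits.
    if addr & wild:
        raise ValueError(f"{address} is not a valid start for {wildcard}")
    last = ipaddress.IPv4Address(addr | wild)
    return str(ipaddress.IPv4Address(addr)), str(last)

def block_size(wildcard):
    """Block size in the first non-zero wildcard octet (octet value + 1)."""
    for octet in map(int, wildcard.split(".")):
        if octet:
            return octet + 1
    return 1  # wildcard 0.0.0.0 matches a single host

def matches(host, address, wildcard):
    """True if host agrees with address on every bit the wildcard checks."""
    addr, wild = _to_int(address), _to_int(wildcard)
    return ((_to_int(host) ^ addr) & ~wild & 0xFFFFFFFF) == 0

if __name__ == "__main__":
    # Address/wildcard pairs taken from the access-list lines on this page.
    entries = [
        ("172.16.16.0", "0.0.3.255"),
        ("172.16.16.0", "0.0.7.255"),
        ("172.16.32.0", "0.0.31.255"),
        ("172.16.64.0", "0.0.63.255"),
        ("0.0.0.0", "255.255.255.255"),  # equivalent of "any"
    ]
    for address, wildcard in entries:
        first, last = wildcard_range(address, wildcard)
        print(f"{address} {wildcard}: block {block_size(wildcard)}, "
              f"{first} - {last}")
    # Constructed sample hosts checked against the block-size-4 entry.
    for host in ("172.16.18.200", "172.16.20.1"):
        print(host, matches(host, "172.16.16.0", "0.0.3.255"))
```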
Standard IP Access List Example
In this section, you'll learn how to use a standard IP access list to stop certain
users from gaining access to the finance-department LAN.
In Figure 9.1, a router has three LAN connections and one WAN connection
to the Internet. Users on the Sales LAN should not have access to the
Finance LAN, but they should be able to access the Internet and the
marketing department. The Marketing LAN needs to access the Finance LAN for
application services.
Copyright ©2002 SYBEX, Inc., Alameda, CA
www.sybex.com