Chapter 9
Managing Traffic with Access Lists
FIGURE 9.1 IP access list example with three LANs and a WAN connection
On the Acme router, the following standard IP access list is applied:
Acme#config t
Acme(config)#access-list 10 deny 172.16.40.0 0.0.0.255
Acme(config)#access-list 10 permit any
It is very important to understand that the any keyword is the same thing
as saying this:
Acme(config)#access-list 10 permit 0.0.0.0 255.255.255.255
At this point, the access list is denying the Sales LAN and allowing
everyone else. But where should this access list be placed? If you place it as
an incoming access list on E2, you might as well shut down the Ethernet
interface, because all of the Sales LAN devices are denied access to all
networks attached to the router. The best place to put this access list is
on the E0 interface as an outbound list.
Acme(config)#int e0
Acme(config-if)#ip access-group 10 out
This completely stops network 172.16.40.0 from getting out Ethernet 0,
but it can still access the Marketing LAN and the Internet.
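The matching and placement behavior described above can be checked with a short Python model. This is an added example, not code from the book or from Cisco IOS. The host addresses are constructed samples, and the model assumes only outbound lists are applied.

```python
import ipaddress

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def parse_acl(lines):
    """Turn 'access-list N permit|deny SRC [WILDCARD]' lines into (action, addr, wildcard)."""
    entries = []
    for line in lines:
        tok = line.split()
        action, src = tok[2], tok[3]
        if src == "any":   # 'any' is shorthand for 0.0.0.0 255.255.255.255
            addr, wild = "0.0.0.0", "255.255.255.255"
        else:              # an omitted wildcard means 0.0.0.0 (a single host)
            addr, wild = src, (tok[4] if len(tok) > 4 else "0.0.0.0")
        entries.append((action, to_int(addr), to_int(wild)))
    return entries

def evaluate(entries, source_ip):
    """Return 'permit' or 'deny' for source_ip; the first matching line wins."""
    src = to_int(source_ip)
    for action, addr, wild in entries:
        # Wildcard bits set to 1 are ignored; bits set to 0 must match exactly.
        if ((src ^ addr) & ~wild & 0xFFFFFFFF) == 0:
            return action
    return "deny"          # implicit deny when no line matches

def forwarded(source_ip, out_iface, outbound_acls):
    """An outbound list filters only packets leaving the interface it is applied to."""
    acl = outbound_acls.get(out_iface)
    return acl is None or evaluate(acl, source_ip) == "permit"

ACL_10 = parse_acl([
    "access-list 10 deny 172.16.40.0 0.0.0.255",
    "access-list 10 permit any",
])
ACL_10_LONG = parse_acl([
    "access-list 10 deny 172.16.40.0 0.0.0.255",
    "access-list 10 permit 0.0.0.0 255.255.255.255",
])
OUTBOUND = {"e0": ACL_10}  # models 'ip access-group 10 out' on E0

if __name__ == "__main__":
    for host in ("172.16.40.25", "172.16.30.7"):  # constructed sample hosts
        for iface in ("e0", "e1", "s0"):
            verdict = "forwarded" if forwarded(host, iface, OUTBOUND) else "dropped"
            print(host, "out", iface, "->", verdict)
```

Dropping the `permit any` line from the list makes every source hit the implicit deny, which is why the second line is needed.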
[Figure 9.1 labels: router interfaces S0, E1, E2, E0; Server 172.16.10.5; Internet; Marketing 172.16.30.0; Sales 172.16.40.0; Finance 172.16.10.0]
Copyright ©2002 SYBEX, Inc., Alameda, CA
www.sybex.com