access-list

alimoe Member Posts: 17
Configure an IP standard access list to prevent all machines on network 172.16.10.0 from accessing your Ethernet network...


Now I'm assuming the configuration would have been:

access-list 1 deny any 172.16.10.0 0.0.0.255
access-list 1 permit any

but it's really

access-list 1 deny 172.16.10.0 0.0.0.255
access-list 1 permit any

Now my question is: if we're trying to prevent all machines on the network from accessing the network, why wouldn't the any statement be used? When should the any statement be used? Thanks

Comments

    Webmaster Admin Posts: 10,292
    Actually it is:

    Router(config)#access-list 1 deny 172.16.10.0 0.0.0.255
    Router(config)#access-list 1 permit any

    and, for example on the router's Ethernet interface:

    Router(config-if)#ip access-group 1 out

    > Now my question is if we're trying to prevent all machines on the network from accessing the network why wouldn't the any statement be used?

    ...not all machines, just those from the 172.16.10.0 255.255.255.0 network.

    > When should the any statement be used....

    When you do want to prevent all machines, from all networks, from accessing your Ethernet LAN (hence, in that case you would use it instead of the IP address and wildcard mask).
    Todd1225 Member Posts: 54
    Just wanna throw some stuff in to help out!

    Remember, standard access lists can only filter based on source address, and an extended list must be used if you are filtering based on source and destination addresses.

    If you are filtering based on a particular port, for instance to block FTP traffic, you must use an extended list. You must also consider whether this port is a UDP or TCP port so it can be included in the list.


    Although I didn't see it specifically stated in the Cisco Press Study Guide, the Cisco Academy Books state that you should place an extended list near the source and a standard near the destination. I personally would assume it depends on what traffic, etc. you are trying to block, but that's Cisco's theory!
    Todd Baugh
    Aspiring Network Tech
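As an added illustration (not code from this thread, and not Cisco IOS), the following Python models how a router evaluates the standard list 1 that the Webmaster shows and an extended list of the kind Todd describes: entries are checked top to bottom and the first match decides, wildcard-mask bits set to 1 are ignored, a standard entry looks at the source address only, and a packet matching no entry hits the implicit deny at the end of every list. List 2 shows what `deny any` actually does (it drops every source, which is why it is not the answer to the original question), and the parser rejects the `deny any 172.16.10.0 0.0.0.255` form the original poster assumed. The extended list 101, the small port-name table and the packet addresses are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

# Small subset of the port names IOS accepts in place of numbers (constructed for the example).
PORT_NAMES = {"ftp": 21, "telnet": 23, "www": 80}


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored.
    'any' is therefore 0.0.0.0 255.255.255.255: no bit is checked at all."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def _take_addr(tokens: List[str]) -> Tuple[str, str, List[str]]:
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W'."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]


@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    src: str
    src_wc: str
    proto: str = "ip"                # a standard entry implicitly matches any protocol ...
    dst: str = "0.0.0.0"             # ... and any destination: it filters on source only
    dst_wc: str = "255.255.255.255"
    dport: Optional[int] = None


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    dport: Optional[int] = None


def parse_entry(line: str) -> Entry:
    """Parse one 'access-list <n> ...' line. Numbers 1-99 are standard, 100-199 extended."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError("expected an access-list line: " + line)
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    if action not in ("permit", "deny"):
        raise ValueError("unknown action: " + action)
    if 1 <= number <= 99:
        src, src_wc, rest = _take_addr(rest)
        if rest:  # e.g. 'deny any 172.16.10.0 0.0.0.255' is not valid standard syntax
            raise ValueError("standard list takes a source only, got: " + " ".join(rest))
        return Entry(action, src, src_wc)
    if 100 <= number <= 199:
        proto, rest = rest[0], rest[1:]
        src, src_wc, rest = _take_addr(rest)
        dst, dst_wc, rest = _take_addr(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
        return Entry(action, src, src_wc, proto, dst, dst_wc, dport)
    raise ValueError("unsupported list number: %d" % number)


def matches(e: Entry, p: Packet) -> bool:
    if not wildcard_match(p.src, e.src, e.src_wc):
        return False
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not wildcard_match(p.dst, e.dst, e.dst_wc):
        return False
    return e.dport is None or e.dport == p.dport


def evaluate(acl: List[Entry], p: Packet) -> str:
    """First matching entry decides; a packet matching nothing hits the implicit deny."""
    for e in acl:
        if matches(e, p):
            return e.action
    return "deny"


# The list from the thread: only sources in 172.16.10.0/24 are dropped.
ACL_1 = [parse_entry(l) for l in (
    "access-list 1 deny 172.16.10.0 0.0.0.255",
    "access-list 1 permit any",
)]

# What 'deny any' really does: every source is dropped, the permit is never reached.
ACL_2 = [parse_entry(l) for l in (
    "access-list 2 deny any",
    "access-list 2 permit any",
)]

# Constructed extended list: block FTP control connections from that subnet only.
ACL_101 = [parse_entry(l) for l in (
    "access-list 101 deny tcp 172.16.10.0 0.0.0.255 any eq ftp",
    "access-list 101 permit ip any any",
)]

if __name__ == "__main__":
    for name, acl in (("1", ACL_1), ("2", ACL_2), ("101", ACL_101)):
        for pkt in (Packet("172.16.10.7", "10.0.0.5", "tcp", 21),
                    Packet("172.16.11.7", "10.0.0.5", "tcp", 21),
                    Packet("172.16.10.7", "10.0.0.5", "tcp", 80)):
            print("list %s: %s -> %s" % (name, pkt, evaluate(acl, pkt)))
```

Running the script prints the verdict for each list and packet; the interesting rows are list 101, where a host in 172.16.10.0/24 is refused only on TCP port 21 and everything else from it is permitted, and list 2, where the `permit any` can never match because `deny any` already caught every packet.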