>Are you going from having NO filters at all to ONLY filtering bogus
>incoming packets? If so, then the access-list that you want is:
>access-list 111 deny ip xxx.zzz.yyy.0 0.0.0.255 0.0.0.0 255.255.255.255
>access-list 111 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
>This will allow ALL packets EXCEPT ones that have your IP addresses as the
>source address. I think the problem in your example is that, if there are
>any rules at all, and a packet matches none of them, Cisco does a default
>deny (which is the right thing to do).
That is correct but a little misleading. The access list rule is that
each line is processed from the top. The first line that matches the situation
is executed, the rest are skipped. Therefore if the address matches the
"deny", the "permit" would never execute. For that reason if the two lines
were reversed, the second line would *never* execute. I always suggest that
people make the last line in an ACL "deny everything" just in case.
Warmly,
Padgett
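The first-match behaviour both posters describe, worked through in code. This is an added example, not part of the original thread and not a Cisco tool: a small Python model of extended-ACL evaluation that parses the two `access-list 111` lines, walks them top-down, falls through to the implicit deny when nothing matches, and flags entries that an earlier entry fully shadows (the situation Padgett points to when the two lines are reversed). The documentation prefix 192.0.2.0/24 is a constructed stand-in for the thread's `xxx.zzz.yyy.0`, and the parser deliberately understands only `ip SRC SWILD DST DWILD` entries, not protocol or port qualifiers.

```python
"""First-match evaluation of Cisco-style extended access lists, plus a check
for shadowed (dead) entries. Added example; not from the original thread."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str       # "permit" or "deny"
    src: str          # network address
    src_wild: str     # wildcard mask: 0 bits must match, 1 bits are don't-care
    dst: str
    dst_wild: str


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _matches(addr: str, net: str, wild: str) -> bool:
    """True if addr falls inside net/wildcard (Cisco wildcard semantics)."""
    care = ~_ip(wild) & 0xFFFFFFFF        # bits the entry actually inspects
    return (_ip(addr) & care) == (_ip(net) & care)


def parse_acl(lines):
    """Parse 'access-list N permit|deny ip SRC SWILD DST DWILD' lines only."""
    entries = []
    for line in lines:
        p = line.split()
        if len(p) != 8 or p[0] != "access-list" or p[3] != "ip":
            raise ValueError(f"unsupported line: {line!r}")
        entries.append(AclEntry(p[2], p[4], p[5], p[6], p[7]))
    return entries


def evaluate(acl, src: str, dst: str):
    """Walk the list top-down; the first matching entry decides.
    Returns (action, index); index None means the implicit deny at the end."""
    for i, e in enumerate(acl):
        if _matches(src, e.src, e.src_wild) and _matches(dst, e.dst, e.dst_wild):
            return e.action, i
    return "deny", None


def _covers(net_a, wild_a, net_b, wild_b) -> bool:
    """True if every address matching (net_b, wild_b) also matches (net_a, wild_a)."""
    wa, wb = _ip(wild_a), _ip(wild_b)
    if wb & ~wa & 0xFFFFFFFF:          # b is don't-care on a bit that a inspects
        return False
    care = ~wa & 0xFFFFFFFF
    return (_ip(net_a) & care) == (_ip(net_b) & care)


def shadowed_entries(acl):
    """Indices of entries that can never match because an earlier entry
    already covers their whole source and destination space."""
    dead = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            if (_covers(earlier.src, earlier.src_wild, later.src, later.src_wild)
                    and _covers(earlier.dst, earlier.dst_wild, later.dst, later.dst_wild)):
                dead.append(j)
                break
    return dead


# Constructed sample: 192.0.2.0/24 stands in for the thread's xxx.zzz.yyy.0.
ANTI_SPOOF = parse_acl([
    "access-list 111 deny ip 192.0.2.0 0.0.0.255 0.0.0.0 255.255.255.255",
    "access-list 111 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255",
])
REVERSED = list(reversed(ANTI_SPOOF))   # permit-any first: the deny is dead

if __name__ == "__main__":
    # Spoofed source (our own prefix arriving from outside) is dropped by line 0
    print(evaluate(ANTI_SPOOF, "192.0.2.7", "198.51.100.1"))        # ('deny', 0)
    # Any other source is passed by line 1
    print(evaluate(ANTI_SPOOF, "203.0.113.9", "198.51.100.1"))      # ('permit', 1)
    # With the lines swapped the permit-any wins and the deny never fires
    print(evaluate(REVERSED, "192.0.2.7", "198.51.100.1"))          # ('permit', 0)
    print(shadowed_entries(REVERSED))                                # [1]
    # A list with only the deny line drops everything else via the implicit deny
    print(evaluate([ANTI_SPOOF[0]], "203.0.113.9", "198.51.100.1"))  # ('deny', None)
```

`shadowed_entries` is the check worth keeping: run it over a candidate list before applying it, and any index it returns is a line that cannot take effect in that position. The last call shows the default-deny that the quoted poster mentions, which is why a one-line ACL silently blocks all traffic.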