
Re: Access list





You can only do it in groups of 1, 3, 7, 15, etc.  Look at your numbers in
binary.  The exact match must be contiguous ones in binary.

binary          decimal
number          number

1               1
11              3
111             7
1111            15
11111           31
111111          63
1111111         127
11111111        255

So all you can use for the exact match is:

0.0.0.1
0.0.0.3
0.0.0.7
etc...


For your case you'd need the following:

access-list 101 deny ip 192.168.33.50 0.0.0.1 any
access-list 101 deny ip 192.168.33.52 0.0.0.3 any
access-list 101 deny ip 192.168.33.56 0.0.0.1 any
access-list 101 deny ip host 192.168.33.58 any

scott




On Tue, 18 Feb 2003, Collins Nweke wrote:

: Hi all,
:
: I assume that if I enter this access-list command below, it should block
: traffic from 192.168.33.50 - 192.168.33.58,
:
: !
: interface ethernet 0
: ip access-group 101 out
: !
: access-list 101 deny ip 192.168.33.50 0.0.0.8 any
: access-list 101 permit ip any any
: !
:
: but on the contrary it shows up in the 'sh config' as, that is counting
: backwards from the 50 I specified to mean 192.168.33.42 - 192.168.33.50
:
: !
: interface ethernet 0
: ip access-group 101 out
: !
: access-list 101 deny ip 192.168.33.42 0.0.0.8 any
: access-list 101 permit ip any any
: !
:
:
: And even after doing that, it blocks traffic only from .42 and .50 (that
: is the first and the last). Can anyone explain the usage better? That
: is, how exactly can I use access-lists to deny communication with
: another ip
:
: Thanks
:
: O.
:
:
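Added example, not part of the original messages: a Python script that splits an inclusive address range into aligned blocks with contiguous-ones wildcard masks, as the reply above does by hand, and then checks by brute force which hosts the resulting entries match. The function names and the /24 used for the check are assumptions made for this example.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: bits set to 1 in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def range_to_aces(first, last, acl=101, action="deny"):
    """Split an inclusive range into aligned blocks, one ACL entry per block."""
    aces = []
    blocks = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    for net in blocks:
        if net.prefixlen == 32:
            src = f"host {net.network_address}"
        else:
            # hostmask is the inverse of the netmask: contiguous low-order ones
            src = f"{net.network_address} {net.hostmask}"
        aces.append(f"access-list {acl} {action} ip {src} any")
    return aces

def matched_hosts(aces, subnet="192.168.33.0/24"):
    """Return every address in subnet that hits at least one entry."""
    rules = []
    for ace in aces:
        fields = ace.split()  # access-list N action ip <source ...> any
        if fields[4] == "host":
            rules.append((fields[5], "0.0.0.0"))
        else:
            rules.append((fields[4], fields[5]))
    return [str(ip) for ip in ipaddress.ip_network(subnet)
            if any(wildcard_match(str(ip), b, w) for b, w in rules)]

if __name__ == "__main__":
    aces = range_to_aces("192.168.33.50", "192.168.33.58")
    print("\n".join(aces))
    print("matched:", matched_hosts(aces))
    # A single non-contiguous "don't care" bit matches only two addresses.
    single_bit = [str(ip) for ip in ipaddress.ip_network("192.168.33.0/24")
                  if wildcard_match(str(ip), "192.168.33.50", "0.0.0.8")]
    print("0.0.0.8 matches:", single_bit)
```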


-----
This is the afnog mailing list, managed by Majordomo 1.94.5
