RE: Access list
- To: "Scott Weeks" <surfer at mauigateway.com>
- Subject: RE: Access list
- From: "Collins Nweke" <collins at steineng.com>
- Date: Tue, 18 Feb 2003 20:22:18 +0100
- Cc: <afnog at afnog.org>
Hello Scott,
Since I want to block 50 - 58, can I do something like this?
access-list 101 deny ip 192.168.33.50 0.0.0.7 any
access-list 101 deny ip host 192.168.33.58 any
Thanks
-----Original Message-----
From: Scott Weeks [mailto:surfer at mauigateway.com]
Sent: Tuesday, February 18, 2003 7:27 PM
To: Collins Nweke
Cc: afnog at afnog.org
Subject: Re: Access list
You can only do it in groups of 1, 3, 7, 15, etc. Look at your numbers
in binary. The exact match must be contiguous ones in binary.
binary      decimal
number      number
1           1
11          3
111         7
1111        15
11111       31
111111      63
1111111     127
11111111    255
So all you can use for the exact match is:
0.0.0.1
0.0.0.3
0.0.0.7
etc...
For your case you'd need the following:
access-list 101 deny ip 192.168.33.50 0.0.0.1 any
access-list 101 deny ip 192.168.33.52 0.0.0.3 any
access-list 101 deny ip 192.168.33.56 0.0.0.1 any
access-list 101 deny ip host 192.168.33.58 any
scott
On Tue, 18 Feb 2003, Collins Nweke wrote:
: Hi all,
:
: I assume that if I enter this access-list command below, it should block
: traffic from 192.168.33.50 - 192.168.33.58,
:
: !
: interface ethernet 0
: ip access-group 101 out
: !
: access-list 101 deny ip 192.168.33.50 0.0.0.8 any
: access-list 101 permit ip any any
: !
:
: but on the contrary it shows up in the 'sh config' as, that is counting
: backwards from the 50 I specified to mean 192.168.33.42 - 192.168.33.50
:
: !
: interface ethernet 0
: ip access-group 101 out
: !
: access-list 101 deny ip 192.168.33.42 0.0.0.8 any
: access-list 101 permit ip any any
: !
:
:
: And even after doing that, it blocks traffic only from .42 and .50 (that
: is the first and the last). Can anyone explain the usage better? That
: is, how exactly can I use access-lists to deny communication with
: another ip
:
: Thanks
:
: O.
:
:
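The following Python script is an added worked example, not part of the original thread or of any Cisco tool. It implements the wildcard-mask rule Scott describes: a 0 bit in the wildcard must match, a 1 bit is ignored, so an entry covers every combination of the "don't care" bits, and the router stores the address with those bits cleared. It also splits an inclusive range such as .50 - .58 into the fewest aligned entries (the same four Scott gives) and lets you list exactly which hosts any proposed entry would match, which is the check to run before trusting an ACL. Addresses, the ACL number and the line format are taken from the thread; the function names are this example's own.

```python
import ipaddress


def _to_int(ip):
    return int(ipaddress.IPv4Address(ip))


def _to_str(value):
    return str(ipaddress.IPv4Address(value))


def matches(entry_addr, wildcard, candidate):
    """True if candidate is matched by (address, wildcard).

    Bits that are 0 in the wildcard must agree; bits that are 1 are ignored.
    """
    care = 0xFFFFFFFF ^ _to_int(wildcard)
    return (_to_int(entry_addr) ^ _to_int(candidate)) & care == 0


def normalize(entry_addr, wildcard):
    """Address the router actually stores: every wildcard bit cleared."""
    return _to_str(_to_int(entry_addr) & (0xFFFFFFFF ^ _to_int(wildcard)))


def matched_hosts(entry_addr, wildcard):
    """Enumerate every address an entry matches, in address order.

    Works for non-contiguous wildcards too, e.g. 0.0.0.8 matches exactly two
    hosts that differ only in bit value 8, which is why such an entry blocks
    only the two endpoints rather than a range.
    """
    base = _to_int(normalize(entry_addr, wildcard))
    wild = _to_int(wildcard)
    free_bits = [1 << i for i in range(32) if wild & (1 << i)]
    hosts = []
    for combo in range(1 << len(free_bits)):
        value = base
        for i, bit in enumerate(free_bits):
            if combo & (1 << i):
                value |= bit
        hosts.append(_to_str(value))
    return sorted(hosts, key=_to_int)


def range_to_entries(first, last):
    """Split an inclusive range into the fewest (address, wildcard) pairs.

    Greedy: at each step take the largest power-of-two block that starts on
    an aligned boundary and does not run past the end of the range.  This is
    the same rule as CIDR aggregation, which is why only masks of the form
    2^n - 1 (1, 3, 7, 15, ...) appear.
    """
    start, end = _to_int(first), _to_int(last)
    entries = []
    while start <= end:
        size = 1
        while start % (size * 2) == 0 and start + size * 2 - 1 <= end:
            size *= 2
        entries.append((_to_str(start), _to_str(size - 1)))
        start += size
    return entries


def acl_lines(number, first, last):
    """Render deny entries for the range followed by the permit-any line."""
    lines = []
    for addr, wildcard in range_to_entries(first, last):
        if wildcard == "0.0.0.0":
            lines.append(f"access-list {number} deny ip host {addr} any")
        else:
            lines.append(f"access-list {number} deny ip {addr} {wildcard} any")
    lines.append(f"access-list {number} permit ip any any")
    return lines


if __name__ == "__main__":
    # Sample inputs are the addresses from the thread (constructed for this example).
    print("\n".join(acl_lines("101", "192.168.33.50", "192.168.33.58")))
    print("50 with 0.0.0.7 matches:", matched_hosts("192.168.33.50", "0.0.0.7"))
    print("50 with 0.0.0.8 matches:", matched_hosts("192.168.33.50", "0.0.0.8"))
```

Running `matched_hosts` on the proposed `192.168.33.50 0.0.0.7` shows it would block .48 through .55, picking up two addresses outside the intended range and missing .56 and .57, because .50 is not aligned to an 8-address block. The wildcard a range needs is determined by alignment, not by the range's size alone.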
-----
This is the afnog mailing list, managed by Majordomo 1.94.5
To send a message to this list, e-mail afnog at afnog.org
To send a request to majordomo, e-mail majordomo at afnog.org and put your
request in the body of the message (i.e use "help" for help)
This list is maintained by owner-afnog at afnog.org