RE: Access list
I forgot to CC the group. I only answered in private. For those
interested, please read on...
: Since I want to block 50 - 58 can I do something like this
:
: access-list 101 deny ip 192.168.33.50 0.0.0.7 any
: access-list 101 deny ip 192.168.33.58 any
No. Put your numbers in binary:
50 = 00110010
when you make contiguous ones at the end you can only get:
00110011 which is 51
so you can only write:
access-list 101 deny ip 192.168.33.50 0.0.0.1 any
Then you must start on 52:
52 = 00110100
making contiguous ones you can only get to:
00110111 which is 55
so you can only write:
access-list 101 deny ip 192.168.33.52 0.0.0.3 any
Then you must start on 56:
56 = 00111000
You could go all the way to:
00111111 which is 63, but you only want to go to 58. So to make
contiguous ones you'd look at the following:
00111001 which is 57
00111011 which is 59
You don't want to block 59, so you must use the 57
So you'd write:
access-list 101 deny ip 192.168.33.56 0.0.0.1 any
Now you must block 58:
access-list 101 deny ip 192.168.33.58 any
Always look at the numbers in binary.
scott
On Tue, 18 Feb 2003, Collins Nweke wrote:
: Hello Scott,
:
: Since I want to block 50 - 58 can I do something like this
:
: access-list 101 deny ip 192.168.33.50 0.0.0.7 any
: access-list 101 deny ip 192.168.33.58 any
:
: Thanks
:
:
: -----Original Message-----
: From: Scott Weeks [mailto:surfer at mauigateway.com]
: Sent: Tuesday, February 18, 2003 7:27 PM
: To: Collins Nweke
: Cc: afnog at afnog.org
: Subject: Re: Access list
:
:
:
:
: You can only do it in groups of 1, 3, 7, 15, etc. Look at your numbers
: in binary. The exact match must be contiguous ones in binary.
:
: binary decimal
: number number
:
: 1 1
: 11 3
: 111 7
: 1111 15
: 11111 31
: 111111 63
: 1111111 127
: 11111111 255
:
: So all you can use for the exact match is:
:
: 0.0.0.1
: 0.0.0.3
: 0.0.0.7
: etc...
:
:
: For your case you'd need the following:
:
: access-list 101 deny ip 192.168.33.50 0.0.0.1 any
: access-list 101 deny ip 192.168.33.52 0.0.0.3 any
: access-list 101 deny ip 192.168.33.56 0.0.0.1 any
: access-list 101 deny ip 192.168.33.58 any
:
: scott
:
:
:
:
: On Tue, 18 Feb 2003, Collins Nweke wrote:
:
: : Hi all,
: :
: : I assume that if I enter this access-list command below, it should
: block
: : traffic from 192.168.33.50 - 192.168.33.58,
: :
: : !
: : interface ethernet 0
: : ip access-group 101 out
: : !
: : access-list 101 deny ip 192.168.33.50 0.0.0.8 any
: : access-list 101 permit ip any any
: : !
: :
: : but on the contrary it shows up in the 'sh config' as, that is
: counting
: : backwards from the 50 I specified to mean 192.168.33.42 -
: 192.168.33.50
: :
: : !
: : interface ethernet 0
: : ip access-group 101 out
: : !
: : access-list 101 deny ip 192.168.33.42 0.0.0.8 any
: : access-list 101 permit ip any any
: : !
: :
: :
: : And even after doing that, it blocks traffic only from .42 and .50
: (that
: : is the first and the last). Can anyone explain the usage better? That
: : is, how exactly can I use access-lists to deny communication with
: : another ip
: :
: : Thanks
: :
: : O.
: :
: :
:
:
: -----
: This is the afnog mailing list, managed by Majordomo 1.94.5
:
: To send a message to this list, e-mail afnog at afnog.org
: To send a request to majordomo, e-mail majordomo at afnog.org and put your
: request in the body of the message (i.e use "help" for help)
:
: This list is maintained by owner-afnog at afnog.org
:
:
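The binary walk in Scott's reply can be made mechanical. The following Python is an added example, not code from the thread or from any poster: it splits an inclusive address range into aligned wildcard blocks (the largest run of trailing "don't care" ones that fits), renders them as access-list entries, and shows which hosts a given address/wildcard pair actually matches and how the router stores it (address AND NOT wildcard), which is why a single-bit wildcard such as 0.0.0.8 hits only two hosts. Function names and the use of the `host` keyword for the lone .58 entry are this example's own choices.

```python
# Added example (not from the thread): Cisco wildcard-mask arithmetic.
# Function names and the 'host' keyword for single-address entries are
# this example's own choices, not something the posters wrote.
from ipaddress import IPv4Address

MASK32 = 0xFFFFFFFF

def ip_to_int(s):
    return int(IPv4Address(s))

def int_to_ip(n):
    return str(IPv4Address(n & MASK32))

def matches(address, wildcard, candidate):
    """A wildcard bit of 1 is 'don't care'; every 0 bit must agree."""
    keep = ~ip_to_int(wildcard) & MASK32
    return (ip_to_int(address) & keep) == (ip_to_int(candidate) & keep)

def normalize(address, wildcard):
    """How the router stores the pair: don't-care bits of the address are
    cleared, so a non-aligned address shows up rewritten in 'sh config'."""
    return int_to_ip(ip_to_int(address) & ~ip_to_int(wildcard))

def wildcard_blocks(first, last):
    """Split the inclusive range first..last into aligned blocks.
    Each block starts at cur and takes the largest wildcard 2^k - 1 such
    that the low k bits of cur are zero (contiguous ones fit under it)
    and cur + wildcard does not run past last: the reply's binary walk."""
    cur, end = ip_to_int(first), ip_to_int(last)
    blocks = []
    while cur <= end:
        wild = 0
        while True:
            bigger = (wild << 1) | 1          # next longer run of ones
            if cur & bigger or cur + bigger > end:
                break
            wild = bigger
        blocks.append((int_to_ip(cur), int_to_ip(wild)))
        cur += wild + 1
    return blocks

def acl_lines(number, first, last):
    """Render the blocks as extended ACL entries plus the closing permit."""
    lines = []
    for addr, wild in wildcard_blocks(first, last):
        src = f"host {addr}" if wild == "0.0.0.0" else f"{addr} {wild}"
        lines.append(f"access-list {number} deny ip {src} any")
    lines.append(f"access-list {number} permit ip any any")
    return lines

if __name__ == "__main__":
    print("\n".join(acl_lines(101, "192.168.33.50", "192.168.33.58")))
```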