
RE: Access list



Collins,


You can add one access-list per direction (in and out) and per
interface.


Regards

Benoit Lourdelet
Technical Marketing Engineer    Phone : +33 4 97 23 26 23         
IOS Technologies Division       FAX:    +33 4 97 23 28 09
Cisco Systems                   Mobile: +33 6 19 98 24 12




> -----Original Message-----
> From: Collins Nweke [mailto:collins at steineng.com] 
> Sent: Wednesday, February 19, 2003 12:42 AM
> To: mtinka at africaonline.co.ug; Joe Abley; Scott Weeks
> Cc: Collins Nweke; afnog at afnog.org
> Subject: RE: Access list
> 
> 
> Can't assign more than one access group to an interface? It seems to
> replace the existing one when I intend to add a new one!
> 
> Thanks
> 
> C.
> 
> 
> -----Original Message-----
> From: Mark Tinka [mailto:mtinka at africaonline.co.ug] 
> Sent: Wednesday, February 19, 2003 6:41 AM
> To: Joe Abley; Scott Weeks
> Cc: Collins Nweke; afnog at afnog.org
> Subject: RE: Access list
> 
> 
> Well, if you want to specify part of a network, you can use this simple
> calculation:
> 
> Just say 255 - "the-fourth-octet-of-your-netmask". This would be typical
> of a class C subnetting structure. The difference that you get is what
> you use in your access list to specify that network, and the hosts
> within it.
> 
> For instance, say you have a /26 network, and you need to allow outgoing
> access to the Internet for that block only, through your serial
> interface. A /26 has got 26 bits of subnetting, with all bits on [1] in
> the first 3 octets, and only 2 bits on in the fourth octet. This gives a
> netmask of 255.255.255.192 [24+2=26]. Typical subnets include
> 192.168.0.0/26, 192.168.0.64/26, 192.168.0.128/26 and 192.168.0.192/26,
> in a classful network. Each subnet provides up to 64 IP addresses, with
> 62 available for valid host assignments.
> 
> Say you've subnetted all these networks on your router, but you want to
> deny Internet access only to the second subnet, 192.168.0.64/26. You'd
> do something like this.
> 
> 255 - 192 = 63
> 
> Here, 192 is the host portion of your netmask. By subtracting it from
> 255, you get 63, which is the fourth octet you specify in your access
> list that identifies which part of your network to deny Internet access.
> The configuration would, typically, be like this:
> 
> access-list 1 deny 192.168.0.64 0.0.0.63
> access-list 1 permit any
> 
> Of course, you can do the same using extended IP access lists:
> 
> access-list 110 deny ip 192.168.0.64 0.0.0.63 any
> access-list 110 permit ip any any
> 
> Then, apply the access list to your serial interface:
> 
> int s0
>  ip access-group 1 out
> 
>         OR
> 
> int s0
>  ip access-group 110 out
> 
> You can use this same practice/formula for any other network, when
> designing subnet-based access lists. Simply subtract the host portion of
> your netmask from 255.
> 
> If you need to be more specific than specifying a whole network, you can
> simply go with what Joe suggested, down here.
> 
> Regards,
> 
> Mark Tinka - CCNA
> Network Engineer
> Africa Online Uganda
> 5th Floor, Commercial Plaza
> 7 Kampala Rd,
> Tel:   +256-41-258143
> Fax:   +256-41-258144
> E-mail: mtinka at africaonline.co.ug
> Web:     www.africaonline.co.ug
> 
> 
> 
> -----Original Message-----
> From: owner-afnog at afnog.org [mailto:owner-afnog at afnog.org]On Behalf Of
> Joe Abley
> Sent: Wednesday, February 19, 2003 5:12 AM
> To: Scott Weeks
> Cc: Collins Nweke; afnog at afnog.org
> Subject: Re: Access list
> 
> 
> 
> On Wednesday, Feb 19, 2003, at 04:01 Asia/Taipei, Scott Weeks wrote:
> 
> > Now you must block 58:
> > access-list 101 deny ip 192.168.33.58 any
> 
> slight typo:
> 
>    access-list 101 deny ip 192.168.33.58 0.0.0.0 any
> 
> or
> 
>    access-list 101 deny ip host 192.168.33.58 any
> 
> 
> Joe
> 
> 

-----
This is the afnog mailing list, managed by Majordomo 1.94.5

To send a message to this list, e-mail afnog at afnog.org
To send a request to majordomo, e-mail majordomo at afnog.org and put
your request in the body of the message (i.e use "help" for help)

This list is maintained by owner-afnog at afnog.org
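The "255 minus the fourth octet" rule Mark Tinka gives in the quoted reply is one case of a general one: an IOS wildcard mask is the bitwise complement of the subnet mask, in every octet. The script below, an added example that is not part of the original thread or any Cisco tool, generalises the rule to any prefix length, checks that the address in an entry is actually aligned to its wildcard (an unaligned entry such as 192.168.0.70 0.0.0.63 still matches the whole /26, which is easy to misread in a config), and evaluates a standard ACL the way IOS does: top-down, first match wins, implicit deny at the end. The function names and the sample ACL are my own; the ACL mirrors the /26 example from the thread.

```python
"""Wildcard masks and IOS-style access-list matching (added illustration)."""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value & ALL_ONES))


def wildcard_from_netmask(netmask: str) -> str:
    """Wildcard mask = bitwise complement of the subnet mask.

    255.255.255.192 -> 0.0.0.63.  This is the general form of the
    "255 minus the fourth octet" rule from the thread: it works in every
    octet, not only the last one (255.255.240.0 -> 0.0.15.255).
    """
    return _to_dotted(_to_int(netmask) ^ ALL_ONES)


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard mask for a CIDR prefix length, e.g. 26 -> 0.0.0.63."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    netmask = (ALL_ONES << (32 - prefix_len)) & ALL_ONES
    return _to_dotted(netmask ^ ALL_ONES)


def is_aligned(address: str, wildcard: str) -> bool:
    """True if no 'don't care' bit of the wildcard is set in the address.

    'deny 192.168.0.70 0.0.0.63' still matches all of 192.168.0.64/26,
    because the low six bits are ignored, so the line reads differently
    from what it does.  Catch that before the ACL is deployed.
    """
    return (_to_int(address) & _to_int(wildcard)) == 0


def ace_matches(address: str, wildcard: str, packet_ip: str) -> bool:
    """IOS semantics: a 1 bit in the wildcard means 'ignore this bit'."""
    care = _to_int(wildcard) ^ ALL_ONES
    return (_to_int(address) & care) == (_to_int(packet_ip) & care)


def evaluate_standard_acl(entries, packet_ip: str) -> str:
    """Walk a standard ACL top-down; the first matching entry decides.

    `entries` is a list of (action, address, wildcard) tuples in configured
    order.  Every IOS ACL ends with an implicit 'deny any', which is why the
    thread's example needs its trailing 'permit any'.
    """
    for action, address, wildcard in entries:
        if ace_matches(address, wildcard, packet_ip):
            return action
    return "deny"


def standard_acl_lines(number: int, denied_cidr: str) -> list:
    """Render the two-line standard ACL from the thread for any subnet.

    strict=True makes ipaddress reject an unaligned network such as
    192.168.0.70/26 instead of silently matching a different block.
    """
    net = ipaddress.IPv4Network(denied_cidr, strict=True)
    wildcard = wildcard_from_prefix(net.prefixlen)
    return [
        f"access-list {number} deny {net.network_address} {wildcard}",
        f"access-list {number} permit any",
    ]


# Sample ACL, constructed here to mirror the /26 example in the thread.
ACL_1 = [
    ("deny", "192.168.0.64", "0.0.0.63"),
    ("permit", "0.0.0.0", "255.255.255.255"),  # 'permit any'
]

if __name__ == "__main__":
    print("\n".join(standard_acl_lines(1, "192.168.0.64/26")))
    for ip in ("192.168.0.10", "192.168.0.64", "192.168.0.127", "192.168.0.128"):
        print(f"{ip:15} -> {evaluate_standard_acl(ACL_1, ip)}")
```

Note that a host entry in Joe Abley's correction (`192.168.33.58 0.0.0.0`) is just the /32 case of the same rule, and that `permit any` is the /0 case (wildcard 255.255.255.255); `ace_matches` handles both without special-casing.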