RE: Access list
Collins,
You can add one access-list per direction (in and out) and per
interface.
Regards
Benoit Lourdelet
Technical Marketing Engineer, IOS Technologies Division, Cisco Systems
Phone: +33 4 97 23 26 23
FAX: +33 4 97 23 28 09
Mobile: +33 6 19 98 24 12
> -----Original Message-----
> From: Collins Nweke [mailto:collins at steineng.com]
> Sent: Wednesday, February 19, 2003 12:42 AM
> To: mtinka at africaonline.co.ug; Joe Abley; Scott Weeks
> Cc: Collins Nweke; afnog at afnog.org
> Subject: RE: Access list
>
>
> Can't assign more than one access group to an interface? It seems to
> replace the existing one when I intend to add a new one!
>
> Thanks
>
> C.
>
>
> -----Original Message-----
> From: Mark Tinka [mailto:mtinka at africaonline.co.ug]
> Sent: Wednesday, February 19, 2003 6:41 AM
> To: Joe Abley; Scott Weeks
> Cc: Collins Nweke; afnog at afnog.org
> Subject: RE: Access list
>
>
> Well, if you want to specify part of a network, you can use this simple calculation:
>
> Just say 255 - "the-fourth-octet-of-your-netmask". This would be typical of a class C subnetting structure. The difference that you get is what you use in your access list to specify that network, and the hosts within it.
>
> For instance, say you have a /26 network, and you need to allow outgoing access to the Internet for that block only, through your serial interface. A /26 has got 26 bits of subnetting, with all bits on [1] in the first 3 octets, and only 2 bits on in the fourth octet. This gives a netmask of 255.255.255.192 [24+2=26]. Typical subnets include 192.168.0.0/26, 192.168.0.64/26, 192.168.0.128/26 and 192.168.0.192/26, in a classful network. Each subnet provides up to 64 IP addresses, with 62 available for valid host assignments.
>
> Say you've subnetted all these networks on your router, but you want to deny Internet access only to the second subnet, 192.168.0.64/26. You'd do something like this.
>
> 255 - 192 = 63
>
> Here, 192 is the host portion of your netmask. By subtracting it from 255, you get 63, which is the fourth octet you specify in your access list that identifies which part of your network to deny Internet access. The configuration would, typically, be like this:
>
> access-list 1 deny 192.168.0.64 0.0.0.63
> access-list 1 permit any
>
> Of course, you can do the same using extended IP access lists:
>
> access-list 110 deny ip 192.168.0.64 0.0.0.63
> access-list 110 permit ip any any
>
> Then, apply the access list to your serial interface:
>
> int s0
> ip access-group 1 out
>
> OR
>
> int s0
> ip access-group 110 out
>
> You can use this same practice/formula for any other network, when designing subnet-based access lists. Simply subtract the host portion of your netmask from 255.
>
> If you need to be more specific than specifying a whole network, you can simply go with what Joe suggested, down here.
>
> Regards,
>
> Mark Tinka - CCNA
> Network Engineer
> Africa Online Uganda
> 5th Floor, Commercial Plaza
> 7 Kampala Rd,
> Tel: +256-41-258143
> Fax: +256-41-258144
> E-mail: mtinka at africaonline.co.ug
> Web: www.africaonline.co.ug
>
>
>
> -----Original Message-----
> From: owner-afnog at afnog.org [mailto:owner-afnog at afnog.org] On Behalf Of Joe Abley
> Sent: Wednesday, February 19, 2003 5:12 AM
> To: Scott Weeks
> Cc: Collins Nweke; afnog at afnog.org
> Subject: Re: Access list
>
>
>
> On Wednesday, Feb 19, 2003, at 04:01 Asia/Taipei, Scott Weeks wrote:
>
> > Now you must block 58:
> > access-list 101 deny ip 192.168.33.58 any
>
> slight typo:
>
> access-list 101 deny ip 192.168.33.58 0.0.0.0 any
>
> or
>
> access-list 101 deny ip host 192.168.33.58 any
>
>
> Joe
>
>
> -----
> This is the afnog mailing list, managed by Majordomo 1.94.5
>
> To send a message to this list, e-mail afnog at afnog.org
> To send a request to majordomo, e-mail majordomo at afnog.org
> and put your
> request in the body of the message (i.e use "help" for help)
>
> This list is maintained by owner-afnog at afnog.org
>
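As an added example (not code from anyone in this thread), the wildcard-mask arithmetic Mark describes, generalised from the fourth octet to all four, together with the top-down, first-match, implicit-deny evaluation a router applies to the access-list 1 above; Joe's `host` form falls out as the 0.0.0.0 wildcard. Function names are my own.

```python
# Added example: Cisco IOS wildcard-mask arithmetic and standard-ACL evaluation.
# Not code from the thread; every helper name here is an assumption of this example.
import ipaddress


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard mask for a /prefix_len network, e.g. /26 -> 0.0.0.63.

    Generalises the "255 - fourth octet of the netmask" shortcut to all
    four octets: wildcard = 255.255.255.255 - netmask (bitwise NOT).
    """
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    netmask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(netmask ^ 0xFFFFFFFF))


def wildcard_matches(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit must equal the base, a 1 bit is don't-care.

    'host X' is shorthand for 'X 0.0.0.0'; 'any' is '0.0.0.0 255.255.255.255'.
    """
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    # Differing bits are only allowed where the wildcard bit is 1.
    return (a ^ b) & ~w == 0


def evaluate_standard_acl(acl, addr: str) -> str:
    """Walk a list of (action, base, wildcard) entries top-down; first match wins."""
    for action, base, wildcard in acl:
        if wildcard_matches(addr, base, wildcard):
            return action
    return "deny"  # the implicit 'deny any' IOS appends to every access list


# access-list 1 from the thread, in the order the router evaluates it.
ACL_1 = [
    ("deny", "192.168.0.64", "0.0.0.63"),          # deny 192.168.0.64/26
    ("permit", "0.0.0.0", "255.255.255.255"),       # permit any
]

if __name__ == "__main__":
    for host in ("192.168.0.100", "192.168.0.130", "192.168.0.1"):
        print(host, "->", evaluate_standard_acl(ACL_1, host))
```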