
RE: Access list



That is system dependent. If you use UNIX/Linux, you can use any text
editor: Pico, Vi, Emacs, etc.

If you are using Windows, Notepad should be appropriate, after all, it's
simply a text file.

However, be careful when modifying the configuration in the file, as you
won't get any error messages if you misconfigure. You will only get them
after you try to copy the running-config to NVRAM, or when you reload the
router and it has to read its startup-config file.

Regards,

Mark Tinka - CCNA
Network Engineer
Africa Online Uganda
5th Floor, Commercial Plaza
7 Kampala Rd,
Tel:   +256-41-258143
Fax:   +256-41-258144
E-mail: mtinka at africaonline.co.ug
Web:     www.africaonline.co.ug



-----Original Message-----
From: owner-afnog at afnog.org [mailto:owner-afnog at afnog.org]On Behalf Of
Collins Nweke
Sent: Wednesday, February 19, 2003 12:04 PM
To: Benoit Lourdelet (blourdel); Collins Nweke
Cc: afnog at afnog.org; mtinka at africaonline.co.ug; Joe Abley; Scott Weeks
Subject: RE: Access list


Thanks all!

One more question, when I upload my router's config details to a TFTP
server, is there any program or software that I can use to open and edit
the uploaded file from the TFTP location and then download it back into
the router - I mean not necessarily editing the config again on the
router!

Thanks

C.


-----Original Message-----
From: Benoit Lourdelet (blourdel) [mailto:blourdel at cisco.com]
Sent: Wednesday, February 19, 2003 9:31 AM
To: Collins Nweke
Cc: afnog at afnog.org; mtinka at africaonline.co.ug; Joe Abley; Scott Weeks
Subject: RE: Access list


Collins,


You can add one access-list per direction (in and out) and per
interface.


Regards

Benoit Lourdelet
Technical Marketing Engineer    Phone : +33 4 97 23 26 23
IOS Technologies Division       FAX:    +33 4 97 23 28 09
Cisco Systems                   Mobile: +33 6 19 98 24 12




> -----Original Message-----
> From: Collins Nweke [mailto:collins at steineng.com]
> Sent: Wednesday, February 19, 2003 12:42 AM
> To: mtinka at africaonline.co.ug; Joe Abley; Scott Weeks
> Cc: Collins Nweke; afnog at afnog.org
> Subject: RE: Access list
>
>
> Can't assign more than one access group to an interface? It seems to
> replace the existing one when I intend to add a new one!
>
> Thanks
>
> C.
>
>
> -----Original Message-----
> From: Mark Tinka [mailto:mtinka at africaonline.co.ug]
> Sent: Wednesday, February 19, 2003 6:41 AM
> To: Joe Abley; Scott Weeks
> Cc: Collins Nweke; afnog at afnog.org
> Subject: RE: Access list
>
>
> Well, if you want to specify part of a network, you can use this simple
> calculation:
>
> Just say 255 - "the-fourth-octet-of-your-netmask". This would be typical
> of a class C subnetting structure. The difference that you get is what
> you use in your access list to specify that network, and the hosts
> within it.
>
> For instance, say you have a /26 network, and you need to allow outgoing
> access to the Internet for that block only, through your serial
> interface. A /26 has got 26 bits of subnetting, with all bits on [1] in
> the first 3 octets, and only 2 bits on in the fourth octet. This gives a
> netmask of 255.255.255.192 [24+2=26]. Typical subnets include
> 192.168.0.0/26, 192.168.0.64/26, 192.168.0.128/26 and 192.168.0.192/26,
> in a classful network. Each subnet provides up to 64 IP addresses, with
> 62 available for valid host assignments.
>
> Say you've subnetted all these networks on your router, but you want to
> deny Internet access only to the second subnet, 192.168.0.64/26. You'd
> do something like this.
>
> 255 - 192 = 63
>
> Here, 192 is the host portion of your netmask. By subtracting it from
> 255, you get 63, which is the fourth octet you specify in your access
> list that identifies which part of your network to deny Internet
> access. The configuration would, typically, be like this:
>
> access-list 1 deny 192.168.0.64 0.0.0.63
> access-list 1 permit any
>
> Of course, you can do the same using extended IP access lists:
>
> access-list 110 deny ip 192.168.0.64 0.0.0.63 any
> access-list 110 permit ip any any
>
> Then, apply the access list to your serial interface:
>
> int s0
>  ip access-group 1 out
>
>         OR
>
> int s0
>  ip access-group 110 out
>
> You can use this same practice/formula for any other network, when
> designing subnet-based access lists. Simply subtract the host portion
> of your netmask from 255.
>
> If you need to be more specific than specifying a whole network, you can
> simply go with what Joe suggested, down here.
>
> Regards,
>
> Mark Tinka - CCNA
> Network Engineer
> Africa Online Uganda
> 5th Floor, Commercial Plaza
> 7 Kampala Rd,
> Tel:   +256-41-258143
> Fax:   +256-41-258144
> E-mail: mtinka at africaonline.co.ug
> Web:     www.africaonline.co.ug
>
>
>
> -----Original Message-----
> From: owner-afnog at afnog.org [mailto:owner-afnog at afnog.org]On Behalf Of Joe Abley
> Sent: Wednesday, February 19, 2003 5:12 AM
> To: Scott Weeks
> Cc: Collins Nweke; afnog at afnog.org
> Subject: Re: Access list
>
>
>
> On Wednesday, Feb 19, 2003, at 04:01 Asia/Taipei, Scott Weeks wrote:
>
> > Now you must block 58:
> > access-list 101 deny ip 192.168.33.58 any
>
> slight typo:
>
>    access-list 101 deny ip 192.168.33.58 0.0.0.0 any
>
> or
>
>    access-list 101 deny ip host 192.168.33.58 any
>
>
> Joe
>
>
> -----
> This is the afnog mailing list, managed by Majordomo 1.94.5
>
> To send a message to this list, e-mail afnog at afnog.org
> To send a request to majordomo, e-mail majordomo at afnog.org
> and put your
> request in the body of the message (i.e use "help" for help)
>
> This list is maintained by owner-afnog at afnog.org
>
>
>

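Added worked example (not from any poster in this thread): the "255 minus the netmask octet" rule that Mark describes is the fourth-octet case of inverting the whole 32-bit netmask, which is what a Cisco wildcard mask is. The script below computes wildcard masks for any prefix length, renders the standard and extended access-list lines the thread shows (including Joe's `host X` form, which is shorthand for a `0.0.0.0` wildcard), and evaluates sample addresses against the ACL so you can check what a rule actually matches before loading it onto a router. The ACL numbers, sample addresses and the first-match/implicit-deny evaluation model are the ones used in the thread; everything else is assumed for illustration.

```python
import ipaddress
from dataclasses import dataclass


def wildcard_mask(prefix_len: int) -> str:
    """Wildcard (inverse) mask for an IPv4 prefix length.

    General form of the "255 - netmask octet" rule: inverting every bit of the
    netmask, which ipaddress exposes as .hostmask.  /26 -> 0.0.0.63.
    """
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").hostmask)


def wildcard_by_subtraction(netmask: str) -> str:
    """The per-octet arithmetic from the post, applied to all four octets."""
    return ".".join(str(255 - int(octet)) for octet in netmask.split("."))


@dataclass(frozen=True)
class AclEntry:
    action: str      # "permit" or "deny"
    address: int     # source address as a 32-bit integer
    wildcard: int    # wildcard bits: 1 = don't care, 0 = must match

    @classmethod
    def for_network(cls, action: str, cidr: str) -> "AclEntry":
        # strict=True rejects a subnet written with host bits set (e.g. 192.168.0.70/26)
        net = ipaddress.IPv4Network(cidr, strict=True)
        return cls(action, int(net.network_address), int(net.hostmask))

    @classmethod
    def for_host(cls, action: str, host: str) -> "AclEntry":
        # "host X" is shorthand for "X 0.0.0.0": no don't-care bits
        return cls(action, int(ipaddress.IPv4Address(host)), 0)

    @classmethod
    def for_any(cls, action: str) -> "AclEntry":
        # "any" is shorthand for "0.0.0.0 255.255.255.255": every bit is don't-care
        return cls(action, 0, 0xFFFFFFFF)

    def matches(self, addr: str) -> bool:
        """An address matches when every bit the wildcard cares about is equal."""
        a = int(ipaddress.IPv4Address(addr))
        care = ~self.wildcard & 0xFFFFFFFF
        return (a & care) == (self.address & care)

    def render(self, number: int, extended: bool = False) -> str:
        """IOS config line; extended lists take an 'ip' protocol and a destination."""
        if self.wildcard == 0xFFFFFFFF:
            src = "any"
        elif self.wildcard == 0:
            src = f"host {ipaddress.IPv4Address(self.address)}"
        else:
            src = f"{ipaddress.IPv4Address(self.address)} {ipaddress.IPv4Address(self.wildcard)}"
        if extended:
            return f"access-list {number} {self.action} ip {src} any"
        return f"access-list {number} {self.action} {src}"


def render_acl(number: int, entries, extended: bool = False):
    return [entry.render(number, extended) for entry in entries]


def evaluate(entries, addr: str) -> str:
    """First matching entry wins; an IOS access list ends with an implicit deny."""
    for entry in entries:
        if entry.matches(addr):
            return entry.action
    return "deny"


# Constructed sample: the list from the thread that denies the second /26 and permits the rest.
ACL_1 = [AclEntry.for_network("deny", "192.168.0.64/26"), AclEntry.for_any("permit")]

if __name__ == "__main__":
    print(wildcard_mask(26), wildcard_by_subtraction("255.255.255.192"))
    for line in render_acl(1, ACL_1) + render_acl(110, ACL_1, extended=True):
        print(line)
    for addr in ("192.168.0.63", "192.168.0.70", "192.168.0.127", "192.168.0.128"):
        print(addr, evaluate(ACL_1, addr))
```

Running it prints the two wildcard forms (identical for /26), the standard and extended lines, and shows that only addresses 192.168.0.64 through 192.168.0.127 are denied, which is a cheap way to catch a wrong wildcard before it reaches the router, where (as Mark notes above) a mistake only surfaces when the config is loaded.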