Re: Access list
You can only do it in groups of 1, 3, 7, 15, etc. Look at your numbers in
binary. The exact match must be contiguous ones in binary.
binary      decimal
number      number
1           1
11          3
111         7
1111        15
11111       31
111111      63
1111111     127
11111111    255
So all you can use for the exact match is:
0.0.0.1
0.0.0.3
0.0.0.7
etc...
For your case you'd need the following:
access-list 101 deny ip 192.168.33.50 0.0.0.1 any
access-list 101 deny ip 192.168.33.52 0.0.0.3 any
access-list 101 deny ip 192.168.33.56 0.0.0.1 any
access-list 101 deny ip host 192.168.33.58 any
scott
On Tue, 18 Feb 2003, Collins Nweke wrote:
: Hi all,
:
: I assume that if I enter this access-list command below, it should block
: traffic from 192.168.33.50 - 192.168.33.58,
:
: !
: interface ethernet 0
: ip access-group 101 out
: !
: access-list 101 deny ip 192.168.33.50 0.0.0.8 any
: access-list 101 permit ip any any
: !
:
: but on the contrary it shows up in the 'sh config' as, that is counting
: backwards from the 50 I specified to mean 192.168.33.42 - 192.168.33.50
:
: !
: interface ethernet 0
: ip access-group 101 out
: !
: access-list 101 deny ip 192.168.33.42 0.0.0.8 any
: access-list 101 permit ip any any
: !
:
:
: And even after doing that, it blocks traffic only from .42 and .50 (that
: is the first and the last). Can anyone explain the usage better? That
: is, how exactly can I use access-lists to deny communication with
: another ip
:
: Thanks
:
: O.
:
:
-----
This is the afnog mailing list, managed by Majordomo 1.94.5
To send a message to this list, e-mail afnog at afnog.org
To send a request to majordomo, e-mail majordomo at afnog.org and put
your request in the body of the message (i.e use "help" for help)
This list is maintained by owner-afnog at afnog.org
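
Added example, not part of the original thread: a Python sketch of the wildcard comparison (a 1 bit in the wildcard means "ignore this bit") and of splitting an inclusive range into aligned blocks, which yields the four entries given in the reply for .50 through .58. The function names are illustrative, and the ACL number 101 is taken from the thread.

```python
from ipaddress import IPv4Address

MASK32 = 0xFFFFFFFF

def matches(base, wildcard, addr):
    """True if addr equals base on every bit where the wildcard bit is 0."""
    b, w, a = (int(IPv4Address(x)) for x in (base, wildcard, addr))
    return (a ^ b) & ~w & MASK32 == 0

def matched_hosts(base, wildcard):
    """Last octets inside base's /24 that the ACL entry matches."""
    net = int(IPv4Address(base)) & 0xFFFFFF00
    return [i for i in range(256)
            if matches(base, wildcard, str(IPv4Address(net + i)))]

def cover_range(first, last):
    """Split first..last (inclusive) into (base, wildcard) blocks whose
    wildcard is a run of contiguous low-order ones (0, 1, 3, 7, ...)."""
    lo, hi = int(IPv4Address(first)), int(IPv4Address(last))
    blocks = []
    while lo <= hi:
        size = lo & -lo if lo else 1 << 32   # largest block aligned at lo
        while size > hi - lo + 1:            # shrink until it fits the range
            size >>= 1
        blocks.append((str(IPv4Address(lo)), str(IPv4Address(size - 1))))
        lo += size
    return blocks

def acl_lines(acl_id, first, last):
    """Render the blocks as extended-ACL deny entries."""
    lines = []
    for base, wc in cover_range(first, last):
        src = f"host {base}" if wc == "0.0.0.0" else f"{base} {wc}"
        lines.append(f"access-list {acl_id} deny ip {src} any")
    return lines

if __name__ == "__main__":
    # 0.0.0.8 frees exactly one bit, so the entry matches two hosts, not a range.
    print(matched_hosts("192.168.33.50", "0.0.0.8"))
    print("\n".join(acl_lines(101, "192.168.33.50", "192.168.33.58")))
```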