RE: Access list



Well, if you want to specify part of a network, you can use this simple
calculation:

Just say 255 - "the-fourth-octet-of-your-netmask". This would be typical of
a class C subnetting structure. The difference that you get, is what you use
in your access list to specify that network, and the hosts within it.

For instance, say you have a /26 network, and you need to allow outgoing
access to the Internet for that block only, through your serial interface. A
/26 has got 26 bits of subnetting, with all bits on [1] in the first 3
octets, and only 2 bits on in the fourth octet. This gives a netmask of
255.255.255.192 [24+2=26]. Typical subnets include 192.168.0.0/26,
192.168.0.64/26, 192.168.0.128/26 and 192.168.0.192/26, in a classful
network. Each subnet provides up to 64 IP addresses, with 62 available for
valid host assignments.

Say you've subnetted all these networks on your router, but you want to deny
Internet access only to the second subnet, 192.168.0.64/26. You'd do
something like this:

255 - 192 = 63

Here, 192 is the host portion of your netmask. By subtracting it from 255,
you get 63, which is the fourth octet you specify in your access list that
identifies which part of your network to deny Internet access. The
configuration would, typically, be like this:

access-list 1 deny 192.168.0.64 0.0.0.63
access-list 1 permit any

Of course, you can do the same using extended IP access lists:

access-list 110 deny ip 192.168.0.64 0.0.0.63
access-list 110 permit ip any any

Then, apply the access list to your serial interface:

int s0
 ip access-group 1 out

        OR

int s0
 ip access-group 110 out

You can use this same practice/formula for any other network, when designing
subnet-based access lists. Simply subtract the host portion of your netmask
from 255.

If you need to be more specific than specifying a whole network, you can
simply go with what Joe suggested, down here.

Regards,

Mark Tinka - CCNA
Network Engineer
Africa Online Uganda
5th Floor, Commercial Plaza
7 Kampala Rd,
Tel:   +256-41-258143
Fax:   +256-41-258144
E-mail: mtinka at africaonline.co.ug
Web:     www.africaonline.co.ug



-----Original Message-----
From: owner-afnog at afnog.org [mailto:owner-afnog at afnog.org]On Behalf Of
Joe Abley
Sent: Wednesday, February 19, 2003 5:12 AM
To: Scott Weeks
Cc: Collins Nweke; afnog at afnog.org
Subject: Re: Access list



On Wednesday, Feb 19, 2003, at 04:01 Asia/Taipei, Scott Weeks wrote:

> Now you must block 58:
> access-list 101 deny ip 192.168.33.58 any

slight typo:

   access-list 101 deny ip 192.168.33.58 0.0.0.0 any

or

   access-list 101 deny ip host 192.168.33.58 any


Joe


-----
This is the afnog mailing list, managed by Majordomo 1.94.5

To send a message to this list, e-mail afnog at afnog.org
To send a request to majordomo, e-mail majordomo at afnog.org and put
your request in the body of the message (i.e use "help" for help)

This list is maintained by owner-afnog at afnog.org

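The "255 minus the netmask octet" rule from Mark's reply above, written out as an added worked example (this is not code from the original thread, and the function names are my own). It generalises the rule to all four octets, shows that it is the same as taking the bitwise inverse of the netmask, and evaluates an access-list entry the way a router does: bits set in the wildcard are "don't care", so a host matches when its remaining bits equal the network's.

```python
import ipaddress
from typing import List

MASK32 = 0xFFFFFFFF


def per_octet_wildcard(netmask: str) -> str:
    """Mark's rule applied to every octet: 255 minus each netmask octet."""
    return ".".join(str(255 - int(o)) for o in netmask.split("."))


def wildcard_for_prefix(prefix_len: int) -> str:
    """Wildcard mask for a /prefix_len network: the bitwise inverse of the netmask."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    netmask = (MASK32 << (32 - prefix_len)) & MASK32
    return str(ipaddress.IPv4Address(netmask ^ MASK32))


def acl_matches(network: str, wildcard: str, address: str) -> bool:
    """Evaluate one ACE: compare only the bits the wildcard marks as significant (0)."""
    net = int(ipaddress.IPv4Address(network))
    wc = int(ipaddress.IPv4Address(wildcard))
    addr = int(ipaddress.IPv4Address(address))
    care = wc ^ MASK32  # bits that must match
    return (addr & care) == (net & care)


def deny_subnet_acl(cidr: str, acl_number: int = 1) -> List[str]:
    """Build the standard ACL from the thread for an arbitrary CIDR block.

    strict=True rejects a host address with a prefix (e.g. 192.168.0.65/26),
    which catches a misaligned network that would otherwise match
    a different range than intended.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    wildcard = wildcard_for_prefix(net.prefixlen)
    return [
        f"access-list {acl_number} deny {net.network_address} {wildcard}",
        f"access-list {acl_number} permit any",
    ]


if __name__ == "__main__":
    # Constructed sample inputs, matching the /26 case in the thread.
    print(per_octet_wildcard("255.255.255.192"))   # 0.0.0.63
    print(wildcard_for_prefix(26))                 # 0.0.0.63
    print("\n".join(deny_subnet_acl("192.168.0.64/26")))
    for host in ("192.168.0.64", "192.168.0.100", "192.168.0.127", "192.168.0.128"):
        print(host, acl_matches("192.168.0.64", "0.0.0.63", host))
```

The last loop shows the range the entry really covers: 192.168.0.64 through 192.168.0.127 match, and 192.168.0.128 (the start of the next /26) does not. Joe's host entry is just the degenerate case, a wildcard of 0.0.0.0, where every bit must match.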