
RE: Access list



Can't assign more than one access group to an interface? It seems to
replace the existing one when I intend to add a new one!

Thanks

C.


-----Original Message-----
From: Mark Tinka [mailto:mtinka at africaonline.co.ug] 
Sent: Wednesday, February 19, 2003 6:41 AM
To: Joe Abley; Scott Weeks
Cc: Collins Nweke; afnog at afnog.org
Subject: RE: Access list


Well, if you want to specify part of a network, you can use this simple
calculation:

Just say 255 - "the-fourth-octet-of-your-netmask". This would be typical
of a class C subnetting structure. The difference that you get, is what
you use in your access list to specify that network, and the hosts
within it.

For instance, say you have a /26 network, and you need to allow outgoing
access to the Internet for that block only, through your serial
interface. A /26 has got 26 bits of subnetting, with all bits on [1] in
the first 3 octets, and only 2 bits on in the fourth octet. This gives a
netmask of 255.255.255.192 [24+2=26]. Typical subnets include
192.168.0.0/26, 192.168.0.64/26, 192.168.0.128/26 and 192.168.0.192/26,
in a classful network. Each subnet provides up to 64 IP addresses, with
62 available for valid host assignments.

Say you've subnetted all these networks on your router, but you want to
deny Internet access only to the second subnet, 192.168.0.64/26, you'd
do something like this.

255 - 192 = 63

Here, 192 is the host portion of your netmask. By subtracting it from
255, you get 63, which is the fourth octet you specify in your access
list that identifies which part of your network to deny Internet access.
The configuration would, typically, be like this:

access-list 1 deny 192.168.0.64 0.0.0.63
access-list 1 permit any

Of course, you can do the same using extended IP access lists:

access-list 110 deny ip 192.168.0.64 0.0.0.63 any
access-list 110 permit ip any any

Then, apply the access list to your serial interface:

int s0
 ip access-group 1 out

        OR

int s0
 ip access-group 110 out

You can use this same practice/formula for any other network, when
designing subnet-based access lists. Simply subtract the host portion of
your netmask from 255.

If you need to be more specific than specifying a whole network, you can
simply go with what Joe suggested, down here.

Regards,

Mark Tinka - CCNA
Network Engineer
Africa Online Uganda
5th Floor, Commercial Plaza
7 Kampala Rd,
Tel:   +256-41-258143
Fax:   +256-41-258144
E-mail: mtinka at africaonline.co.ug
Web:     www.africaonline.co.ug



-----Original Message-----
From: owner-afnog at afnog.org [mailto:owner-afnog at afnog.org]On Behalf Of
Joe Abley
Sent: Wednesday, February 19, 2003 5:12 AM
To: Scott Weeks
Cc: Collins Nweke; afnog at afnog.org
Subject: Re: Access list



On Wednesday, Feb 19, 2003, at 04:01 Asia/Taipei, Scott Weeks wrote:

> Now you must block 58:
> access-list 101 deny ip 192.168.33.58 any

slight typo:

   access-list 101 deny ip 192.168.33.58 0.0.0.0 any

or

   access-list 101 deny ip host 192.168.33.58 any


Joe
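The following Python script is an added worked example, not code from anyone in this thread. It puts Mark's "255 minus the netmask octet" rule and Joe's two equivalent host forms into one runnable model: the wildcard is computed for every octet (the bitwise complement of the netmask, which is the general case of the fourth-octet rule), the ACL lines quoted above are parsed, and packets are evaluated the way a router does, first match wins with an implicit deny at the end. The parser deliberately supports only the subset of extended ACL syntax used in the thread (`ip` protocol, source and destination as `any`, `host A.B.C.D`, or `A.B.C.D W.W.W.W`; no ports or other protocols); the test addresses are constructed for illustration.

```python
import ipaddress

MAX32 = 0xFFFFFFFF


def to_int(dotted):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_for_prefix(prefix_len):
    """Return (netmask, wildcard) for a /prefix_len as dotted quads.

    The wildcard is the bitwise complement of the netmask, i.e. 255 minus
    each octet of the netmask. Mark's rule applies this to the fourth
    octet only; doing it per octet covers any prefix length, not just
    class-C-style /25../30 subnets.
    """
    netmask = (MAX32 << (32 - prefix_len)) & MAX32
    wildcard = netmask ^ MAX32
    return (str(ipaddress.IPv4Address(netmask)),
            str(ipaddress.IPv4Address(wildcard)))


def _parse_address_spec(tokens):
    """Consume one address spec and return (base, wildcard, remaining tokens).

    'any'          -> 0.0.0.0 255.255.255.255 (every bit is don't-care)
    'host A.B.C.D' -> A.B.C.D 0.0.0.0        (every bit must match)
    'A.B.C.D W.W.W.W' -> as written
    """
    if tokens[0] == "any":
        return 0, MAX32, tokens[1:]
    if tokens[0] == "host":
        return to_int(tokens[1]), 0, tokens[2:]
    return to_int(tokens[0]), to_int(tokens[1]), tokens[2:]


def parse_extended_acl(lines):
    """Parse 'access-list N permit|deny ip SRC DST' lines (subset only)."""
    entries = []
    for line in lines:
        t = line.split()
        if (len(t) < 6 or t[0] != "access-list"
                or t[2] not in ("permit", "deny") or t[3] != "ip"):
            raise ValueError(f"unsupported line: {line!r}")
        src, src_wc, rest = _parse_address_spec(t[4:])
        dst, dst_wc, rest = _parse_address_spec(rest)
        entries.append((t[2], src, src_wc, dst, dst_wc))
    return entries


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is ignored."""
    care = wildcard ^ MAX32
    return (to_int(addr) & care) == (base & care)


def evaluate(entries, src, dst):
    """First matching entry decides; an ACL ends with an implicit deny."""
    for action, base, wc, dbase, dwc in entries:
        if wildcard_match(src, base, wc) and wildcard_match(dst, dbase, dwc):
            return action
    return "deny"


# ACL 110 as Mark wrote it: block the second /26, permit everything else.
ACL_110 = [
    "access-list 110 deny ip 192.168.0.64 0.0.0.63 any",
    "access-list 110 permit ip any any",
]

# Joe's two spellings of the same host entry. Note there is no permit
# line here, so everything that is not 192.168.33.58 is ALSO denied.
ACL_101 = [
    "access-list 101 deny ip 192.168.33.58 0.0.0.0 any",
    "access-list 101 deny ip host 192.168.33.58 any",
]


if __name__ == "__main__":
    print("/26 ->", wildcard_for_prefix(26))        # 255.255.255.192 / 0.0.0.63
    acl = parse_extended_acl(ACL_110)
    for host in ("192.168.0.70", "192.168.0.130"):  # constructed test hosts
        print(host, "->", evaluate(acl, host, "198.51.100.1"))
    hosts = parse_extended_acl(ACL_101)
    print("host forms identical:", hosts[0][1:] == hosts[1][1:])
```

Two things the model makes visible that the thread only implies: the `host` keyword and a `0.0.0.0` wildcard produce identical entries, and an ACL with only deny lines blocks everything because of the implicit deny at the end. Separately, on the question at the top of the thread: IOS keeps one `ip access-group` per interface per direction, so applying a second one in the same direction replaces the first rather than adding to it; combine the rules into a single list instead.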


-----
This is the afnog mailing list, managed by Majordomo 1.94.5

To send a message to this list, e-mail afnog at afnog.org
To send a request to majordomo, e-mail majordomo at afnog.org and put your
request in the body of the message (i.e. use "help" for help)

This list is maintained by owner-afnog at afnog.org


