
RE: Access list



Yes, you can't assign more than one access list to the same interface in the
same direction.

Here I mean, you can have one that says "ip access-group out" and another
that says "ip access-group in" on the same interface. But you can't have
more than one access list pointing in the same direction, on the same
interface. Cisco IOS does not support that.

To circumvent this, you may use extended IP named access lists. Here's an
example:

ip access-list extended No_Internet_Access
  deny ip 192.168.0.64 0.0.0.63 any
  permit ip any any

What this does is it provides an area where you can place all your access
list requirements for your direction. It's like putting several access lists
in the same direction on a single interface.

Please note that the name of the access list is No_Internet_Access, and this
is just my example; it can be any name you want.

Apply it to the interface as you would a normal IP access list:

int s0
  ip access-group No_Internet_Access out

Remember to specify the name in the same case as you made it. IOS will
search for that specifically.

Regards,

Mark Tinka - CCNA
Network Engineer
Africa Online Uganda
5th Floor, Commercial Plaza
7 Kampala Rd,
Tel:   +256-41-258143
Fax:   +256-41-258144
E-mail: mtinka at africaonline.co.ug
Web:     www.africaonline.co.ug



-----Original Message-----
From: owner-afnog at afnog.org [mailto:owner-afnog at afnog.org]On Behalf Of
Collins Nweke
Sent: Wednesday, February 19, 2003 11:42 AM
To: mtinka at africaonline.co.ug; Joe Abley; Scott Weeks
Cc: Collins Nweke; afnog at afnog.org
Subject: RE: Access list


Can't assign more than one access group to an interface? It seems to
replace the existing one when I intend to add a new one!

Thanks

C.


-----Original Message-----
From: Mark Tinka [mailto:mtinka at africaonline.co.ug]
Sent: Wednesday, February 19, 2003 6:41 AM
To: Joe Abley; Scott Weeks
Cc: Collins Nweke; afnog at afnog.org
Subject: RE: Access list


Well, if you want to specify part of a network, you can use this simple
calculation:

Just say 255 - "the-fourth-octet-of-your-netmask". This would be typical
of a class C subnetting structure. The difference that you get, is what
you use in your access list to specify that network, and the hosts
within it.

For instance, say you have a /26 network, and you need to allow outgoing
access to the Internet for that block only, through your serial
interface. A /26 has got 26 bits of subnetting, with all bits on [1] in
the first 3 octets, and only 2 bits on in the fourth octet. This gives a
netmask of 255.255.255.192 [24+2=26]. Typical subnets include
192.168.0.0/26, 192.168.0.64/26, 192.168.0.128/26 and 192.168.0.192/26,
in a classful network. Each subnet provides up to 64 IP addresses, with
62 available for valid host assignments.

Say you've subnetted all these networks on your router, but you want to
deny Internet access only to the second subnet, 192.168.0.64/26, you'd
do something like this.

255 - 192 = 63

Here, 192 is the host portion of your netmask. By subtracting it from
255, you get 63, which is the fourth octet you specify in your access
list that identifies which part of your network to deny Internet access.
The configuration would, typically, be like this:

access-list 1 deny 192.168.0.64 0.0.0.63
access-list 1 permit any

Of course, you can do the same using extended IP access lists:

access-list 110 deny ip 192.168.0.64 0.0.0.63 any
access-list 110 permit ip any any

Then, apply the access list to your serial interface:

int s0
 ip access-group 1 out

        OR

int s0
 ip access-group 110 out

You can use this same practice/formula for any other network, when
designing subnet-based access lists. Simply subtract the host portion of
your netmask from 255.

If you need to be more specific than specifying a whole network, you can
simply go with what Joe suggested, down here.

Regards,

Mark Tinka - CCNA
Network Engineer
Africa Online Uganda
5th Floor, Commercial Plaza
7 Kampala Rd,
Tel:   +256-41-258143
Fax:   +256-41-258144
E-mail: mtinka at africaonline.co.ug
Web:     www.africaonline.co.ug
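The following is an added example, not code from the thread, from Mark, or from Cisco. It puts the two points above into something you can run offline: the wildcard-mask arithmetic (generalised from the "255 - fourth octet" rule to the full 32-bit inverse of the netmask, so it also works for /20 or /12 where the boundary is not in the fourth octet), and the way a single access list behaves once applied in one direction: entries are walked top to bottom, the first match wins, and anything that matches nothing hits the implicit deny at the end. The parser is a deliberately small subset of IOS syntax (standard and extended entries with the "ip" protocol only, no ports, no "log"); the decision to reject an extended entry whose source has neither a wildcard, "host" nor "any" is this example's own strictness, chosen to flag the kind of typo corrected further down the thread. All function names, the Entry class and the sample addresses are this example's own.

```python
"""Wildcard-mask arithmetic and first-match ACL evaluation, Cisco IOS style."""
import ipaddress
from dataclasses import dataclass

ANY = ("0.0.0.0", "255.255.255.255")   # IOS 'any' == 0.0.0.0 with an all-ones wildcard

def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def wildcard_from_prefix(prefix_len):
    """Wildcard for /prefix_len: the bitwise inverse of the netmask (any prefix, not just 4th-octet ones)."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    netmask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(~netmask & 0xFFFFFFFF))

def wildcard_from_netmask(netmask):
    """Dotted netmask -> wildcard, e.g. 255.255.255.192 -> 0.0.0.63."""
    return str(ipaddress.IPv4Address(~_to_int(netmask) & 0xFFFFFFFF))

def wildcard_match(addr, base, wildcard):
    """A 1 bit in the wildcard is 'don't care'; where it is 0 the address must equal the base."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)

@dataclass
class Entry:
    action: str            # "permit" or "deny"
    src: str
    src_wc: str
    dst: str = ANY[0]
    dst_wc: str = ANY[1]

    def matches(self, src_ip, dst_ip):
        return (wildcard_match(src_ip, self.src, self.src_wc)
                and wildcard_match(dst_ip, self.dst, self.dst_wc))

def _is_ipv4(tok):
    try:
        ipaddress.IPv4Address(tok)
        return True
    except ValueError:
        return False

def _take_address(tokens, allow_bare_host):
    """Consume 'any' | 'host A' | 'A W' | (standard lists only) a bare 'A'."""
    if not tokens:
        raise ValueError("missing address")
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":                    # 'host A' is shorthand for 'A 0.0.0.0'
        return (tokens[1], "0.0.0.0"), tokens[2:]
    if not _is_ipv4(tokens[0]):
        raise ValueError("bad address %r" % tokens[0])
    if len(tokens) > 1 and _is_ipv4(tokens[1]):
        return (tokens[0], tokens[1]), tokens[2:]
    if allow_bare_host:                        # 'access-list 1 deny A' implies wildcard 0.0.0.0
        return (tokens[0], "0.0.0.0"), tokens[1:]
    raise ValueError("address %s needs a wildcard mask or 'host'" % tokens[0])

def parse_entry(line):
    """Parse one numbered ('access-list N ...') or named-list body line (protocol 'ip' only)."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]                    # drop 'access-list' and its number
    action, rest = tokens[0], tokens[1:]
    if action not in ("permit", "deny"):
        raise ValueError("unknown action %r" % action)
    if rest and rest[0] == "ip":               # extended: 'deny ip <src> <dst>'
        src, rest = _take_address(rest[1:], allow_bare_host=False)
        dst, rest = _take_address(rest, allow_bare_host=False)
    else:                                      # standard: source only
        src, rest = _take_address(rest, allow_bare_host=True)
        dst = ANY
    if rest:
        raise ValueError("unexpected trailing tokens %r" % rest)
    return Entry(action, src[0], src[1], dst[0], dst[1])

def evaluate(acl_lines, src_ip, dst_ip):
    """Walk the list top to bottom; first match wins; no match hits the implicit deny."""
    for line in acl_lines:
        entry = parse_entry(line)
        if entry.matches(src_ip, dst_ip):
            return entry.action
    return "deny"

if __name__ == "__main__":
    # Sample input constructed for this example: the named list from the thread.
    no_internet = ["deny ip 192.168.0.64 0.0.0.63 any", "permit ip any any"]
    print(wildcard_from_prefix(26))                                # 0.0.0.63
    print(evaluate(no_internet, "192.168.0.70", "203.0.113.1"))    # deny
    print(evaluate(no_internet, "192.168.0.200", "203.0.113.1"))   # permit
```

Two things worth trying with it: swap the two entries of no_internet and the 192.168.0.64/26 host is permitted, which is why the order inside the one list you are allowed per direction matters; and feed it a standard list with only a deny and no "permit any", and every source comes back "deny", which is the implicit deny that silently drops traffic when a list is applied with nothing permitted.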



-----Original Message-----
From: owner-afnog at afnog.org [mailto:owner-afnog at afnog.org]On Behalf Of
Joe Abley
Sent: Wednesday, February 19, 2003 5:12 AM
To: Scott Weeks
Cc: Collins Nweke; afnog at afnog.org
Subject: Re: Access list



On Wednesday, Feb 19, 2003, at 04:01 Asia/Taipei, Scott Weeks wrote:

> Now you must block 58:
> access-list 101 deny ip 192.168.33.58 any

slight typo:

   access-list 101 deny ip 192.168.33.58 0.0.0.0 any

or

   access-list 101 deny ip host 192.168.33.58 any


Joe


-----
This is the afnog mailing list, managed by Majordomo 1.94.5

To send a message to this list, e-mail afnog at afnog.org
To send a request to majordomo, e-mail majordomo at afnog.org and put your
request in the body of the message (i.e use "help" for help)

This list is maintained by owner-afnog at afnog.org


