Title: Easier way to do Access-lists
how about:
 
access-list 111 deny    ip 211.0.0.0 0.255.255.255 any log
access-list 111 deny    ip 212.0.0.0 0.255.255.255 any log
access-list 111 permit ip any any
 
This would still allow your 214.3.1.50 host to have its access.  The two denies CAN be put together into a single statement using:
 
access-list 111 deny    ip 207.0.0.0 7.255.255.255 any log
 
but as you can see it is horribly inefficient as it will deny 207 to 215....  The 211/212 combination are in different subnets for a 3.255.255.255.255 wildcard....
 
Comment:  Looks like the 214.3.1.50 host is your SNMP Server.  Your existing ACL at first glance appears to be isolating this Server...  but then the bottom line hits and you're still allowing all access.... Your first 6 permit statements are useless.....
 
HTH

Kevin L. Kultgen
MCSE+I, MCDBA, CCNA, CNX-A, A+, Network+, i-Net+/CIW
IRIS Systems Inc,  MCSP
Calgary, Alberta
----- Original Message -----
Newsgroups: groupstudy.cisco
Sent: Thursday, August 17, 2000 11:58 AM
Subject: Easier way to do Access-lists

Hi, group.
Below is a sample ACL, and I need to find out if there's an easier way to input
these seemingly redundant entries. Thanks.
access-list 111 permit tcp host 214.3.1.50 any range 6000 6063 log
access-list 111 permit tcp any host 214.3.1.50 range 6000 6063 log
access-list 111 permit tcp host 214.3.1.50 any eq 161 log
access-list 111 permit tcp any host 214.3.1.50 eq 161 log
access-list 111 permit udp host 214.3.1.50 any eq 161 log
access-list 111 permit tcp any host 214.3.1.50 eq 161 log
access-list 111 deny    ip 211.0.0.0 0.255.255.255 any log
access-list 111 deny    ip 212.0.0.0 0.255.255.255 any log
access-list 111 permit ip any any

Elmer
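
Added example (not part of either message in this thread): a Python check of which addresses a Cisco base/wildcard pair matches, and of the smallest single pair that covers a set of networks, run on the 211/212 ranges and the 214.3.1.50 host mentioned above. The function names are made up for this example.

```python
import ipaddress

MASK32 = 0xFFFFFFFF

def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def acl_matches(base, wildcard, addr):
    """Cisco wildcard match: bits set in the wildcard are 'don't care' bits."""
    care = ~_to_int(wildcard) & MASK32
    return (_to_int(addr) & care) == (_to_int(base) & care)

def first_octets_matched(base, wildcard):
    """First octets o for which o.0.0.0 matches the entry."""
    return [o for o in range(256) if acl_matches(base, wildcard, f"{o}.0.0.0")]

def covering_entry(networks):
    """Smallest single base/wildcard pair that matches every address in every
    network given. Any bit that differs between two covered addresses must be
    a don't-care bit, so the wildcard is the OR of all pairwise differences."""
    nets = [ipaddress.IPv4Network(n) for n in networks]
    edges = [int(n.network_address) for n in nets]
    edges += [int(n.broadcast_address) for n in nets]
    ref = edges[0]
    wild = 0
    for value in edges:
        wild |= value ^ ref
    base = ref & ~wild & MASK32
    return str(ipaddress.IPv4Address(base)), str(ipaddress.IPv4Address(wild))

if __name__ == "__main__":
    base, wild = covering_entry(["211.0.0.0/8", "212.0.0.0/8"])
    print("single entry covering 211/8 and 212/8:", base, wild)
    print("first octets it matches:", first_octets_matched(base, wild))
    print("first octets matched by 207.0.0.0 7.255.255.255:",
          first_octets_matched("207.0.0.0", "7.255.255.255"))
    # The host from the original ACL, checked against the combined entry
    # and against one of the two separate /8 denies.
    print("214.3.1.50 matches combined entry:",
          acl_matches(base, wild, "214.3.1.50"))
    print("214.3.1.50 matches 211.0.0.0 0.255.255.255:",
          acl_matches("211.0.0.0", "0.255.255.255", "214.3.1.50"))
```

Running a proposed base/wildcard pair through a check like this before it goes on the router shows every range a summarised deny takes in, including hosts that earlier permit lines were written for.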
