this is shorter but would deny traffic that was originally permitted - 
from hosts on 211 & 212 to 214.3.1.50 using the specified protocols & ports - assuming 
that's really what you are trying to accomplish

remember the general rule for access lists of least specific to most specific

on the 1st 6 lines though, 3 have 214.3.1.50 as source, 3 have it as destination.  
Assuming you're only going to apply the list to an interface in one direction, half of 
those lines are useless.

Also, in a production environment, you have to remember it's not how long it takes to 
type the list that's important, it's how long most packets take to find a match in the 
list that affects performance.

>>> "Kevin L. Kultgen" <[EMAIL PROTECTED]> 08/17 11:22 AM >>>
Easier way to do Access-lists: how about:

access-list 111 deny    ip 211.0.0.0 0.255.255.255 any log 
access-list 111 deny    ip 212.0.0.0 0.255.255.255 any log 
access-list 111 permit ip any any 

This would still allow your 214.3.1.50 host to have its access.  The two denies CAN 
be put together into a single statement using:

access-list 111 deny    ip 207.0.0.0 7.255.255.255 any log 

but as you can see it is horribly inefficient as it will deny 207 to 215....  The 
211/212 combination are in different subnets for a 3.255.255.255 wildcard....

Comment:  Looks like the 214.3.1.50 host is your SNMP Server.  Your existing ACL at 
first glance appears to be isolating this Server...  but then the bottom line hits and 
you're still allowing all access.... Your first 6 permit statements are useless.....

HTH


Kevin L. Kultgen
MCSE+I, MCDBA, CCNA, CNX-A, A+, Network+, i-Net+/CIW
IRIS Systems Inc,  MCSP
Calgary, Alberta
  ----- Original Message ----- 
  From: "Deloso, Elmer G." 
  Newsgroups: groupstudy.cisco
  Sent: Thursday, August 17, 2000 11:58 AM
  Subject: Easier way to do Access-lists


  Hi, group. 
  Below is a sample ACL, and I need to find out if there's an easier way to input 
  these seemingly redundant entries. Thanks. 
  access-list 111 permit tcp host 214.3.1.50 any range 6000 6063 log 
  access-list 111 permit tcp any host 214.3.1.50 range 6000 6063 log 
  access-list 111 permit tcp host 214.3.1.50 any eq 161 log 
  access-list 111 permit tcp any host 214.3.1.50 eq 161 log 
  access-list 111 permit udp host 214.3.1.50 any eq 161 log 
  access-list 111 permit tcp any host 214.3.1.50 eq 161 log 
  access-list 111 deny    ip 211.0.0.0 0.255.255.255 any log 
  access-list 111 deny    ip 212.0.0.0 0.255.255.255 any log 
  access-list 111 permit ip any any 

  Elmer 


___________________________________
UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
FAQ, list archives, and subscription info: http://www.groupstudy.com
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
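Two things in this thread are easy to get wrong by eye: what range a wildcard mask actually covers when you try to fold two deny lines into one, and whether a shorter list still gives the same verdict for the traffic the original list singled out. The script below is an added example written for this thread, not code from any of the posters; it implements the same first-match, implicit-deny walk IOS performs and the bitwise arithmetic behind a wildcard mask, understands only the numbered-ACL grammar used in the posts (`any`, `host A`, `A W`, `eq N`, `range N M`, trailing `log`), and uses a constructed SNMP packet from a 211.x host to 214.3.1.50 to compare the original nine-line list with the three-line version.

```python
"""Wildcard-mask arithmetic and a first-match walk over the two ACLs in this
thread. Added example, not code from any of the posters; it only understands
the numbered-ACL grammar seen above (any | host A | A W, eq N, range N M, log).
"""
import ipaddress
from typing import List, Optional, Tuple

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def _str(n: int) -> str:
    return str(ipaddress.IPv4Address(n))

def wildcard_range(addr: str, wildcard: str) -> Tuple[str, str]:
    """Lowest and highest address matched by addr/wildcard (1 bits = don't care)."""
    a, w = _ip(addr), _ip(wildcard)
    low = a & ~w
    return _str(low), _str(low | w)

def wildcard_match(addr: str, wildcard: str, ip: str) -> bool:
    """True if ip falls inside addr/wildcard; only the 0 bits of the mask are compared."""
    w = _ip(wildcard)
    return (_ip(ip) & ~w) == (_ip(addr) & ~w)

def smallest_block(addrs: List[str]) -> Tuple[str, str]:
    """Smallest single addr/wildcard pair that covers every address given.
    Everything else inside that block is covered too, so check its range."""
    ints = [_ip(a) for a in addrs]
    diff = 0
    for x in ints[1:]:
        diff |= ints[0] ^ x
    w = (1 << diff.bit_length()) - 1        # every bit below the highest differing bit
    return _str(ints[0] & ~w), _str(w)

def _take_addr(t: List[str], i: int):
    """Consume 'any' | 'host A' | 'A W' at t[i]; return ((addr, wildcard), next index)."""
    if t[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2

def _take_ports(t: List[str], i: int):
    """Consume optional 'eq N' or 'range N M'; return ((lo, hi) or None, next index)."""
    if i < len(t) and t[i] == "eq":
        p = int(t[i + 1])
        return (p, p), i + 2
    if i < len(t) and t[i] == "range":
        return (int(t[i + 1]), int(t[i + 2])), i + 3
    return None, i

def parse_ace(line: str) -> dict:
    """Parse one 'access-list N permit|deny proto SRC [ports] DST [ports] [log]' line."""
    t = line.split()
    src, i = _take_addr(t, 4)
    sport, i = _take_ports(t, i)
    dst, i = _take_addr(t, i)
    dport, i = _take_ports(t, i)
    return {"action": t[2], "proto": t[3], "src": src, "sport": sport,
            "dst": dst, "dport": dport, "log": i < len(t) and t[i] == "log"}

def evaluate(acl: List[str], proto: str, src_ip: str, dst_ip: str,
             sport: Optional[int] = None, dport: Optional[int] = None):
    """Top-down, first match wins, implicit deny at the end.
    Returns (action, 1-based line that matched or None for the implicit deny)."""
    for n, line in enumerate(acl, 1):
        ace = parse_ace(line)
        if ace["proto"] != "ip" and ace["proto"] != proto:
            continue
        if not wildcard_match(*ace["src"], src_ip) or not wildcard_match(*ace["dst"], dst_ip):
            continue
        if ace["sport"] and (sport is None or not ace["sport"][0] <= sport <= ace["sport"][1]):
            continue
        if ace["dport"] and (dport is None or not ace["dport"][0] <= dport <= ace["dport"][1]):
            continue
        return ace["action"], n
    return "deny", None

# The two lists from the thread, transcribed from the posts above.
ORIGINAL_ACL = [
    "access-list 111 permit tcp host 214.3.1.50 any range 6000 6063 log",
    "access-list 111 permit tcp any host 214.3.1.50 range 6000 6063 log",
    "access-list 111 permit tcp host 214.3.1.50 any eq 161 log",
    "access-list 111 permit tcp any host 214.3.1.50 eq 161 log",
    "access-list 111 permit udp host 214.3.1.50 any eq 161 log",
    "access-list 111 permit tcp any host 214.3.1.50 eq 161 log",
    "access-list 111 deny ip 211.0.0.0 0.255.255.255 any log",
    "access-list 111 deny ip 212.0.0.0 0.255.255.255 any log",
    "access-list 111 permit ip any any",
]
SHORTER_ACL = ORIGINAL_ACL[6:]   # the three-line version proposed in the reply

if __name__ == "__main__":
    # Constructed sample packet: an SNMP poll from a 211.x host to the 214.3.1.50 server.
    pkt = ("tcp", "211.5.5.5", "214.3.1.50", 40000, 161)
    print("original list:", evaluate(ORIGINAL_ACL, *pkt))   # ('permit', 4)
    print("shorter list: ", evaluate(SHORTER_ACL, *pkt))    # ('deny', 1)
    print("207.0.0.0 7.255.255.255 covers", wildcard_range("207.0.0.0", "7.255.255.255"))
    print("one block holding 211/8 and 212/8:", smallest_block(["211.0.0.0", "212.0.0.0"]))
```

Running it shows the behavioural difference the first reply points out (the original list permits the 211.x SNMP poll on line 4, the shorter list denies it on line 1) and, for the summarisation question, prints the exact range any proposed addr/wildcard pair covers so the block can be checked before it is applied. `smallest_block` generalises the point about 211 and 212 needing different 3.255.255.255 blocks: it returns the single block that contains both, and `wildcard_range` on that result tells you which other /8s would be denied as a side effect.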

Reply via email to