Question 1:  As John pointed out in Question 2, access lists in the range of
1-99 are reserved for IP standard access control lists and are to be used in
conjunction with the "ip access-group" statement.  Access lists in the range
of 1-99 cannot be used in conjunction with the "ipx access-group"
statement--even though your router might permit you to enter the command
without returning an error message during the configuration.  When you issue
a "show running-config" statement, the command will not appear in the
configuration. Other than that, your interpretation of the statement is
correct.

Question 2:  You can re-use access list numbers on the same, or on various
interfaces.  For example, you could see this in a running-config:

interface ethernet 0
  ip address 192.1.1.1 255.255.255.0
  ip access-group 1 in
  ip access-group 1 out

interface serial 0
  ip address 172.16.1.1 255.255.0.0
  ip access-group 1 in
  ip access-group 1 out

The only other thing I'd point out is that if you're going to specify IPX
access lists on an interface, don't forget to configure the IPX network
(command: "IPX network <net_address>") that is connected to the
interface--and of course, IPX routing (command: "IPX routing") must be
enabled before you can do this.


  -- Leigh Anne

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
John Neiberger
Sent: February 7, 2001 10:24 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Access-List Statement Clearification Request


Comments inline.

>
> --- Start ---
> Statement:  "You can only assign one access list per interface, per
> protocol, or per direction"
>
> Question 1:  Would this be correct as to an overall general understanding of
> this statement?
>
> interface ethernet 0
>  ip address 192.1.1.1 255.255.255.0
>  ip access-group 1 in
>  ip access-group 2 out
>  ipx access-group 3 in
>  ipx access-group 4 out
>

Yes, this is correct.

> Question 2: Can this possibly imply the following:
>  (intuition says not possible because there are duplicate access lists on
> the single interface)
>
> interface ethernet 0
>  ip address 192.1.1.1 255.255.255.0
>  ip access-group 1 in
>  ip access-group 2 out
>  ipx access-group 1 in
>  ipx access-group 2 out
> --- Finish ---

This is not correct because access list numbers 1-99 are IP access lists.
They could not possibly be used in an IPX access group statement.

_________________________________
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
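
Added example (not part of the original messages): a small Python check that applies the two rules discussed in the thread to a candidate config before it is pasted into a router, since the thread notes that a mismatched "ipx access-group" line can be accepted without an error and then be missing from the running-config. The IP 1-99 range is from the thread; the other number ranges and the "out" default for a missing direction are assumptions based on the usual IOS assignments.

```python
import re

# Numbered ACL ranges accepted by each access-group command. IP 1-99 comes from
# the thread; the remaining ranges are the usual IOS assignments (assumption).
ACL_RANGES = {
    "ip": [(1, 99), (100, 199), (1300, 2699)],   # standard, extended, expanded
    "ipx": [(800, 899), (900, 999)],             # standard, extended
}
GROUP_RE = re.compile(r"(ip|ipx)\s+access-group\s+(\d+)(?:\s+(in|out))?$", re.I)

def audit(config):
    """Return (interface, line, problem) tuples for a candidate config."""
    findings, iface, seen = [], None, {}
    for raw in config.splitlines():
        line = raw.strip()
        if line.lower().startswith("interface "):
            iface = line.split(None, 1)[1]
            continue
        m = GROUP_RE.match(line)
        if not m or iface is None:
            continue
        proto, num = m.group(1).lower(), int(m.group(2))
        direction = (m.group(3) or "out").lower()   # assumed default: out
        # Rule 1: the list number must belong to the protocol of the command.
        if not any(lo <= num <= hi for lo, hi in ACL_RANGES[proto]):
            findings.append((iface, line, f"{num} is not a numbered {proto} list"))
        # Rule 2: one list per interface, per protocol, per direction.
        key = (iface, proto, direction)
        if key in seen:
            findings.append((iface, line, f"second {proto} list for {direction}"))
        seen[key] = num
    return findings

# The Question 2 config and the number-reuse example, both copied from the thread.
QUESTION_2 = """interface ethernet 0
 ip address 192.1.1.1 255.255.255.0
 ip access-group 1 in
 ip access-group 2 out
 ipx access-group 1 in
 ipx access-group 2 out
"""
REUSE = """interface ethernet 0
 ip access-group 1 in
 ip access-group 1 out
interface serial 0
 ip access-group 1 in
 ip access-group 1 out
"""

if __name__ == "__main__":
    for finding in audit(QUESTION_2):
        print(finding)
```

The Question 2 config yields two findings (both "ipx access-group" lines), while the reuse example yields none, because the same list number on several interfaces or in both directions breaks neither rule.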
