Alright,
Coming out of "lurker mode". ;-)

http://www.cisco.com/univercd/cc/td/doc/cisintwk/ics/cs003.htm#xtocid2185611

There are two and a half (2.5) answers at the bottom (in cut/paste mode)
pending further clarification:

Exclamation points are of course (of course!) comments and can be cut/pasted
as well.

Also, a neat "trick" depending on where the router is located is to issue
the "reload" command prior to applying access-lists.
A simple "reload in 15" will reload the router in 15 minutes...so the steps
I use are:
        1. reload in 15   (reload in mmm)
        2. cut/paste access list
        3. apply access list
        4. ensure connectivity is still possible. Best to create an ADDITIONAL telnet window.
        5. ensure access list is doing whatever you believe it should be doing
        6. wr mem (habits die hard) (copy run start)
        7. reload cancel
If you lose connectivity (Doh!) and can't get back in on #4, the reload will
take place, return you to the prior running config (you _didn't_ do "copy
run start" yet, did you?), and voila! No 3 hour trip into Tokyo to console in.
;-)

HTH, 
TroyC

==============================================
! Answer #1
access-list 15 permit 171.17.2.64 0.0.0.31
! dot31 is the mask for 64-95 (inverse of 224)
! The access list/class is unaware and therefore
! doesn't care what the original subnet mask applied
! This will also deny _EVERYONE_ else which may or
! may not be what you want
! Don't forget there is an explicit DENY at the end (not seen)
line vty 0 4
   access-class 15 in
==============================================
! Answer #2
access-list 15 deny 171.17.2.96 0.0.0.31
access-list 15 permit any
! dot31 is the mask for 96-127 (inverse of 224)
! This will deny _ONLY_ 2.96-2.127 and allow all other
! IP address telnet access
line vty 0 4
   access-class 15 in
==============================================
! Answer #3 UGLY UGLY UGLY
access-list 15 permit 171.17.2.64
access-list 15 permit 171.17.2.65
access-list 15 permit 171.17.2.66
!
! you get the idea
!
access-list 15 permit 171.17.2.93
access-list 15 permit 171.17.2.94
access-list 15 permit 171.17.2.95
! With no mask you are specifying a host
line vty 0 4
   access-class 15 in


-----Original Message-----
From: jeongwoo park [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 23, 2001 10:26 AM
To: [EMAIL PROTECTED]
Subject: Fw: A different Wildcard Mask [1:2082]


Hi all.
Can anyone clear this?
thanks
J
----- Original Message -----
From: "V Cumbie" <[EMAIL PROTECTED]>
Newsgroups: groupstudy.associate
Sent: Wednesday, February 21, 2001 12:08 PM
Subject: A different Wildcard Mask [1:2082]


> Can you permit/deny only half of a subnet?  Here is my problem:
>
> Network: 171.17.2.64
> Subnet mask: 255.255.255.192
> Host range: 171.17.2.65 thru 171.17.2.126
> Broadcast: 171.17.2.127
>
> I have to deny telnet from hosts 171.17.2.96 thru 171.17.2.126
> and allow the remaining addresses (the lower half) 65 thru 95 complete
> access.
>
> I can not figure out a wildcard mask for splitting the hosts in half; to
> deny/permit one half of them.
>
> I would appreciate any help on this.
>
> V. Cumbie
>
>
>
>
>
> Message Posted at:
> http://www.groupstudy.com/form/read.php?f=1&i=2082&t=2082
> --------------------------------------------------
> You are reading GroupStudy's Associate Mailing List.  To unsubscribe follow
> the directions on http://www.groupstudy.com/list/Associates.html
>

_________________________________
FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
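
The wildcard matching behind Answers #1 and #2, as an added Python example that is not part of the original thread: it evaluates each list with first-match and final implicit-deny semantics to show exactly which source addresses each answer lets in. The parser handles only the `access-list N permit|deny source [wildcard]` form, and 10.1.1.1 is a constructed outside address.

```python
import ipaddress

def parse_acl(text):
    """Parse 'access-list N permit|deny SRC [WILDCARD]' lines (standard ACL form)."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue  # skip '!' comments, blank lines and anything else
        action, src = parts[2], parts[3]
        if src == "any":
            base, wild = 0, 0xFFFFFFFF
        else:
            base = int(ipaddress.IPv4Address(src))
            # No wildcard given means a single host (wildcard 0.0.0.0)
            wild = int(ipaddress.IPv4Address(parts[4])) if len(parts) > 4 else 0
        rules.append((action, base, wild))
    return rules

def evaluate(rules, host):
    """First matching entry wins; a source that matches nothing is denied."""
    h = int(ipaddress.IPv4Address(host))
    for action, base, wild in rules:
        # Wildcard bits set to 1 are "don't care"; every other bit must equal base.
        if ((h ^ base) & ~wild & 0xFFFFFFFF) == 0:
            return action
    return "deny"

def permitted_last_octets(rules, prefix="171.17.2."):
    """Last octets within prefix.0-255 that the list permits."""
    return [o for o in range(256) if evaluate(rules, f"{prefix}{o}") == "permit"]

# The two lists from the thread, written as source + wildcard entries
ANSWER_1 = """
access-list 15 permit 171.17.2.64 0.0.0.31
"""
ANSWER_2 = """
access-list 15 deny 171.17.2.96 0.0.0.31
access-list 15 permit any
"""

if __name__ == "__main__":
    for name, text in (("Answer #1", ANSWER_1), ("Answer #2", ANSWER_2)):
        rules = parse_acl(text)
        ok = permitted_last_octets(rules)
        print(f"{name}: permits {len(ok)} addresses in 171.17.2.0-255; "
              f"outside host 10.1.1.1 -> {evaluate(rules, '10.1.1.1')}")
```

Both lists treat the 171.17.2.64 subnet the same way; they differ for every other source, which Answer #1 denies and Answer #2 permits.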