CCIE Written Class [7:13755]

2001-07-25 Thread fgh

Dennis,
I would definitely be interested in a CCIE written prep. Thanks.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=13755&t=13755
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: access list.. [7:13564]

2001-07-24 Thread fgh

access-list 1 permit 172.22.0.0 0.0.31.255

"It permits all hosts with addresses in the range 172.22.0.1 to
172.22.31.255."

Routing TCP/IP, Volume 1
pg. 862
Jeff Doyle, CCIE 1919

I guess you are going to tell me that Mr. Jeff Doyle is wrong now? Bu-bye




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=13617&t=13564



Re: access list..cool up [7:13564]

2001-07-24 Thread fgh

I completely understand and agree with the document below. But, he is
wanting to block a range from accessing something, not from one ip to
another.

access-list 1 deny 128.252.0.0 0.0.240.255
access-list 1 permit any

Read from top down
wildcard mask is read as match.match.range.don't care
if there is an ip address in that range, deny them
if they don't match that range, go to the next line and it permits any
without this last statement, everything would be denied

- Original Message -
From: Farhan Ahmed 
To: 'fgh' ; 
Sent: Tuesday, July 24, 2001 3:43 PM
Subject: RE: access list..cool up [7:13564]


Tac Certified Doc

Using Wildcard Masks in Access List Definitions
Question: How do I configure an access list to disallow network 10.90.0.0
255.255.0.0 from accessing 10.80.0.0 255.255.0.0, but allow it to access
others?

I've entered the following commands:

access list 101 deny ip 10.90.0.0 255.255.0.0 10.80.0.0 255.255.0.0

access list 101 permit ip any any

int vlan 90

ip access-group 101 out

But when I do a show run, I see the following:

access-list 102 deny ip 0.0.0.0 255.255.0.0 0.0.0.0 255.255.0.0

access-list 102 permit ip any any

Why does this happen?
Answer:

The problem is that you are using subnet masks rather than wildcard masks
in your access list definition.

A wildcard mask is just the opposite of a subnet mask: each time there is
a binary 1 in a subnet mask, you have to replace it with a 0 to get the
equivalent wildcard mask. In other words, if you have a subnet mask of
255.255.0.0, the equivalent wildcard mask is 0.0.255.255. The same idea
applies to a subnet mask of 255.255.255.252, which becomes 0.0.0.3 as a
wildcard mask.

For your access list, you should enter the following lines to your
configuration:

access-list 101 deny ip 10.90.0.0 0.0.255.255 10.80.0.0 0.0.255.255

access-list 101 permit ip any any

Then type sh run to verify that the above lines are unchanged.


Last Modified: 30-NOV-99




-Original Message-
From: fgh [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 25, 2001 12:40 AM
To: [EMAIL PROTECTED]
Subject: Re: access list.. [7:13564]


He wants to block the range 128.252.0.0-128.252.240.0 and permit all else.

access-list 1 deny 128.252.0.0 0.0.240.255
access-list 1 permit any

I have a CCIE and a sniffer instructor sitting next to me and they verified
that the above commands work for blocking the range and permitting
everything else.



- Original Message -
From: Ayers, Michael
To: 'fgh' ;
Sent: Tuesday, July 24, 2001 3:04 PM
Subject: RE: access list.. [7:13564]


> That should be 0.0.15.255, but that allows 240, and you have it backwards,
> you need to permit the first line (access-list 1 deny 128.252.0.0
> 0.0.15.255), and then deny the class b , then permit all else
>
>  -Original Message-
> From: fgh [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, July 24, 2001 1:02 PM
> To: [EMAIL PROTECTED]
> Subject: Re: access list.. [7:13564]
>
> access-list 1 deny 128.252.0.0 0.0.240.255
> access-list 1 permit any
>
> the 1st line blocks that range and the 2nd line allows all other traffic
>
>
>  i think? not positive though
>
>
> - Original Message -
> From: Farhan Ahmed
> To:
> Sent: Tuesday, July 24, 2001 1:28 PM
> Subject: access list.. [7:13564]
>
>
> > What mask would be used if you want to create an
> > access list where the IP addresses (128.252.0.0 to
> > 128.252.240.0) would be blocked
> > pls support with explanation,




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=13615&t=13564
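
An added example, not part of the original thread or the TAC document: it applies the wildcard rule quoted above (a 0 bit must equal the base address, a 1 bit is ignored) to the access-list entries from this thread and lists what each one matches. The function names and the probe addresses are this example's own.

```python
import ipaddress

def u32(dotted):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))

def normalize(base, wildcard):
    """Zero the don't-care bits of the base, as in the 'show run' output quoted above."""
    return str(ipaddress.IPv4Address(u32(base) & ~u32(wildcard) & 0xFFFFFFFF))

def matches(addr, base, wildcard):
    """True when addr equals base on every bit where the wildcard mask has a 0."""
    care = ~u32(wildcard) & 0xFFFFFFFF
    return (u32(addr) & care) == (u32(base) & care)

def match_count(wildcard):
    """Each 1 bit in the wildcard doubles the number of matching addresses."""
    return 1 << bin(u32(wildcard)).count("1")

def is_contiguous(wildcard):
    """True when the 1 bits form one run at the low end, i.e. a single address block."""
    w = u32(wildcard)
    return (w & (w + 1)) == 0

def third_octets(base, wildcard):
    """Third-octet values the entry matches, keeping the first two octets of base."""
    a, b = base.split(".")[:2]
    return [o for o in range(256) if matches(f"{a}.{b}.{o}.0", base, wildcard)]

if __name__ == "__main__":
    # ACL entries copied from the thread; the probe addresses are constructed.
    for base, wc in [("172.22.0.0", "0.0.31.255"),
                     ("128.252.0.0", "0.0.240.255"),
                     ("10.90.0.0", "255.255.0.0")]:
        print(f"{base} {wc}: normalizes to {normalize(base, wc)}, "
              f"{match_count(wc)} addresses, contiguous={is_contiguous(wc)}")
    print("third octets matched by 128.252.0.0 0.0.240.255:",
          third_octets("128.252.0.0", "0.0.240.255"))
    for probe in ("128.252.1.1", "128.252.16.200", "128.252.240.0", "128.252.241.0"):
        print(probe, matches(probe, "128.252.0.0", "0.0.240.255"))
```

Running the same check over an ACL before it is applied shows whether an entry covers one contiguous block or a scattered set of addresses.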



RE: access list.. [7:13564]

2001-07-24 Thread fgh

He wants to block the range 128.252.0.0-128.252.240.0 and permit all else.

access-list 1 deny 128.252.0.0 0.0.240.255
access-list 1 permit any




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=13607&t=13564



Re: access list.. [7:13564]

2001-07-24 Thread fgh

He wants to block the range 128.252.0.0-128.252.240.0 and permit all else.

access-list 1 deny 128.252.0.0 0.0.240.255
access-list 1 permit any

I have a CCIE and a sniffer instructor sitting next to me and they verified
that the above commands work for blocking the range and permitting
everything else.



- Original Message -
From: Ayers, Michael 
To: 'fgh' ; 
Sent: Tuesday, July 24, 2001 3:04 PM
Subject: RE: access list.. [7:13564]


> That should be 0.0.15.255, but that allows 240, and you have it backwards,
> you need to permit the first line (access-list 1 deny 128.252.0.0
> 0.0.15.255), and then deny the class b , then permit all else
>
>  -Original Message-
> From: fgh [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, July 24, 2001 1:02 PM
> To: [EMAIL PROTECTED]
> Subject: Re: access list.. [7:13564]
>
> access-list 1 deny 128.252.0.0 0.0.240.255
> access-list 1 permit any
>
> the 1st line blocks that range and the 2nd line allows all other traffic
>
>
>  i think? not positive though
>
>
> - Original Message -
> From: Farhan Ahmed
> To:
> Sent: Tuesday, July 24, 2001 1:28 PM
> Subject: access list.. [7:13564]
>
>
> > What mask would be used if you want to create an
> > access list where the IP addresses (128.252.0.0 to
> > 128.252.240.0) would be blocked
> > pls support with explanation,




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=13604&t=13564



Re: access list.. [7:13564]

2001-07-24 Thread fgh

I don't think the access list here you listed will block the whole range. He
is asking to block the range, not the 2 individual ip addresses.




- Original Message -
From: MikeN 
To: 
Sent: Tuesday, July 24, 2001 2:48 PM
Subject: Re: access list.. [7:13564]


> Okay.. default masks meaning classful class B.
> 128.252.0.0 with a subnet mask of 255.255.0.0
>  and
> 128.252.240.0  with a subnet mask of 255.255.0.0
>
> On a router you would use the wildcard mask (inverse) of the subnet mask:
>
> access-list 101 deny ip 128.252.0.0 0.0.255.255 128.252.240.0 0.0.255.255
> access-list 101 permit ip any any
> Then apply it to the interface with ip access-group 101 in or out
> depending on what interface it is applied to.
>
> It is easy to envision what the wildcard mask is and what it does if we
> view the decimal numbers in binary format:
> wildcard mask 0.0.255.255 = ...
> 0's = interesting part of the address is to the router; 1's = portion of
> address the router isn't going to care about. This portion of the
> address could be any number.
>
> If you list the ip address in binary above the wildcard mask, it looks
> like this:
>128   . 252 .  0.  0
> 1000.1100..
> ...
> 0  .  0.252 . 252
>
> The router will only view the portion of the address NOT blocked by 1's as
> interesting: 128.252.x.x
>
> You will need to grasp this concept before moving on to subnetting and
> supernetting.
>
> There are some excellent explanations for how this works in the Cisco
> Press CCNA books.
>
> To confirm, this is for routers and not the PIX ACLs.
>
> HTH
> MikeN
>
>
> "Farhan Ahmed" wrote in message news:[EMAIL PROTECTED]...
> > What mask would be used if you want to create an
> > access list where the IP addresses (128.252.0.0 to
> > 128.252.240.0) would be blocked
> > pls support with explanation,




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=13595&t=13564



Re: access list.. [7:13564]

2001-07-24 Thread fgh

access-list 1 deny 128.252.0.0 0.0.240.255
access-list 1 permit any

the 1st line blocks that range and the 2nd line allows all other traffic


 i think? not positive though


- Original Message -
From: Farhan Ahmed 
To: 
Sent: Tuesday, July 24, 2001 1:28 PM
Subject: access list.. [7:13564]


> What mask would be used if you want to create an
> access list where the IP addresses (128.252.0.0 to
> 128.252.240.0) would be blocked
> pls support with explanation,




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=13592&t=13564



Re: IP Helper Address [7:13539]

2001-07-24 Thread fgh

ip helper address can be used to find a DHCP server on a different segment
than the one you are on. Your computer will broadcast a DHCP request (layer 3,
which will not get through a router) for a DHCP server on a different
segment. ip helper address will allow your machine access to the DHCP server
through the router. However, be aware that ip helper address does open up
other ports.


- Original Message -
From: Jason Kinney 
To: 
Sent: Tuesday, July 24, 2001 11:52 AM
Subject: IP Helper Address [7:13539]


> I have heard this term "IP helper address" used to reference a default
> gateway.  Is an IP helper address the same as a default gateway?  If not
> what is an IP helper address?  Do you know where the term came from?
>
> Jason Kinney
> 925-961-0223




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=13558&t=13539



Re: Blocking the unsed IP [7:13514]

2001-07-24 Thread fgh

You can configure an access list to permit the ip's you want and there is an
implicit deny at the end of the access list. For example to permit 10.1.1.1
and deny everybody else: (make sure to apply the access list to an
interface)
access-list 1 permit 10.1.1.1 0.0.0.255


- Original Message -
From: Rajeev Karamchand 
To: 
Sent: Tuesday, July 24, 2001 10:36 AM
Subject: Blocking the unsed IP [7:13514]


> All
>
> Is there a way to block all unused external IP
>
>
>
>
> =
> Rajeev Karamchand
> MCSE,MCSE+I,MCDBA,CCNA
>




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=13523&t=13514