Re: Easier way to do Access-lists
Title: Easier way to do Access-lists

How about:

access-list 111 deny ip 211.0.0.0 0.255.255.255 any log
access-list 111 deny ip 212.0.0.0 0.255.255.255 any log
access-list 111 permit ip any any

This would still allow your 214.3.1.50 host to have its access.

The two denies CAN be put together into a single statement using:

access-list 111 deny ip 207.0.0.0 7.255.255.255 any log

but as you can see it is horribly inefficient, as it will deny 207 to 215. The 211/212 combination are in different subnets for a 3.255.255.255 wildcard.

Comment: Looks like the 214.3.1.50 host is your SNMP Server. Your existing ACL at first glance appears to be isolating this Server... but then the bottom line hits and you're still allowing all access. Your first 6 permit statements are useless.

HTH

Kevin L. Kultgen
MCSE+I, MCDBA, CCNA, CNX-A, A+, Network+, i-Net+/CIW
IRIS Systems Inc, MCSP
Calgary, Alberta

- Original Message -
From: "Deloso, Elmer G."
Newsgroups: groupstudy.cisco
Sent: Thursday, August 17, 2000 11:58 AM
Subject: Easier way to do Access-lists

Hi, group.
Below is a sample ACL, and I need to find out if there's an easier way to input these seemingly redundant entries. Thanks.

access-list 111 permit tcp host 214.3.1.50 any range 6000 6063 log
access-list 111 permit tcp any host 214.3.1.50 range 6000 6063 log
access-list 111 permit tcp host 214.3.1.50 any eq 161 log
access-list 111 permit tcp any host 214.3.1.50 eq 161 log
access-list 111 permit udp host 214.3.1.50 any eq 161 log
access-list 111 permit tcp any host 214.3.1.50 eq 161 log
access-list 111 deny ip 211.0.0.0 0.255.255.255 any log
access-list 111 deny ip 212.0.0.0 0.255.255.255 any log
access-list 111 permit ip any any

Elmer
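Added example, not part of the thread: a check of what a single base/wildcard entry really covers when the 211.0.0.0 and 212.0.0.0 denies are folded into one ACE, using Python's ipaddress module. The function names wildcard_summary and covered_by are chosen here; the input prefixes are the two /8s from the message above.

```python
import ipaddress


def wildcard_summary(prefixes):
    """Smallest single 'base wildcard' ACE that covers every prefix given.
    Returns (base, wildcard, first address, last address, extra addresses),
    where 'extra' is the collateral the summary matches beyond the inputs
    (inputs are assumed not to overlap, as with the /8s in the thread)."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    plen = min(n.prefixlen for n in nets)
    # shorten the prefix until every network shares the same leading bits
    while len({int(n.network_address) >> (32 - plen) for n in nets}) > 1:
        plen -= 1
    base = (int(nets[0].network_address) >> (32 - plen)) << (32 - plen)
    summary = ipaddress.IPv4Network((base, plen))
    extra = summary.num_addresses - sum(n.num_addresses for n in nets)
    # hostmask is the inverted netmask, i.e. the IOS wildcard
    return (str(summary.network_address), str(summary.hostmask),
            str(summary[0]), str(summary[-1]), extra)


def covered_by(addr, base, wildcard):
    """IOS wildcard semantics: a set bit in the wildcard is a don't-care bit."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)


if __name__ == "__main__":
    # the two deny entries from the posted ACL
    print(wildcard_summary(["211.0.0.0/8", "212.0.0.0/8"]))
```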
Re: Easier way to do Access-lists
Title: Easier way to do Access-lists

Scratch that... Next to useless. It would allow for the denied IPs to talk to the SNMP? Server, but that's about all.

Kevin L. Kultgen
MCSE+I, MCDBA, CCNA, CNX-A, A+, Network+, i-Net+/CIW
IRIS Systems Inc, MCSP
Calgary, Alberta

- Original Message -
From: "Kevin L. Kultgen"
Newsgroups: groupstudy.cisco
Sent: Thursday, August 17, 2000 12:22 PM
Subject: Re: Easier way to do Access-lists

How about:

access-list 111 deny ip 211.0.0.0 0.255.255.255 any log
access-list 111 deny ip 212.0.0.0 0.255.255.255 any log
access-list 111 permit ip any any

This would still allow your 214.3.1.50 host to have its access.

The two denies CAN be put together into a single statement using:

access-list 111 deny ip 207.0.0.0 7.255.255.255 any log

but as you can see it is horribly inefficient, as it will deny 207 to 215. The 211/212 combination are in different subnets for a 3.255.255.255 wildcard.

Comment: Looks like the 214.3.1.50 host is your SNMP Server. Your existing ACL at first glance appears to be isolating this Server... but then the bottom line hits and you're still allowing all access. Your first 6 permit statements are useless.

HTH

Kevin L. Kultgen
MCSE+I, MCDBA, CCNA, CNX-A, A+, Network+, i-Net+/CIW
IRIS Systems Inc, MCSP
Calgary, Alberta

- Original Message -
From: "Deloso, Elmer G."
Newsgroups: groupstudy.cisco
Sent: Thursday, August 17, 2000 11:58 AM
Subject: Easier way to do Access-lists

Hi, group.
Below is a sample ACL, and I need to find out if there's an easier way to input these seemingly redundant entries. Thanks.

access-list 111 permit tcp host 214.3.1.50 any range 6000 6063 log
access-list 111 permit tcp any host 214.3.1.50 range 6000 6063 log
access-list 111 permit tcp host 214.3.1.50 any eq 161 log
access-list 111 permit tcp any host 214.3.1.50 eq 161 log
access-list 111 permit udp host 214.3.1.50 any eq 161 log
access-list 111 permit tcp any host 214.3.1.50 eq 161 log
access-list 111 deny ip 211.0.0.0 0.255.255.255 any log
access-list 111 deny ip 212.0.0.0 0.255.255.255 any log
access-list 111 permit ip any any

Elmer
Re: Easier way to do Access-lists
What is strange about it is that I can't tell where 214.3.2.50 is in relation to the router interface on which this list is applied.

The first two lines allow tcp connections on ports between 6000 and 6063 both TO and FROM host 214.3.2.50.

Which direction is this list applied, and on which interface?

Say for argument that it is an incoming list on int s0. Let's say that host 214.3.2.50 opens a tcp connection on port 6001 to some host not on its local subnet. The packet will hit int s0, and be subject to the list. It matches line one, and so it is permitted. The intended recipient receives the message, and replies. Without even going into which port the reply is sent to, is it true that the reply will ALSO COME INTO s0? If not, then why permit traffic TO as well as FROM? Is host 214.3.2.50 a server that is one of many offering services on ports 6000 - 6063?

OR - is this list applied to multiple interfaces and for simplicity's sake includes entries for either direction? Hmmm...

By the way, lines 4 and 6 are identical. Maybe line 6 was intended to filter UDP?

Other than lines 4 and 6, this list is not redundant, but without seeing a drawing I have to say that depending on how many interfaces it is applied to and what direction(s) it is applied, I am not sure that this list does what the author thinks it does...

Does that help?

Dale
[=`)

>From: "Deloso, Elmer G." <[EMAIL PROTECTED]>
>Reply-To: "Deloso, Elmer G." <[EMAIL PROTECTED]>
>To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
>Subject: Easier way to do Access-lists
>Date: Thu, 17 Aug 2000 13:59:16 -0400
>
>Hi, group.
>Below is a sample ACL, and I need to find out if there's an easier way to
>input
>these seemingly redundant entries. Thanks.
>
>access-list 111 permit tcp host 214.3.1.50 any range 6000 6063 log
>access-list 111 permit tcp any host 214.3.1.50 range 6000 6063 log
>access-list 111 permit tcp host 214.3.1.50 any eq 161 log
>access-list 111 permit tcp any host 214.3.1.50 eq 161 log
>access-list 111 permit udp host 214.3.1.50 any eq 161 log
>access-list 111 permit tcp any host 214.3.1.50 eq 161 log
>access-list 111 deny ip 211.0.0.0 0.255.255.255 any log
>access-list 111 deny ip 212.0.0.0 0.255.255.255 any log
>access-list 111 permit ip any any
>
>Elmer

___
UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
FAQ, list archives, and subscription info: http://www.groupstudy.com
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Easier way to do Access-lists
This is shorter but would deny traffic that was originally permitted - from hosts on 211 & 212 to 214.3.1.50 using the specified protocols & ports - assuming that's really what you are trying to accomplish. Remember the general rule for access lists of least specific to most specific.

On the 1st 6 lines though, 3 have 214.3.1.50 as source, 3 have it as destination. Assuming you're only going to apply the list to an interface in one direction, half of those lines are useless.

Also, in a production environment, you have to remember it's not how long it takes to type the list that's important, it's how long most packets take to find a match in the list that affects performance.

>>> "Kevin L. Kultgen" <[EMAIL PROTECTED]> 08/17 11:22 AM >>>
Easier way to do Access-lists

How about:

access-list 111 deny ip 211.0.0.0 0.255.255.255 any log
access-list 111 deny ip 212.0.0.0 0.255.255.255 any log
access-list 111 permit ip any any

This would still allow your 214.3.1.50 host to have its access.

The two denies CAN be put together into a single statement using:

access-list 111 deny ip 207.0.0.0 7.255.255.255 any log

but as you can see it is horribly inefficient, as it will deny 207 to 215. The 211/212 combination are in different subnets for a 3.255.255.255 wildcard.

Comment: Looks like the 214.3.1.50 host is your SNMP Server. Your existing ACL at first glance appears to be isolating this Server... but then the bottom line hits and you're still allowing all access. Your first 6 permit statements are useless.

HTH

Kevin L. Kultgen
MCSE+I, MCDBA, CCNA, CNX-A, A+, Network+, i-Net+/CIW
IRIS Systems Inc, MCSP
Calgary, Alberta

- Original Message -
From: "Deloso, Elmer G."
Newsgroups: groupstudy.cisco
Sent: Thursday, August 17, 2000 11:58 AM
Subject: Easier way to do Access-lists

Hi, group.
Below is a sample ACL, and I need to find out if there's an easier way to input these seemingly redundant entries. Thanks.

access-list 111 permit tcp host 214.3.1.50 any range 6000 6063 log
access-list 111 permit tcp any host 214.3.1.50 range 6000 6063 log
access-list 111 permit tcp host 214.3.1.50 any eq 161 log
access-list 111 permit tcp any host 214.3.1.50 eq 161 log
access-list 111 permit udp host 214.3.1.50 any eq 161 log
access-list 111 permit tcp any host 214.3.1.50 eq 161 log
access-list 111 deny ip 211.0.0.0 0.255.255.255 any log
access-list 111 deny ip 212.0.0.0 0.255.255.255 any log
access-list 111 permit ip any any

Elmer
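Added example, not part of the thread: a first-match walk of the posted ACL 111 so the ordering point above (what the three-line version denies that the original list permitted, and what the bottom "permit ip any any" lets through) can be checked against concrete packets. The ACE strings are constructed from the list as posted; parse_ace and evaluate are names chosen here, and interface direction is not modelled.

```python
import ipaddress

# Constructed from the ACL posted in the thread, one ACE per string
ACL_111 = [
    "access-list 111 permit tcp host 214.3.1.50 any range 6000 6063 log",
    "access-list 111 permit tcp any host 214.3.1.50 range 6000 6063 log",
    "access-list 111 permit tcp host 214.3.1.50 any eq 161 log",
    "access-list 111 permit tcp any host 214.3.1.50 eq 161 log",
    "access-list 111 permit udp host 214.3.1.50 any eq 161 log",
    "access-list 111 permit tcp any host 214.3.1.50 eq 161 log",
    "access-list 111 deny ip 211.0.0.0 0.255.255.255 any log",
    "access-list 111 deny ip 212.0.0.0 0.255.255.255 any log",
    "access-list 111 permit ip any any",
]
SHORT_111 = ACL_111[6:]   # the three-line version proposed in the replies

def ip_int(s):
    return int(ipaddress.IPv4Address(s))

def parse_ace(line):
    """Parse 'access-list N action proto SRC [PORT] DST [PORT] [log]' where
    SRC/DST is any | host A | A WILDCARD and PORT is eq N | range A B."""
    t, fields, i = line.split(), [], 4   # index 4: first token after proto
    for _ in range(2):                   # source spec, then destination spec
        if t[i] == "any":
            base, wild, i = 0, 0xFFFFFFFF, i + 1
        elif t[i] == "host":
            base, wild, i = ip_int(t[i + 1]), 0, i + 2
        else:
            base, wild, i = ip_int(t[i]), ip_int(t[i + 1]), i + 2
        lo, hi = 0, 65535                # no port clause matches every port
        if i < len(t) and t[i] == "eq":
            lo, hi, i = int(t[i + 1]), int(t[i + 1]), i + 2
        elif i < len(t) and t[i] == "range":
            lo, hi, i = int(t[i + 1]), int(t[i + 2]), i + 3
        fields += [(base, wild), (lo, hi)]
    return (t[2], t[3], *fields)         # action, proto, src, sport, dst, dport

def evaluate(acl, proto, sip, sport, dip, dport):
    """Action of the first ACE matching the packet; a Cisco ACL ends with an
    implicit deny, so no match means 'deny'."""
    for action, p, (sb, sw), (sl, sh), (db, dw), (dl, dh) in map(parse_ace, acl):
        # wildcard match: bits set in the wildcard are don't-care bits
        if (p in ("ip", proto) and (ip_int(sip) | sw) == (sb | sw)
                and sl <= sport <= sh and (ip_int(dip) | dw) == (db | dw)
                and dl <= dport <= dh):
            return action
    return "deny"
```

A host in 211/8 polling 214.3.1.50 on tcp/161 is permitted by line 4 of the original but denied by the short list, while the same poll over udp/161 is already denied by the original because line 5 only matches traffic from the server.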
Re: Easier way to do Access-lists
Easier way to do Access-lists

Elmer:

This is my guess. Do you have the answer?

access-list 111 deny ip 211.0.0.0 0.255.255.255 any log
access-list 111 deny ip 212.0.0.0 0.255.255.255 any log
access-list 111 permit ip any any

===
"Deloso, Elmer G." <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...

Hi, group.
Below is a sample ACL, and I need to find out if there's an easier way to input these seemingly redundant entries. Thanks.

access-list 111 permit tcp host 214.3.1.50 any range 6000 6063 log
access-list 111 permit tcp any host 214.3.1.50 range 6000 6063 log
access-list 111 permit tcp host 214.3.1.50 any eq 161 log
access-list 111 permit tcp any host 214.3.1.50 eq 161 log
access-list 111 permit udp host 214.3.1.50 any eq 161 log
access-list 111 permit tcp any host 214.3.1.50 eq 161 log
access-list 111 deny ip 211.0.0.0 0.255.255.255 any log
access-list 111 deny ip 212.0.0.0 0.255.255.255 any log
access-list 111 permit ip any any

Elmer
Re: Easier way to do Access-lists
Dale: You really think DEEP. (You meant 214.3.1.50 instead of 214.3.2.50, right?)

"Dale Holmes" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> What is strange about it is that I can't tell where 214.3.2.50 is in
> relation to the router interface on which this list is applied.
>
> The first two lines allow tcp connections on ports between 6000 and 6063
> both TO and FROM host 214.3.2.50.
>
> Which direction is this list applied, and on which interface?
>
> Say for argument that it is an incoming list on int s0. Let's say that host
> 214.3.2.50 opens a tcp connection on port 6001 to some host not on its local
> subnet. The packet will hit int s0, and be subject to the list. It matches
> line one, and so it is permitted. The intended recipient receives the
> message, and replies. Without even going into which port the reply is sent
> to, is it true that the reply will ALSO COME INTO s0? If not, then why
> permit traffic TO as well as FROM? Is host 214.3.2.50 a server that is one
> of many offering services on ports 6000 - 6063?
>
> OR - is this list applied to multiple interfaces and for simplicity's sake
> includes entries for either direction? Hmmm...
>
> By the way, lines 4 and 6 are identical. Maybe line 6 was intended to filter
> UDP?
>
> Other than lines 4 and 6, this list is not redundant, but without seeing a
> drawing I have to say that depending on how many interfaces it is applied to
> and what direction(s) it is applied, I am not sure that this list does what
> the author thinks it does...
>
> Does that help?
>
> Dale
> [=`)
>
> >From: "Deloso, Elmer G." <[EMAIL PROTECTED]>
> >Reply-To: "Deloso, Elmer G." <[EMAIL PROTECTED]>
> >To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> >Subject: Easier way to do Access-lists
> >Date: Thu, 17 Aug 2000 13:59:16 -0400
> >
> >Hi, group.
> >Below is a sample ACL, and I need to find out if there's an easier way to
> >input
> >these seemingly redundant entries. Thanks.
> >
> >access-list 111 permit tcp host 214.3.1.50 any range 6000 6063 log
> >access-list 111 permit tcp any host 214.3.1.50 range 6000 6063 log
> >access-list 111 permit tcp host 214.3.1.50 any eq 161 log
> >access-list 111 permit tcp any host 214.3.1.50 eq 161 log
> >access-list 111 permit udp host 214.3.1.50 any eq 161 log
> >access-list 111 permit tcp any host 214.3.1.50 eq 161 log
> >access-list 111 deny ip 211.0.0.0 0.255.255.255 any log
> >access-list 111 deny ip 212.0.0.0 0.255.255.255 any log
> >access-list 111 permit ip any any
> >
> >Elmer