From: Earl Aboytes (earl@xxxxxxxxxxxx)
Date: Tue May 16 2000 - 13:06:45 GMT-3
access-list access-list-number {deny | permit} protocol
[source-network[.source-node
[source-network-mask.source-node-mask]]
source-socket [destination-network
[.destination-node
[destination-network-mask.destination-node-mask] destination-socket] [log]
If the syntax is access-list 901 deny any any all any rip,
where the first any is all protocols, why would you want to deny only an
undefined protocol by putting a 0 there?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Earl Aboytes
Senior Technical Consultant
GTE Managed Solutions
805-381-8817
earl.aboytes@telops.gte.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of Frank
K. Lu
Sent: Tuesday, May 16, 2000 7:11 AM
To: Kevin Young; ccielab
Subject: Re: IPX access-list
Sorry Kevin... Didn't pay attention to the ACL number... I see what you are
saying. Good question, sorry no answer for you.
-Frank
"Frank K. Lu" wrote:
> Kevin,
>
> I thought "-1" should be "all network", not the protocol type.
>
> -Frank
>
> Kevin Young wrote:
>
> > Hi, everyone, there is an ipx access-list question that puzzled me:
> > Caslow's book said, create an ipx dialer-list to block rip and sap traffic,
> > access-list 901 deny -1 ffffffff 0 ffffffff rip
> > access-list 901 deny -1 ffffffff 0 ffffffff sap
> > dialer-list 1 protocol ipx permit list 901
> > '-1' means all protocol types, '0' means all source sockets, 'rip' and
> > 'sap' mean destination sockets.
> > but also the book said: setting the protocol to '0' means an undefined
> > protocol, refer to the socket number to determine the packet type. so I think
> > it should be:
> > access-list 901 deny 0 ffffffff 0 ffffffff rip
> > access-list 901 deny 0 ffffffff 0 ffffffff sap
> > access-list 901 permit -1 any 0 any 0
> > dialer-list 1 protocol ipx permit list 901
> > What do you think? What's the difference?
> >
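
As an added example (not part of any message in the thread, and not Cisco's own parser), this Python code labels the positional fields of the extended IPX entries quoted above and reports which field differs between two entries. It assumes the socket is always given, treats `-1`/`any`, `ffffffff` and `0`/`all` as the wildcards used in the thread, and all function names are hypothetical.

```python
# Added example (not from the thread): label the positional fields of an
# extended IPX access-list entry, following the syntax quoted in the thread.
ANY_PROTOCOL = {"-1", "any"}             # protocol wildcard
ANY_NETWORK = {"-1", "ffffffff", "any"}  # network wildcard (-1 == FFFFFFFF)
ALL_SOCKETS = {"0", "all"}               # socket wildcard


def _endpoint(tokens):
    """Consume network[.node] [net-mask.node-mask] socket from the front."""
    addr = tokens.pop(0).lower() if tokens else None
    # A mask is a separate dotted token; assumption: the socket is always given.
    mask = tokens.pop(0).lower() if tokens and "." in tokens[0] else None
    sock = tokens.pop(0).lower() if tokens else None
    net = addr.split(".", 1)[0] if addr else None
    return {"network": "any" if net in ANY_NETWORK else addr,
            "mask": mask,
            "socket": "all" if sock in ALL_SOCKETS else sock}


def parse_ipx_acl(line):
    """Return the entry's fields by position: protocol comes first."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError("not an access-list entry: %r" % line)
    number = int(tok[1])
    if not 900 <= number <= 999:
        raise ValueError("extended IPX lists are numbered 900-999")
    rest = tok[4:]
    log = bool(rest) and rest[-1] == "log"
    if log:
        rest.pop()
    proto = tok[3].lower()
    return {"list": number, "action": tok[2],
            "protocol": "any" if proto in ANY_PROTOCOL else proto,
            "source": _endpoint(rest), "destination": _endpoint(rest),
            "log": log}


def differing_fields(a, b):
    """Names of the parsed fields in which two entries differ."""
    pa, pb = parse_ipx_acl(a), parse_ipx_acl(b)
    return [k for k in pa if pa[k] != pb[k]]


BOOK = "access-list 901 deny -1 ffffffff 0 ffffffff rip"     # from the thread
PROPOSED = "access-list 901 deny 0 ffffffff 0 ffffffff rip"  # from the thread
KEYWORDS = "access-list 901 deny any any all any rip"        # from the thread

if __name__ == "__main__":
    print(parse_ipx_acl(BOOK))
    print(differing_fields(BOOK, PROPOSED), differing_fields(BOOK, KEYWORDS))
```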
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:23:29 GMT-3