From: Gregg Malcolm (greggm@xxxxxxxxxxxxx)
Date: Mon Apr 08 2002 - 20:36:48 GMT-3
Gang,
Working on IPX today (again). One of my tasks was trying to make sure that I
understand all the ways to filter traffic on an int. In this example, I'm
denying R9 (internal net 9999) access to a token-ring on R1 (net 10). IPX
access-group 901 in on serial int on R1. Test is IPX ping from R9 to R1.
First thing I did was the following (it worked fine).
access-list 901 deny any 9999.0000.0000.0001 all 10.0000.306e.5477 all log
access-list 901 per any any all any all
07:01:35: %IPX-6-NOVACCESSLOG: 901 deny ping nping 9999.0000.0000.0001 nping 10.0000.306e.5477 1 pkt
Then, to test my understanding, I tried:
access-list 901 deny any 9999.0000.0000.0001 0.0000.0000.0000 all 10.0000.306e.5477 0.0000.0000.0000 all log
Which also worked. Then, one more test:
access-list 901 deny any 9999.0000.0000.0001 ff.ffff.ffff.ffff all 10.0000.306e.5477 ff.ffff.ffff.ffff all log
Which did not work. It permitted the pings. Shouldn't the ff's mask deny
9999,999A,999B...99A9,99AA.....thru 99FF ?
It's got me a little puzzled.
Thanks, Gregg