From: Daniel Sheedy (dansheedy@gmx.net)
Date: Sun Jul 25 2004 - 08:27:09 GMT-3
Hi Rohan,
What if you change it to a standard access list?
access-list 1 permit 1.0.0.1 0.0.0.0
You really don't care where it is going... because you are at the destination
where you wish to test the little blighter, to see if it is allowed in or
not.
So, you only need to see that it originated from the right place.
If it was a packet on its way to somewhere else, then maybe you would check
the source AND the destination. But that's another story, and not important
for here.
Then apply this on the line 0 4.
access-class 1 in
Then, don't forget, if R1 has multiple ways to get to R2, go over to R1 and
set the source interface for the telnet, so you are not having to put
multiple permit lines on R2.
ip telnet source-interface lo0
or whatever interface grabs your fancy.
Cheers
Dan Sheedy
----- Original Message -----
From: "Rohan Grover" <rohang@cisco.com>
To: <ccielab@groupstudy.com>
Sent: Sunday, July 25, 2004 11:36 AM
Subject: Access-class
> Hi,
>
> This is a really simple scenario but for some reason I'm unable to get it
> to work!!
>
> R1 ----------- R2
> 1.0.0.1   1.0.0.2
>
> All I want to do is deny telnet access on R2 to everyone except from
> 1.0.0.1(R1) to 1.0.0.2(R2).
>
> So I use access list
>
> 'access-list 100 permit tcp host 1.0.0.1 host 1.0.0.2 eq telnet'
>
> And apply it on vty 0 4 of R2 as 'access-class 100 in'
>
> I see that this blocks ALL telnet access.
>
> If I change the access-list to
>
> 'access-list 100 permit tcp host 1.0.0.1 any eq telnet', then it allows
> telnet access only from 1.0.0.1 to any interface on R2,
> which is not what I want.
>
> Is there anything I'm missing regarding use of access-class? Some
> restriction on destination host?
>
> Thanks
> Rohan
>
This archive was generated by hypermail 2.1.4 : Sun Aug 01 2004 - 10:12:02 GMT-3
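
Added example, not part of the original thread: a small Python model of how the standard ACL from the reply is matched against the source address of an incoming vty session, showing why a session sourced from a different R1 interface falls through to the implicit deny. The address 2.0.0.1 for a second R1 interface and the function names are assumptions made for illustration.

```python
import ipaddress

def parse_standard_acl(lines):
    """Parse 'access-list N permit|deny ADDR [WILDCARD]' lines into rules."""
    rules = []
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            raise ValueError(f"unsupported ACL line: {line!r}")
        if tok[3] == "any":
            addr, wildcard = 0, 0xFFFFFFFF
        elif tok[3] == "host":
            addr, wildcard = int(ipaddress.IPv4Address(tok[4])), 0
        else:
            addr = int(ipaddress.IPv4Address(tok[3]))
            # A missing wildcard means an exact host match (0.0.0.0).
            wildcard = int(ipaddress.IPv4Address(tok[4])) if len(tok) > 4 else 0
        rules.append((tok[2], addr, wildcard))
    return rules

def vty_allows(rules, source_ip):
    """First matching rule wins; no match falls through to the implicit deny."""
    src = int(ipaddress.IPv4Address(source_ip))
    for action, addr, wildcard in rules:
        care = ~wildcard & 0xFFFFFFFF  # wildcard bits set to 1 are ignored
        if (src & care) == (addr & care):
            return action == "permit"
    return False

# The ACL from the reply, applied to the vty lines with 'access-class 1 in'.
ACL = parse_standard_acl(["access-list 1 permit 1.0.0.1 0.0.0.0"])

if __name__ == "__main__":
    # Constructed test sources: R1's link address, a second R1 interface
    # (hypothetical 2.0.0.1, used when no telnet source-interface is set),
    # and an unrelated host.
    for src in ("1.0.0.1", "2.0.0.1", "10.9.8.7"):
        print(src, "permit" if vty_allows(ACL, src) else "deny")
```
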