500  Chapter 9  Troubleshooting Novell Connectivity
access-list access-list-number [deny|permit] protocol
    [source-network][[[.source-node] source-node-mask] |
    [.source-node source-network-mask.source-node-mask]]
    [source-socket]
    [destination-network][[[.destination-node] destination-node-mask] |
    [.destination-node destination-network-mask.destination-node-mask]]
    [destination-socket]
As an example, a simple extended access list is presented below using the
format access-list [number] [permit|deny] [protocol] [source] [socket]
[destination] [socket]. As shown previously, this format can be expanded
with additional node and mask fields.
RouterA#config t
Enter configuration commands, one per line. End with CNTL/Z.
RouterA(config)#access-list 910 deny -1 50 0 10 0
RouterA(config)#access-list 910 permit -1 -1 0 -1 0
RouterA(config)#int e0
RouterA(config-if)#ipx access-group 910 out
RouterA(config-if)#^Z
The keyword any may be used in place of the -1 network parameter, depending
on the IOS version in use. Also, some versions of the IOS may report an
"unrecognized command" error in response to the command access-list 910
deny -1 ?. Administrators should use the online help and test configuration
commands within the specific IOS installed.
Extended access list 910 is configured to deny all IPX protocols from
network 50 that are destined for network 10. Using -1 in the protocol field
serves as a wildcard for all protocols; -1 in the source or destination
network field serves as a wildcard for all networks. Recall that every
access list ends with an implicit deny. The second line of access list 910
overrides this deny by permitting all packets that were not denied by the
first line.
Online help is available by typing ? and should be referenced when using any
unfamiliar command.
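The following is an added example, not code from the Sybex chapter or from Cisco IOS: a small Python model of how a router evaluates an IPX extended access list written in the simplified form shown above. It parses the two lines of access list 910, applies them to constructed sample packets, and shows the implicit deny and the effect of line order. Assumptions that go beyond the chapter text: network numbers and sockets are parsed as hexadecimal (the way IOS displays them), the protocol field as decimal, and a socket value of 0 is treated as "all sockets"; the class and function names are the example's own.

```python
# Added example, not code from the chapter or from IOS. Models first-match
# evaluation of an IPX extended access list in the simplified format:
#   access-list N {permit|deny} protocol src-net src-socket dst-net dst-socket
# Assumptions: networks and sockets parsed as hex, protocol as decimal,
# -1 = all protocols/networks, socket 0 = all sockets.
from dataclasses import dataclass
from typing import List

WILDCARD_NET = -1     # -1 in the protocol, source or destination field: match all
WILDCARD_SOCKET = 0   # 0 in a socket field: match all sockets (assumption)


@dataclass(frozen=True)
class IpxPacket:
    protocol: int
    src_net: int
    src_socket: int
    dst_net: int
    dst_socket: int


@dataclass(frozen=True)
class AclEntry:
    number: int
    action: str          # "permit" or "deny"
    protocol: int
    src_net: int
    src_socket: int
    dst_net: int
    dst_socket: int

    def matches(self, pkt: IpxPacket) -> bool:
        """True when every field is either the wildcard or equal to the packet's."""
        return (self.protocol in (WILDCARD_NET, pkt.protocol)
                and self.src_net in (WILDCARD_NET, pkt.src_net)
                and self.src_socket in (WILDCARD_SOCKET, pkt.src_socket)
                and self.dst_net in (WILDCARD_NET, pkt.dst_net)
                and self.dst_socket in (WILDCARD_SOCKET, pkt.dst_socket))

    def covers(self, other: "AclEntry") -> bool:
        """True when every packet matched by `other` is also matched by self."""
        def field_covers(mine: int, theirs: int, wild: int) -> bool:
            return mine == wild or mine == theirs
        return (field_covers(self.protocol, other.protocol, WILDCARD_NET)
                and field_covers(self.src_net, other.src_net, WILDCARD_NET)
                and field_covers(self.src_socket, other.src_socket, WILDCARD_SOCKET)
                and field_covers(self.dst_net, other.dst_net, WILDCARD_NET)
                and field_covers(self.dst_socket, other.dst_socket, WILDCARD_SOCKET))


def parse_acl_line(line: str) -> AclEntry:
    """Parse one 'access-list N {permit|deny} proto src sock dst sock' line."""
    tokens = line.split()
    if len(tokens) != 8 or tokens[0] != "access-list":
        raise ValueError(f"unsupported access-list line: {line!r}")
    number = int(tokens[1])
    if not 900 <= number <= 999:
        raise ValueError("IPX extended access lists are numbered 900-999")
    action = tokens[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"action must be permit or deny, got {action!r}")
    return AclEntry(number=number, action=action,
                    protocol=int(tokens[3]),         # decimal packet type, -1 = all
                    src_net=int(tokens[4], 16),      # hex network, -1 = all
                    src_socket=int(tokens[5], 16),   # hex socket, 0 = all
                    dst_net=int(tokens[6], 16),
                    dst_socket=int(tokens[7], 16))


def evaluate(acl: List[AclEntry], pkt: IpxPacket) -> str:
    """First matching entry decides; no match falls through to the implicit deny."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return "deny"


def shadowed_entries(acl: List[AclEntry]) -> List[int]:
    """Indexes of entries that can never match because an earlier entry covers them."""
    return [i for i, entry in enumerate(acl)
            if any(earlier.covers(entry) for earlier in acl[:i])]


# The chapter's access list 910, given as the CLI lines shown above.
ACL_910 = [parse_acl_line(line) for line in (
    "access-list 910 deny -1 50 0 10 0",
    "access-list 910 permit -1 -1 0 -1 0",
)]

# Constructed sample packets: NCP (type 17) to socket 451 on network 10.
PKT_50_TO_10 = IpxPacket(17, 0x50, 0x4003, 0x10, 0x451)
PKT_20_TO_10 = IpxPacket(17, 0x20, 0x4003, 0x10, 0x451)

if __name__ == "__main__":
    print(evaluate(ACL_910, PKT_50_TO_10))          # deny: first line matches
    print(evaluate(ACL_910, PKT_20_TO_10))          # permit: second line matches
    print(evaluate(ACL_910[:1], PKT_20_TO_10))      # deny: implicit deny, no permit line
    print(shadowed_entries(list(reversed(ACL_910))))  # [1]: permit-all first hides the deny
```

The shadowed_entries check is the audit a practitioner wants before applying a list with ipx access-group: if the permit-all line were entered before the deny, the deny could never match, and the router would silently pass the traffic the list was meant to block.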
Copyright ©2000 SYBEX , Inc., Alameda, CA
www.sybex.com