More comments inline
JMcL
---------------------- Forwarded by Jenny Mcleod/NSO/CSDA on 08/02/2001 11:54 am ---------------------------


John Neiberger <[EMAIL PROTECTED]>@groupstudy.com on 08/02/2001 04:24:17 am

Please respond to John Neiberger <[EMAIL PROTECTED]>

Sent by:  [EMAIL PROTECTED]



To:   [EMAIL PROTECTED]
cc:   [EMAIL PROTECTED]


Subject:  Re: Access-List Statement Clearification Request


Comments inline.

>
> --- Start ---
> Statement:  "You can only assign one access list per interface, per
> protocol, or per direction"
>
> Question 1:  Would this be correct as to an overall general understanding of
> this statement?
>
> interface ethernet 0
>  ip address 192.1.1.1 255.255.255.0
>  ip access-group 1 in
>  ip access-group 2 out
>  ipx access-group 3 in
>  ipx access-group 4 out
>

Yes, this is correct.
JMcL: it is incorrect for the same reason as the next example is incorrect
- access-list numbers 3 and 4 are IP access lists and can't be used for IPX
access lists.  However, the following should be fine...

 interface ethernet 0
  ip address 192.1.1.1 255.255.255.0
  ip access-group 1 in
  ip access-group 2 out
  ipx access-group 800 in
  ipx access-group 801 out


> Question 2: Can this possibly imply the following:
>  (intuition says not possible because there are duplicate access lists on
> the single interface)
>
> interface ethernet 0
>  ip address 192.1.1.1 255.255.255.0
>  ip access-group 1 in
>  ip access-group 2 out
>  ipx access-group 1 in
>  ipx access-group 2 out
> --- Finish ---

This is not correct because access list numbers 1-99 are IP access lists.
They could not possibly be used in an IPX access group statement.

JMcL: John's correct, this is not valid, but not simply because the numbers
are the same.  You can't use the same number for different protocols simply
because the syntax of the statement is wrong, not the combination of
statements.

What might be a better example is that the following is legal (I'm not sure
what sort of access-list would make it *useful*, but it is legal):

 interface ethernet 0
  ip address 192.1.1.1 255.255.255.0
  ip access-group 1 in
  ip access-group 1 out

However the following is NOT correct:

 interface ethernet 0
  ip address 192.1.1.1 255.255.255.0
  ip access-group 1 in
  ip access-group 100 in

Here, access-list 1 is a standard IP access-list and access-list 100 is an
extended access-list.  Although they are different 'types' of access-list,
with different formats, they are both IP access-lists, and if you type this
in you will find that 'ip access-group 1 in' is overwritten - only ip
access-group 100 will be applied.
JMcL


_________________________________
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
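
A small checker for the two rules discussed in this thread, added here as an example and not part of the original messages: the access-list number must fall in a range belonging to the protocol, and a second list for the same protocol and direction replaces the first. The function name and the 800-999 IPX range (standard IOS numbering, of which the thread shows only 800 and 801) are assumptions of this sketch.

```python
import re

# Numbered ACL ranges per protocol (classic IOS numbering; the expanded
# IP ranges are left out of this sketch).
RANGES = {"ip": [(1, 99), (100, 199)], "ipx": [(800, 899), (900, 999)]}
GROUP_RE = re.compile(r"^\s*(ipx?)\s+access-group\s+(\d+)\s+(in|out)\s*$")

def check_interface(config):
    """Return (effective, findings) for one interface stanza.

    effective maps (protocol, direction) to the ACL number left in force;
    findings lists wrong-range numbers and overwritten bindings.
    """
    effective, findings = {}, []
    for line in config.splitlines():
        m = GROUP_RE.match(line)
        if not m:
            continue  # not an access-group statement
        proto, num, direction = m.group(1), int(m.group(2)), m.group(3)
        if not any(lo <= num <= hi for lo, hi in RANGES[proto]):
            findings.append(f"invalid: {num} is not an {proto.upper()} access-list number")
            continue
        slot = (proto, direction)
        if slot in effective and effective[slot] != num:
            findings.append(
                f"overwritten: {proto} {direction} {effective[slot]} replaced by {num}")
        effective[slot] = num  # one list per protocol per direction: last one wins
    return effective, findings

# Interface stanzas taken from the thread above.
QUESTION_1 = """interface ethernet 0
 ip address 192.1.1.1 255.255.255.0
 ip access-group 1 in
 ip access-group 2 out
 ipx access-group 3 in
 ipx access-group 4 out"""
CORRECTED = QUESTION_1.replace("group 3", "group 800").replace("group 4", "group 801")
OVERWRITE = """interface ethernet 0
 ip access-group 1 in
 ip access-group 100 in"""

if __name__ == "__main__":
    for name, cfg in [("question 1", QUESTION_1), ("corrected", CORRECTED),
                      ("overwrite", OVERWRITE)]:
        print(name, *check_interface(cfg), sep="\n  ")
```

Running the same check over a saved configuration before applying it shows which filter is actually left in force on each interface, which matters when an overwritten list was the stricter one.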