From: Andrew Yourtchenko (andin@xxxxxx)
Date: Wed Dec 08 1999 - 13:38:21 GMT-3
Hello Brett,
that's more a matter of dec-to-bin conversion, than cisco :).
the second task is easy:
access-list 101 deny ip any 172.16.0.0 0.0.254.255
access-list 101 permit ip any any
will deny every 172.16.x.y with x's LSB equal to '0' (that's the
definition of even ? or odd ? :) in case I mixed those terms again,
just use "172.16.1.0" in the first line of acl)
the first one requires a bit more of hand-work:
169.59.204.X = hex A9.3B.CC.** = bin 10101001.00111011.11001100.*
169.57.140.X = hex A9.39.8C.** = bin 10101001.00111001.10001100.*
161.140.57.X = hex A1.8C.39.** = bin 10100001.10001100.00111001.*
169.204.57.X = hex A9.CC.39.** = bin 10101001.11001100.00111001.*
I used hex as a middle step just to assist myself in translation
from decimal to binary.
what can we see from this worksheet ?
in brief - the mentioned four acl entries are the minimal possible,
and can not be summarized any further.
why ? because in case we are masking any bits, we cover _any_
combinations of these bits, which in our case would result in
significant increase of the denied ranges.
in some other case, e.g. when having deny statements for networks
172.16.1.x
172.16.2.x
172.16.3.x
172.16.4.x
172.16.5.x
172.16.6.x
172.16.7.x
it would be possible to change them into a single statement
deny 172.16.0.0 0.0.7.255
but in this case we would need to include an explicit
"permit 172.16.0.0 0.0.0.255" in front of that deny.
with best regards,
Andrew Yourtchenko
/Systems Engineer
OCS distribution
phone. +7-812-324-2870 ext 244
mailto:andin@ocs.ru
http://www.ocs.ru/
Wednesday, December 08, 1999, 5:55:35 PM, you wrote:
BS> Could someone show me how to combine these deny statements into as few
BS> lines as possible.
BS> Deny source in 169.59.204.X
BS> Deny source in 169.57.140.X
BS> Deny source in 161.140.57.X
BS> Deny source in 169.204.57.X
BS> Also, deny every even subnet in 172.1.X.Y, where X is the subnet portion (24
BS> bit mask)
BS> Thanks,
BS> Brett
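Added example, not part of the original message: a Python check of the wildcard-mask reasoning in the reply, computing the tightest single base/wildcard entry for a set of /24 networks and listing the networks it would also match. The function names `matches` and `summarize` are hypothetical, and the /24 host wildcard 0.0.0.255 is assumed.

```python
from ipaddress import IPv4Address

FULL = 0xFFFFFFFF

def to_int(dotted):
    return int(IPv4Address(dotted))

def matches(addr, base, wildcard):
    """Cisco wildcard match: a 1 bit in the wildcard means 'don't care'."""
    care = ~to_int(wildcard) & FULL
    return (to_int(addr) & care) == (to_int(base) & care)

def summarize(networks, host_wildcard="0.0.0.255"):
    """Return (base, wildcard, extras) for the tightest single entry that
    covers every network; extras are the networks it also hits unasked."""
    nets = [to_int(n) for n in networks]
    host = to_int(host_wildcard)
    wildcard = host
    for n in nets:
        wildcard |= n ^ nets[0]          # any bit that differs must be masked
    base = nets[0] & ~wildcard & FULL
    free = [b for b in range(32) if (wildcard & ~host) >> b & 1]
    covered = set()
    for combo in range(1 << len(free)):  # every combination of masked bits
        value = base
        for i, bit in enumerate(free):
            if combo >> i & 1:
                value |= 1 << bit
        covered.add(value)
    extras = sorted(covered - {n & ~host & FULL for n in nets})
    return (str(IPv4Address(base)), str(IPv4Address(wildcard)),
            [str(IPv4Address(e)) for e in extras])

if __name__ == "__main__":
    # Networks taken from the thread; the host octet is set to 0.
    four = ["169.59.204.0", "169.57.140.0", "161.140.57.0", "169.204.57.0"]
    seven = ["172.16.%d.0" % i for i in range(1, 8)]
    for name, nets in (("four /24s", four), ("172.16.1-7", seven)):
        base, wc, extras = summarize(nets)
        print(name, "->", base, wc, "extra networks:", len(extras))
    # The even/odd entry from the reply, checked against two sample hosts.
    for host in ("172.16.4.9", "172.16.5.9"):
        print(host, matches(host, "172.16.0.0", "0.0.254.255"))
```

A non-empty `extras` list means the single entry denies more than was asked for, so it needs either separate entries or an explicit permit placed in front of it.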