From: Jay Hennigan (jay@xxxxxxxx)
Date: Tue Oct 30 2001 - 04:32:03 GMT-3
On Tue, 30 Oct 2001, Albert Lu wrote:
> You mean:
>
> access-list 1 permit 158.168.0.0 0.0.63.255
> access-list 1 permit 158.168.64.0 0.0.15.255
> access-list 1 permit 158.168.80.0 0.0.7.255
> access-list 1 permit 158.168.88.0 0.0.3.255
> access-list 1 permit 158.168.92.0 0.0.0.0
> access-list 1 deny 158.168.1.0 0.0.254.255
>
> Hmm... 6 lines. Anyone know a shorter way?
You got bit by a "gotcha" that I think you spotted in a later post, but
I'm pointing it out for the rest of the group.
Access lists are processed in order. Once a match occurs, the packet is
handled according to the matching line and processing stops.
The first four lines here will allow all /24 subnets within their ranges
both even and odd.
Therefore the odd subnet traffic will be permitted within that range as
it won't ever get to the deny filter in line 6. Also, line 5 mistakenly
matches only a single host. You could use this strategy, but to match
the requirement (which doesn't allow subnet 158.168.0.0) you would need:
access-list 1 deny 158.168.1.0 0.0.254.255 ! deny odd subnets
access-list 1 deny 158.168.0.0 0.0.0.255 ! deny 158.168.0.0/24
access-list 1 permit 158.168.0.0 0.0.63.255
access-list 1 permit 158.168.64.0 0.0.15.255
access-list 1 permit 158.168.80.0 0.0.7.255
access-list 1 permit 158.168.88.0 0.0.3.255
access-list 1 permit 158.168.92.0 0.0.0.255
There's a way to do it with four lines. Hints:
Two permits, two denies.
Think bitwise with regard to wildcard masks to accomplish two things with
one line.
--
Jay Hennigan - CCIE #7880 - Network Administration - jay@west.net
NetLojix Communications, Inc. - http://www.netlojix.com/
WestNet: Connecting you to the planet. 805 884-6323
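The "gotcha" above (first match wins, so a broad permit placed ahead of the deny makes the deny unreachable) is easy to check mechanically. The following is an added example, not part of the original message or anything Cisco ships: a small first-match evaluator for standard numbered access lists with wildcard masks, run over both of the lists quoted above. The address 158.168.0.0/16 and the list contents come from the post; the test addresses are constructed, and the implicit deny at the end of the list is modelled explicitly. Function names (parse_acl, evaluate, permitted_third_octets) are my own.

```python
import ipaddress

# Both lists exactly as they appear in the thread; IOS-style "!" comments are tolerated.
ORIGINAL_ACL_TEXT = """
access-list 1 permit 158.168.0.0 0.0.63.255
access-list 1 permit 158.168.64.0 0.0.15.255
access-list 1 permit 158.168.80.0 0.0.7.255
access-list 1 permit 158.168.88.0 0.0.3.255
access-list 1 permit 158.168.92.0 0.0.0.0
access-list 1 deny 158.168.1.0 0.0.254.255
"""

CORRECTED_ACL_TEXT = """
access-list 1 deny 158.168.1.0 0.0.254.255 ! deny odd subnets
access-list 1 deny 158.168.0.0 0.0.0.255 ! deny 158.168.0.0/24
access-list 1 permit 158.168.0.0 0.0.63.255
access-list 1 permit 158.168.64.0 0.0.15.255
access-list 1 permit 158.168.80.0 0.0.7.255
access-list 1 permit 158.168.88.0 0.0.3.255
access-list 1 permit 158.168.92.0 0.0.0.255
"""


def parse_acl(text):
    """Parse 'access-list <n> <permit|deny> <addr> [wildcard]' lines into tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("!", 1)[0].strip()  # drop trailing "!" comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
            raise ValueError(f"unsupported line: {raw!r}")
        addr = int(ipaddress.IPv4Address(parts[3]))
        # A missing wildcard means a single host (same as 0.0.0.0).
        wildcard = int(ipaddress.IPv4Address(parts[4])) if len(parts) > 4 else 0
        entries.append((parts[2], addr, wildcard, line))
    return entries


def matches(addr, entry_addr, wildcard):
    """Wildcard bit 1 = don't care; every 0 bit in the wildcard must match exactly."""
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (entry_addr & care)


def evaluate(acl, ip):
    """Return (action, 1-based line number) of the first matching entry.

    Processing stops at the first match, so later lines never see the packet.
    No match at all hits the implicit deny, reported as line None.
    """
    a = int(ipaddress.IPv4Address(ip))
    for lineno, (action, entry_addr, wildcard, _text) in enumerate(acl, 1):
        if matches(a, entry_addr, wildcard):
            return action, lineno
    return "deny", None


def permitted_third_octets(acl):
    """Which 158.168.X.0/24 subnets let a host (X.1) through? Sorted list of X."""
    return [x for x in range(256) if evaluate(acl, f"158.168.{x}.1")[0] == "permit"]


ORIGINAL = parse_acl(ORIGINAL_ACL_TEXT)
CORRECTED = parse_acl(CORRECTED_ACL_TEXT)

if __name__ == "__main__":
    # Constructed probe addresses: an odd subnet, 158.168.0.0/24, and a host in 158.168.92.0/24.
    for ip in ("158.168.3.1", "158.168.0.7", "158.168.92.5", "158.168.93.1"):
        print(f"{ip:14} original={evaluate(ORIGINAL, ip)}  corrected={evaluate(CORRECTED, ip)}")
    print("original permits subnets :", permitted_third_octets(ORIGINAL))
    print("corrected permits subnets:", permitted_third_octets(CORRECTED))
```

Running it shows the point of the reply: with the original ordering an odd-subnet host such as 158.168.3.1 is permitted by line 1 and never reaches the deny on line 6, and a host in 158.168.92.0/24 other than 158.168.92.0 itself falls through to the implicit deny because line 5 is a host match. With the denies moved to the front, only the even /24s from 158.168.2.0 through 158.168.92.0 are permitted. Enumerating every /24 the way permitted_third_octets does is the check worth keeping around when you rewrite a list: it compares intent against behaviour instead of reading the lines in isolation.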
This archive was generated by hypermail 2.1.4 : Thu Jun 20 2002 - 22:33:28 GMT-3