Re: Access list wildcard mask

From: Manny Gonzalez (manny@xxxxxxx)
Date: Tue Mar 26 2002 - 11:01:05 GMT-3


Yakout,

Sort of. You got lucky and only those went through... but your access
list / wildcard combo (the bottom one) also will allow

1.1.2.1, 1.1.2.2, 1.1.2.3, .... snip .... 200.200.200.1, 200.200.200.2,
etc. etc. etc.

I mean, every single address in the first two octets, every even
numbered subnet in the third octet and every single subnet in the last
octet (this assumes we are talking about subnets... it can also work for
hosts... it all depends. So let's assume we are in a vacuum :-))

The biggest problem is that your range falls inside bit boundaries and
it is kind of difficult to lock it down exactly. You could get away with
the following:

access-list 10 deny 198.5.0.0 0.0.31.255
access-list 10 deny 198.5.32.0 0.0.15.255
access-list 10 deny 198.5.48.0 0.0.3.255
access-list 10 deny 198.5.60.0 0.0.3.255
access-list 10 deny 198.5.64.0 0.0.63.255
access-list 10 deny 198.5.128.0 0.0.127.255
access-list 10 permit 198.5.0.0 0.0.254.255

This locks it in perfectly... There may be a more efficient way and
someone will chime in with it if there is. But this way you can
appreciate the difficulty of doing ranges that fall way outside bit
boundaries.

Manny Gonzalez
#9013

yakout esmat wrote:
>
> Hi all,
>
> I am still having problems with coming up with a generic wildcard mask for
> blocking odd or even networks. My example:
>
> allow only even networks from 198.5.51.0/24 to 198.5.59.0/24
>
> I tried the following:
>
> access-list 10 permit 198.5.1.0 0.0.254.255 which should permit odd (no
> success)
>
> access-list 10 permit 198.5.0.0 0.0.254.255 which should permit even (no
> success)
>
> access-list 10 permit 0.0.0.0 255.255.254.255 should permit even (IT WORKS)
>
> The way I see it, the concept is just the same in all the above examples,
> so why does the last one work and not the others?
>
> Appreciate your input
>
> Ya
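The exchange above can be checked mechanically. The following Python script is an added illustration, not part of the thread: it implements Cisco wildcard-mask matching with first-match and implicit-deny semantics, evaluates both the single line from Yakout's post and the seven-line list from Manny's reply, and also generalizes Manny's hand-built list into an algorithm (split each excluded third-octet range into aligned power-of-two blocks) that reproduces his six deny lines exactly for the window 52..59 (the even networks inside 51..59 are 52..58, so the two windows permit the same hosts). The helper names (`wildcard_match`, `parse_acl`, `evaluate`, `split_blocks`, `derive_acl`) are this example's own; the two ACL texts are constructed from the messages.

```python
import ipaddress

# Constructed from Manny's reply: six denies carve out every third octet outside
# 52..59, then the final permit keeps only the even third octets in what is left.
MANNY_ACL = """
access-list 10 deny 198.5.0.0 0.0.31.255
access-list 10 deny 198.5.32.0 0.0.15.255
access-list 10 deny 198.5.48.0 0.0.3.255
access-list 10 deny 198.5.60.0 0.0.3.255
access-list 10 deny 198.5.64.0 0.0.63.255
access-list 10 deny 198.5.128.0 0.0.127.255
access-list 10 permit 198.5.0.0 0.0.254.255
"""

# Constructed from Yakout's post: the line that "worked" for him.
YAKOUT_ACL = "access-list 10 permit 0.0.0.0 255.255.254.255"


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care',
    a 0 bit means the address bit must equal the base bit."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_acl(text: str) -> list:
    """Parse 'access-list <n> <permit|deny> <addr> [wildcard]' lines into
    (action, base, wildcard) tuples, in the order they were written."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            raise ValueError(f"not a standard ACL line: {line!r}")
        action, base = parts[2], parts[3]
        if base == "any":
            base, wildcard = "0.0.0.0", "255.255.255.255"
        else:
            # IOS treats a missing wildcard on a standard ACL as 0.0.0.0 (exact host)
            wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"
        entries.append((action, base, wildcard))
    return entries


def evaluate(acl: list, addr: str) -> str:
    """First matching entry wins; an ACL with no match ends in an implicit deny."""
    for action, base, wildcard in acl:
        if wildcard_match(addr, base, wildcard):
            return action
    return "deny"


def permitted_third_octets(acl: list, prefix: str = "198.5") -> list:
    """Which /24 networks under the given first two octets does the ACL permit?"""
    return sorted(o for o in range(256) if evaluate(acl, f"{prefix}.{o}.1") == "permit")


def split_blocks(lo: int, hi: int) -> list:
    """Split an inclusive octet range into the fewest aligned power-of-two blocks,
    each returned as (base, wildcard). This is the step Manny did by hand: a
    range that does not start and end on a bit boundary needs several lines."""
    blocks = []
    while lo <= hi:
        size = 1
        # grow the block while it stays aligned to its own size and inside the range
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        blocks.append((lo, size - 1))
        lo += size
    return blocks


def derive_acl(lo: int, hi: int, prefix: str = "198.5", number: int = 10) -> list:
    """Rebuild the reply's approach for any inclusive third-octet window:
    deny the aligned blocks below lo and above hi, then permit even third octets."""
    lines = []
    for base, wc in split_blocks(0, lo - 1) + split_blocks(hi + 1, 255):
        lines.append(f"access-list {number} deny {prefix}.{base}.0 0.0.{wc}.255")
    lines.append(f"access-list {number} permit {prefix}.0.0 0.0.254.255")
    return lines


if __name__ == "__main__":
    manny = parse_acl(MANNY_ACL)
    yakout = parse_acl(YAKOUT_ACL)
    print("Manny's list permits 198.5.x.0 for x in", permitted_third_octets(manny))
    print("Yakout's line permits 1.1.2.1:", evaluate(yakout, "1.1.2.1"))
    print("Manny's list permits 200.200.200.2:", evaluate(manny, "200.200.200.2"))
    print("\n".join(derive_acl(52, 59)))
```

Running it shows Manny's list permitting exactly 198.5.52.0, .54, .56 and .58 while Yakout's single line also admits 1.1.2.1 and every other address with an even third octet; `derive_acl(52, 59)` regenerates Manny's seven lines verbatim, which is a quick way to check a hand-written list before it goes on a router.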



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:57:22 GMT-3