Re: Access list wildcard mask

From: Manny Gonzalez (manny@xxxxxxx)
Date: Wed Mar 27 2002 - 10:14:57 GMT-3


   
Yakout,

No, not really. Please be careful with your masks and wildcards - THEY
ARE NOT THE SAME THING -

Your example will allow 48, 49, 50, 51 inclusive. Here is why:

WILDCARD - 3 -- 00000011
           48 - 00110000
           49 - 00110001
           50 - 00110010
           51 - 00110011

For illustration look at the above and below numbers in the range

           52 - 00110100 - no good
           47 - 00101111 - no good

See, the only bits that can flip are the rightmost two bits, because your
wildcard says: LOCK IN the slots with a ZERO, and allow the slots with a
1 to flip. So ignore the 1 slots, lock in the 0 slots. It has everything
to do with your matching sample. So since 48 is your sampler, its bits
are

00110000

your wildcard is

00000011

So the leftmost 6 slots MUST BE THE SAME IN EACH ALLOWED/DENIED address.

The sample I originally submitted was an illustration of how you can do
it. It was very inefficient, as you saw from the other two examples
posted.

For your range, the most efficient was a two line entry with a wildcard
of 0.0.2.255

You also must be mindful of your BIT BOUNDARIES. You may not violate
them.

For example, if you believe that

acl 10 deny 10.90.25.0 0.0.31.255

will deny from 25 to 57, you would be surprised that it does not.
Because the number 25 falls in the bit boundary between 0-31, so you
would have denied from 0-31 with that wildcard.

Do this, as it helped me learn it a little better. Draw the following
chart:

                                255
                128 |                 128
        64 |        64 |        64 |        64
    32 | 32 |   32 | 32 |   32 | 32 |   32 | 32

and so on and so forth. This helps you see where numbers will fall in
relation to the bit boundaries. Also draw up all the numbers in question
in binary. And look for patterns in the bits... see which turn on and
off in the range, ignore those and lock in the ones that do not change
in the range you are interested in denying or permitting.

Good luck.

yakout esmat wrote:
>
> Thanks very much guys, your feedback is really great.
>
> The outcome is as follows:
>
> Between 198.5.49.0 & 198.5.54.0
>
> access-list 30 permit 198.5.48.0 0.0.6.255 (allows 50 52 & 54 all even)
> access-list 30 permit 198.5.49.0 0.0.6.255 (allows 49, 51 & 53 all odd)
>
> Manny,
> (access-list 10 deny 198.5.48.0 0.0.3.255) This one will only allow for 2
> hosts, 49 & 50, am I right?
>
> thanks again
>
> Yakout
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> BEDA jain
> Sent: Wednesday, March 27, 2002 3:59 AM
> To: manny@nyp.org; yesmat@iprimus.com.au
> Cc: ccielab@groupstudy.com
> Subject: Re: Access list wildcard mask
>
> access-list 10 deny 198.5.48.0 0.0.2.255 this will block 48,49 and 50
> access-list 10 deny 198.5.60.0 0.0.3.255 this will block 60,61,62,63
> access-list 10 permit 198.5.48.0 0.0.14.255 this will permit all even in
> 48 - 64 but you already block 48,49,50,60-63.
>
> If you need odd to permit then do access-list 10 permit 198.5.49.0
> 0.0.14.255
>
> Rest will be implicit deny.
>
> Try this and please let me know. I would like to know whether this works
> or not.
>
> BEDA PRAKASH JAIN
> Apartment address 1116 woodway bluff circle cary,nc 27513
> 9196789188 res 9193922891 work 9195220242 cell
>
> > From: Manny Gonzalez
> > Reply-To: Manny Gonzalez
> > To: yakout esmat
> > CC: ccielab@groupstudy.com
> > Subject: Re: Access list wildcard mask
> > Date: Tue, 26 Mar 2002 09:01:05 -0500
> >
> > Yakout,
> >
> > Sort of. You got lucky and only those went through... but your access
> > list / wildcard combo (the bottom one) also will allow
> >
> > 1.1.2.1, 1.1.2.2, 1.1.2.3, .... snip .... 200.200.200.1, 200.200.200.2,
> > etc. etc. etc.
> >
> > I mean, every single address in the first two octets, every even
> > numbered subnet in the third octet and every single subnet in the last
> > octet (this assumes we are talking about subnets... it can also work for
> > hosts... it all depends. So let's assume we are in a vacuum :-))
> >
> > The biggest problem is that your range falls inside bit boundaries and
> > it is kind of difficult to lock it down exactly. You could get away with
> > the following:
> >
> > access-list 10 deny 198.5.0.0 0.0.31.255
> > access-list 10 deny 198.5.32.0 0.0.15.255
> > access-list 10 deny 198.5.48.0 0.0.3.255
> > access-list 10 deny 198.5.60.0 0.0.3.255
> > access-list 10 deny 198.5.64.0 0.0.63.255
> > access-list 10 deny 198.5.128.0 0.0.127.255
> > access-list 10 permit 198.5.0.0 0.0.254.255
> >
> > This locks it in perfectly... There may be a more efficient way and
> > someone will chime in with it if there is. But this way you can
> > appreciate the difficulty of doing ranges that fall way outside bit
> > boundaries.
> >
> > Manny Gonzalez
> > #9013
> >
> >
> > yakout esmat wrote:
> > >
> > > Hi all,
> > >
> > > I am still having problems with coming up with generic wildcard mask for
> > > blocking odd or even networks, my example:
> > >
> > > allow only even networks from 198.5.51.0/24 to 198.5.59.0/24
> > >
> > > I tried the following:
> > >
> > > access-list 10 permit 198.5.1.0 0.0.254.255 which should permit odd (no
> > > success)
> > >
> > > access-list 10 permit 198.5.0.0 0.0.254.255 which should permit even (no
> > > success)
> > >
> > > access-list 10 permit 0.0.0.0 255.255.254.255 should permit even (IT WORKS)
> > >
> > > The way I see it, the concept is just the same in all the above examples,
> > > why last one works and not the others.
> > >
> > > Appreciate your input
> > >
> > > Ya



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:57:23 GMT-3