From: David Luu (wicked01@xxxxxxxxxxxxx)
Date: Mon Apr 29 2002 - 04:01:53 GMT-3

199.199.12.0 will not get denied with the access list you are using... break
the 12 subnet into bit count and you will get 1100 and since you are
matching the last bit and with an address of 0 to match, it will be valid.

At 12:32 AM 4/29/2002 -0500, Tim Wilhoit wrote:
>Ok, time for another exercise on filtering subnets. On page 1141 of Solie's
>book in the "Skynet" lab he asks the following:
>"Apply an inbound filter to R5, filtering just the even subnets from the
>loopback range 199.199.1.1 to 199.199.10.1 on R4".
>
>For some background, there are 10 subnets from 199.199.1.0/24 to
>199.199.10.0/24 entering this router.
>
>Obviously the easy way to do this is to just use an access-list like the
>following:
>
>access-list 1 deny 199.199.0.0 0.0.254.255
>access-list 1 permit any
>
>
>But my thinking is this might be counted wrong because 199.199.12.0 could come
>along and it would get denied. So my question is, what is the shortest way to
>block JUST the subnets he asked for? Below is what I came up with but I want
>to see what everyone else comes up with.
>
>access-list 1 deny 199.199.8.0
>access-list 1 deny 199.199.10.0
>access-list 1 deny 199.199.0.0 0.0.6.255
>access-list 1 permit any
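
The wildcard-mask matching discussed in this thread can be checked mechanically; the following is an added example, not part of the original posts, that evaluates both quoted access lists against the network address of each 199.199.N.0 route. The function names and the 0 to 15 sample range are assumptions made for the illustration.

```python
import ipaddress

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def entry_matches(addr, base, wildcard="0.0.0.0"):
    """Cisco wildcard semantics: a 1 bit in the wildcard is "don't care",
    a 0 bit must equal the corresponding bit of the base address."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) ^ to_int(base)) & care == 0

def evaluate(acl, addr):
    """First matching entry wins; a standard ACL ends in an implicit deny."""
    for action, base, wildcard in acl:
        if entry_matches(addr, base, wildcard):
            return action
    return "deny"

ANY = ("permit", "0.0.0.0", "255.255.255.255")  # "permit any"

# The two access lists quoted in the thread (an entry with no wildcard
# is treated as an exact match, i.e. wildcard 0.0.0.0).
ACL_SINGLE = [("deny", "199.199.0.0", "0.0.254.255"), ANY]
ACL_THREE = [
    ("deny", "199.199.8.0", "0.0.0.0"),
    ("deny", "199.199.10.0", "0.0.0.0"),
    ("deny", "199.199.0.0", "0.0.6.255"),
    ANY,
]

def denied_subnets(acl, third_octets):
    """Return the third-octet values whose 199.199.N.0 route is denied."""
    return [n for n in third_octets if evaluate(acl, f"199.199.{n}.0") == "deny"]

if __name__ == "__main__":
    sample = range(0, 16)  # constructed sample range, wider than the lab's 1-10
    for name, acl in (("single-entry", ACL_SINGLE), ("three-entry", ACL_THREE)):
        print(name, "denies third octets:", denied_subnets(acl, sample))
```
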