RE: filtering even subnets

From: David Luu (wicked01@xxxxxxxxxxxxx)
Date: Mon Apr 29 2002 - 14:58:41 GMT-3


   
Ah, I keep getting ahead of myself. I broke it down into bit count and
Parry is right: the 199.199.8.0
0.0.2.255 would in fact cover only the 8 and 10 subnets, so the following
would cover your requirement:

access-list 1 deny 199.199.8.0 0.0.2.255
access-list 1 deny 199.199.0.0 0.0.6.255
access-list 1 permit any
>don't think that the access list of 199.199.8.0 0.0.2.0 (should be
>0.0.2.255) would meet his objective, the inst would still match subnet 14
>which isn't in the range of subnets 1-10

At 05:04 PM 4/29/2002 +0800, Chua, Parry wrote:
>You can improve a little by combining the first two access-lists into one:
>
>access-list 1 deny 199.199.8.0 0.0.2.0
>
> > Parry Chua
> >
> >
>
>
>-----Original Message-----
>From: David Luu [mailto:wicked01@ix.netcom.com]
>Sent: Monday, April 29, 2002 4:26 PM
>To: Tim Wilhoit; ccielab@groupstudy.com
>Cc: johnny.peterson@wcg.com
>Subject: Re: filtering even subnets
>
>
>If that's the case then, the access list you had below with
>
> > >>access-list 1 deny 199.199.8.0
> > >>access-list 1 deny 199.199.10.0
> > >>access-list 1 deny 199.199.0.0 0.0.6.255
> > >>access-list 1 permit any
>
>would work just fine and also have the minimum number of statements needed.
>
>At 02:49 AM 4/29/2002 -0500, Tim Wilhoit wrote:
> >Yes, that is what I was getting at.
> >----- Original Message -----
> >From: "David Luu" <wicked01@ix.netcom.com>
> >To: "Tim Wilhoit" <tilimil@hotmail.com>; <ccielab@groupstudy.com>
> >Cc: <johnny.peterson@wcg.com>
> >Sent: Monday, April 29, 2002 2:27 AM
> >Subject: Re: filtering even subnets
> >
> >
> > > Wait, sorry, I should have looked at your post more carefully... just
> > > realized what you were trying to explain... you are saying that if there
> > > were other subnets not within that range but were still even subnets to not
> > > get filtered, am I correct?
> > >
> > >
> > > At 12:01 AM 4/29/2002 -0700, David Luu wrote:
> > > >199.199.12.0 will not get denied with the access list you are
> > > >using... break the 12 subnet into bit count and you will get 1100 and since
> > > >you are matching the last bit and with an address of 0 to match, it will
> > > >be valid
> > > >
> > > >At 12:32 AM 4/29/2002 -0500, Tim Wilhoit wrote:
> > > >>Ok, time for another exercise on filtering subnets. On page 1141 of
> > > >>Solie's book in the "Skynet" lab he asks the following:
> > > >>"Apply an inbound filter to R5, filtering just the even subnets from the
> > > >>loopback range 199.199.1.1 to 199.199.10.1 on R4".
> > > >>
> > > >>For some background, there are 10 subnets from 199.199.1.0/24 to
> > > >>199.199.10.0/24 entering this router.
> > > >>
> > > >>Obviously the easy way to do this is to just use an access-list like the
> > > >>following:
> > > >>
> > > >>access-list 1 deny 199.199.0.0 0.0.254.255
> > > >>access-list 1 permit any
> > > >>
> > > >>
> > > >>But my thinking is this might be counted wrong because 199.199.12.0 could
> > > >>come along and it would get denied. So my question is, what is the shortest
> > > >>way to block JUST the subnets he asked for? Below is what I came up with but
> > > >>I want to see what everyone else comes up with.
> > > >>
> > > >>access-list 1 deny 199.199.8.0
> > > >>access-list 1 deny 199.199.10.0
> > > >>access-list 1 deny 199.199.0.0 0.0.6.255
> > > >>access-list 1 permit any
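
To check the wildcard arithmetic the thread works through by hand, here is an added example (not code from any of the posts above) that evaluates each of the access lists quoted in the thread against constructed candidate sources 199.199.N.1 for N in 0 to 10, 12 and 14. The function names (wildcard_match, parse_acl, acl_action, denied_third_octets) and the candidate set are mine; the ACL semantics assumed are the standard IOS ones: entries are tested top to bottom, the first match wins, an unmatched packet hits the implicit deny at the end, a 1 bit in the wildcard means "don't care", and an entry written without a wildcard defaults to 0.0.0.0 (a single host).

```python
"""Evaluate Cisco-style standard ACLs against candidate source addresses.

Assumed semantics (standard IOS behaviour): entries are tested top to bottom,
the first match wins, an unmatched packet hits the implicit deny at the end,
a 1 bit in the wildcard mask is 'don't care', and an entry written without a
wildcard means 0.0.0.0 (a single host). Example code, not from the thread.
"""
import ipaddress


def _as_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(base: str, wildcard: str, target: str) -> bool:
    """True if target falls under base/wildcard (Cisco wildcard semantics)."""
    care = ~_as_int(wildcard) & 0xFFFFFFFF      # bits that must match exactly
    return (_as_int(base) & care) == (_as_int(target) & care)


def parse_acl(text: str) -> list:
    """Parse lines of the form 'access-list <n> permit|deny <addr> [wildcard]'.

    Returns (action, base, wildcard) tuples. 'any' becomes 0.0.0.0 with
    wildcard 255.255.255.255, 'host X' becomes X with wildcard 0.0.0.0, and a
    bare address gets the 0.0.0.0 default wildcard.
    """
    entries = []
    for raw in text.strip().splitlines():
        parts = raw.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
            raise ValueError(f"not a standard ACL entry: {raw!r}")
        action, addr = parts[2], parts[3]
        if addr == "any":
            base, wildcard = "0.0.0.0", "255.255.255.255"
        elif addr == "host":
            base, wildcard = parts[4], "0.0.0.0"
        else:
            base = addr
            wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"
        entries.append((action, base, wildcard))
    return entries


def acl_action(entries, target: str) -> str:
    """First matching entry decides; nothing matched means the implicit deny."""
    for action, base, wildcard in entries:
        if wildcard_match(base, wildcard, target):
            return action
    return "deny"


def denied_third_octets(acl_text: str, third_octets, host: int = 1) -> list:
    """Which 199.199.N.<host> sources does the ACL deny? Returns sorted N values."""
    entries = parse_acl(acl_text)
    return sorted(n for n in third_octets
                  if acl_action(entries, f"199.199.{n}.{host}") == "deny")


# Constructed candidate set: the ten subnets in the exercise (1-10) plus three
# even outsiders (0, 12, 14) that a correct filter must leave alone.
CANDIDATES = [0] + list(range(1, 11)) + [12, 14]

# The "easy" list from the question: matches every even third octet, 12 and 14 included.
ACL_BROAD = """
access-list 1 deny 199.199.0.0 0.0.254.255
access-list 1 permit any
"""

# The three-line list from the final reply: 0.0.2.255 covers 8 and 10, 0.0.6.255 covers 0/2/4/6.
ACL_THREE = """
access-list 1 deny 199.199.8.0 0.0.2.255
access-list 1 deny 199.199.0.0 0.0.6.255
access-list 1 permit any
"""

# The 0.0.2.0 variant: the fourth octet must now be exactly 0, so hosts in 8.0 and 10.0 pass.
ACL_WILDCARD_TYPO = """
access-list 1 deny 199.199.8.0 0.0.2.0
access-list 1 deny 199.199.0.0 0.0.6.255
access-list 1 permit any
"""

# The original four-line list: the entries without a wildcard are single-host entries.
ACL_ORIGINAL = """
access-list 1 deny 199.199.8.0
access-list 1 deny 199.199.10.0
access-list 1 deny 199.199.0.0 0.0.6.255
access-list 1 permit any
"""

if __name__ == "__main__":
    for name, acl in [("broad", ACL_BROAD), ("three-line", ACL_THREE),
                      ("0.0.2.0 typo", ACL_WILDCARD_TYPO), ("original", ACL_ORIGINAL)]:
        print(f"{name:13s} denies 199.199.N.1 for N in {denied_third_octets(acl, CANDIDATES)}")
    print(f"original      denies 199.199.N.0 for N in "
          f"{denied_third_octets(ACL_ORIGINAL, CANDIDATES, host=0)}")
```

Running it reproduces the points made in the thread: the 0.0.254.255 list also denies 12 and 14; the three-line list denies exactly 2, 4, 6, 8 and 10 from the 1-10 range; and the 0.0.2.0 variant lets hosts in 8.0 and 10.0 through because it pins the fourth octet to 0. Two things the thread does not raise also show up. The 0.0.6.255 entry additionally matches 199.199.0.0, which is outside the stated 1-10 range (harmless if no such subnet exists, but worth knowing). And the bare "deny 199.199.8.0" and "deny 199.199.10.0" entries in the original four-line list match only the single addresses 199.199.8.0 and 199.199.10.0, so 199.199.8.1 and 199.199.10.1 are not denied by that list; pass host=0 to see them matched.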



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:58:22 GMT-3