From: Mingzhou Nie (mnie@xxxxxxxxx)
Date: Tue Apr 30 2002 - 00:49:30 GMT-3
Let me summarize: to deny the even networks between 199.199.1.0/24 and
10/24, you can either use
access-list 1 deny 199.199.0.0 0.0.6.255
access-list 1 deny 199.199.8.0 0.0.2.0
access-list 1 permit any
or
access-list 1 permit 199.199.12.0 0.0.2.255 (permit 12.0 and 14.0)
access-list 1 deny 199.199.0.0 0.0.14.255 (deny even between 0.0 and 14.0)
access-list 1 permit any
--- "Chua, Parry" <Parry.Chua@compaq.com> wrote:
> You can improve a little by combining the first two access-lists into one:
>
> access-list 1 deny 199.199.8.0 0.0.2.0
>
> > Parry Chua
> >
> >
>
>
> -----Original Message-----
> From: David Luu [mailto:wicked01@ix.netcom.com]
> Sent: Monday, April 29, 2002 4:26 PM
> To: Tim Wilhoit; ccielab@groupstudy.com
> Cc: johnny.peterson@wcg.com
> Subject: Re: filtering even subnets
>
>
> If that's the case, then the access list you had below with
>
> > >>access-list 1 deny 199.199.8.0
> > >>access-list 1 deny 199.199.10.0
> > >>access-list 1 deny 199.199.0.0 0.0.6.255
> > >>access-list 1 permit any
>
> would work just fine and also have the minimum number of statements needed
>
> At 02:49 AM 4/29/2002 -0500, Tim Wilhoit wrote:
> >Yes, that is what I was getting at.
> >----- Original Message -----
> >From: "David Luu" <wicked01@ix.netcom.com>
> >To: "Tim Wilhoit" <tilimil@hotmail.com>; <ccielab@groupstudy.com>
> >Cc: <johnny.peterson@wcg.com>
> >Sent: Monday, April 29, 2002 2:27 AM
> >Subject: Re: filtering even subnets
> >
> >
> > > Wait, sorry, I should have looked at your post more carefully... just
> > > realized what you were trying to explain... you are saying that if there
> > > were other subnets not within that range but were still even subnets, they
> > > should not get filtered, am I correct?
> > >
> > >
> > > At 12:01 AM 4/29/2002 -0700, David Luu wrote:
> > > >199.199.12.0 will not get denied with the access list you are
> > > >using... break the 12 subnet into bit count and you will get 1100, and since
> > > >you are matching the last bit and with an address of 0 to match, it will
> > > >be valid
> > > >
> > > >At 12:32 AM 4/29/2002 -0500, Tim Wilhoit wrote:
> > > >>Ok, time for another exercise on filtering subnets. On page 1141 of Solie's
> > > >>book in the "Skynet" lab he asks the following:
> > > >>"Apply an inbound filter to R5, filtering just the even subnets from the
> > > >>loopback range 199.199.1.1 to 199.199.10.1 on R4".
> > > >>
> > > >>For some background, there are 10 subnets from 199.199.1.0/24 to
> > > >>199.199.10.0/24 entering this router.
> > > >>
> > > >>Obviously the easy way to do this is to just use an access-list like the
> > > >>following:
> > > >>
> > > >>access-list 1 deny 199.199.0.0 0.0.254.255
> > > >>access-list 1 permit any
> > > >>
> > > >>
> > > >>But my thinking is this might be counted wrong because 199.199.12.0 could
> > > >>come along and it would get denied. So my question is, what is the shortest
> > > >>way to block JUST the subnets he asked for? Below is what I came up with, but I
> > > >>want to see what everyone else comes up with.
> > > >>
> > > >>access-list 1 deny 199.199.8.0
> > > >>access-list 1 deny 199.199.10.0
> > > >>access-list 1 deny 199.199.0.0 0.0.6.255
> > > >>access-list 1 permit any
> > >
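A way to check the candidate lists in this thread before putting them in a distribute-list, as an added example that is not part of any message above: a small Python model of Cisco standard-ACL wildcard matching (first match wins, implicit deny at the end), run against a constructed set of 199.199.x.0/24 routes. The list names (EASY, TIM, COMBINED, PERMIT_FIRST) and the route set are mine.

```python
# Added example, not from the thread: model Cisco standard-ACL wildcard
# matching and show which /24 routes each proposed list denies.
import ipaddress


def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def matches(addr, wildcard, candidate):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = 0xFFFFFFFF ^ to_int(wildcard)
    return (to_int(addr) & care) == (to_int(candidate) & care)


def evaluate(acl, routes):
    """Map each route to 'permit' or 'deny': first match wins, implicit deny."""
    result = {}
    for route in routes:
        verdict = "deny"  # implicit deny if no entry matches
        for action, addr, wildcard in acl:
            if matches(addr, wildcard, route):
                verdict = action
                break
        result[route] = verdict
    return result


def denied(acl, routes):
    """Routes the list drops, in address order."""
    return sorted((r for r, v in evaluate(acl, routes).items() if v == "deny"), key=to_int)


# Constructed route set: the ten loopback /24s from the lab plus 11.0 to 14.0.
ROUTES = [f"199.199.{n}.0" for n in range(1, 15)]
ANY = ("permit", "0.0.0.0", "255.255.255.255")

# Candidate lists from the thread ("deny 199.199.8.0" alone means wildcard 0.0.0.0).
EASY = [("deny", "199.199.0.0", "0.0.254.255"), ANY]
TIM = [("deny", "199.199.8.0", "0.0.0.0"), ("deny", "199.199.10.0", "0.0.0.0"),
       ("deny", "199.199.0.0", "0.0.6.255"), ANY]
COMBINED = [("deny", "199.199.0.0", "0.0.6.255"), ("deny", "199.199.8.0", "0.0.2.0"), ANY]
PERMIT_FIRST = [("permit", "199.199.12.0", "0.0.2.255"),
                ("deny", "199.199.0.0", "0.0.14.255"), ANY]

if __name__ == "__main__":
    for name, acl in [("easy", EASY), ("tim", TIM), ("combined", COMBINED),
                      ("permit-first", PERMIT_FIRST)]:
        print(f"{name:13} denies {denied(acl, ROUTES)}")
```

Only the EASY list (wildcard 0.0.254.255) also drops 199.199.12.0 and 199.199.14.0; the other three deny exactly 2.0 through 10.0.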
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:58:22 GMT-3