From: Tim Fletcher (tim@fletchmail.net)
Date: Tue Mar 11 2003 - 19:04:45 GMT-3
David,
You are correct, this cannot be done with 1 command without allowing other
addresses as well.
204 = 11001100
199 = 11000111
1100x1xx
We can tell how many addresses we are going to match with the following
formula:
2^(number of "don't care" bits)
Since the example above would require 3 "don't care" bits, a single mask to
match both would match a total of 8 addresses (2^3=8).
I use the following criteria to determine if any 2 numbers can be matched
with a single number and mask.
1. Is the difference between the 2 numbers a power of 2?
2. Is the appropriate power of 2 bit from question 1 turned off in the
lower of the 2 numbers? This can be determined by dividing the lower number
by the difference and truncating to a whole number. If the whole number is
even, then the answer is yes.
If both of these criteria are met, the address number is the lower of the 2
numbers, and the mask is the difference - 1.
For example: 204 - 199 = 5
Since 5 is not a power of 2, there is no single network number/mask
combination that will match both of those numbers, and only those numbers.
Another example: 204 - 200 = 4
Since 4 is a power of 2, the first criterion is met. To determine the 2nd
criterion, 200/4=50. Since 50 is an even number, the 2nd criterion is met. The
address number is 200 and the mask is 3.
One more example: 203 - 199 = 4
4 is a power of 2 so the 1st criterion is met, but 199/4=49.75. When we
truncate to a whole number we get 49, which is not even, so the 2nd criterion
is not met. So there is no single network number/mask combination to match
these 2 numbers.
-Tim Fletcher
At 11:49 AM 3/11/2003 -0600, Voss, David wrote:
>Permit the following subnets in an ACL with only 1 command... and deny all
>other subnets.... I don't believe this can be done with 1 command. Maybe
>someone can give it a shot?
>
>204.95.160.0/24
>199.95.160.0/24
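The test described in the thread, worked through in Python as an added example (this code is not from the original thread or either poster). It states the two criteria in bitwise form: one address/wildcard pair matches exactly two values only when they differ in a single bit, and the wildcard then has just that bit set (so 200 and 204 are matched by address 200 with wildcard 4, while wildcard 3 would admit 200 through 203). `matched_values` enumerates what any candidate address/wildcard pair actually admits, which is the check to run before putting an entry in an ACL, and `summarize_networks` applies the same idea to the two dotted-quad /24s from the question, adding the 0.0.0.255 host wildcard and reporting how many /24s the single entry would really permit. Function names and the sample inputs are my own.

```python
from ipaddress import IPv4Address, ip_network


def exact_wildcard(a: int, b: int):
    """Return (address, wildcard) that matches exactly a and b, or None.

    A wildcard bit set to 1 means "don't care". Two values can be matched
    and nothing else only if they differ in exactly one bit; that bit is
    the wildcard, and the address is the value with that bit cleared
    (the lower of the two).
    """
    diff = a ^ b                      # bits where the two values disagree
    if diff == 0 or diff & (diff - 1):  # no difference, or more than one bit
        return None
    return (min(a, b), diff)


def covering_wildcard(a: int, b: int):
    """Smallest single address/wildcard pair covering both a and b.

    Returns (address, wildcard, number_of_values_matched). The count is
    2 ** (number of don't-care bits), which is the formula in the thread.
    """
    diff = a ^ b
    return (a & ~diff, diff, 2 ** bin(diff).count("1"))


def matched_values(address: int, wildcard: int, width: int = 8):
    """Every value of the given bit width admitted by address/wildcard."""
    care = ((1 << width) - 1) & ~wildcard
    return [v for v in range(1 << width) if (v ^ address) & care == 0]


def summarize_networks(networks):
    """Collapse same-length networks into one ACL address/wildcard pair.

    Returns (address, wildcard, networks_matched, exact) where `exact` is
    True only if the single entry permits no network beyond those given.
    """
    nets = [ip_network(n, strict=True) for n in networks]
    plen = {n.prefixlen for n in nets}
    if len(plen) != 1:
        raise ValueError("all networks must share one prefix length")
    base = int(nets[0].network_address)
    diff = 0
    for n in nets:
        diff |= base ^ int(n.network_address)
    host_bits = int(nets[0].hostmask)         # e.g. 0.0.0.255 for a /24
    address = base & ~diff
    wildcard = diff | host_bits
    count = 2 ** bin(diff).count("1")
    exact = count == len(set(nets))
    return (str(IPv4Address(address)), str(IPv4Address(wildcard)), count, exact)


if __name__ == "__main__":
    # Constructed inputs: the octets and networks discussed in the thread.
    print(exact_wildcard(204, 199))   # None: 11001100 vs 11000111 differ in 3 bits
    print(exact_wildcard(204, 200))   # (200, 4)
    print(exact_wildcard(203, 199))   # None: 199 has the 4-bit set
    print(matched_values(200, 4))     # [200, 204]
    print(matched_values(200, 3))     # [200, 201, 202, 203]
    print(covering_wildcard(204, 199))  # (196, 11, 8) -> pattern 1100x1xx
    print(summarize_networks(["204.95.160.0/24", "199.95.160.0/24"]))
    print(summarize_networks(["204.95.160.0/24", "200.95.160.0/24"]))
```

Usage: `summarize_networks` on the two /24s from the question yields address 196.95.160.0 with wildcard 11.0.0.255 and a count of 8, confirming that a single entry necessarily permits six extra /24s; `matched_values(196, 11)` lists which first octets those are.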
This archive was generated by hypermail 2.1.4 : Sat Apr 05 2003 - 08:51:37 GMT-3