RE: ACL Tips and Tricks

From: Scott Morris (swm@emanon.com)
Date: Wed Mar 12 2003 - 10:13:58 GMT-3


A mask of 109 gives you 01101101, or FIVE bits in the mask. 2^5 = 32
possible matches to that.

With 45 as your beginning number (00101101), the router would actually
rewrite your line to begin with 0.111.111.0 (00000000) by substituting
the "don't care" bits with 0's.

01101101 = mask of 109, 1's = don't care.
00101101 = 45, note the 1 values are all in the don't care bit
positions, which sets all of the "I do care" bits to 0. Full matches
include:

00000000 = 0
00000001 = 1
00000100 = 4
00000101 = 5
00001000 = 8
00001001 = 9
00001100 = 12
00001101 = 13
00100000 = 32
00100001 = 33
00100100 = 36
00100101 = 37
00101000 = 40
00101001 = 41
00101100 = 44
00101101 = 45
01000000 = 64
01000001 = 65
01000100 = 68
01000101 = 69
01001000 = 72
01001001 = 73
01001100 = 76
01001101 = 77
01100000 = 96
01100001 = 97
01100100 = 100
01100101 = 101
01101000 = 104
01101001 = 105
01101100 = 108
01101101 = 109

That's off the top of my head, so hopefully the binary works right. :)
But anyway, you should get the point... That is not the proper way to
summarize addresses!

Scott
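
The wildcard arithmetic from the message above, as an added example that is not part of the original thread. Function names are hypothetical, and covering_entry works on the network addresses only (host bits of the /24s are not added to the wildcard).

```python
from ipaddress import IPv4Address

ALL = 0xFFFFFFFF

def to_int(dotted):
    return int(IPv4Address(dotted))

def normalize(addr, wildcard):
    """Address with every don't-care bit cleared, as in the rewrite described above."""
    return str(IPv4Address(to_int(addr) & ~to_int(wildcard) & ALL))

def matches(entry_addr, wildcard, candidate):
    """True if candidate agrees with entry_addr on every bit the wildcard cares about."""
    care = ~to_int(wildcard) & ALL
    return (to_int(entry_addr) & care) == (to_int(candidate) & care)

def match_count(wildcard):
    """Each 1 bit in the wildcard doubles the number of matched values."""
    return 2 ** bin(to_int(wildcard)).count("1")

def octet_matches(value, mask):
    """Every 8-bit value matched by one octet and its wildcard octet."""
    base = value & ~mask & 0xFF
    return [v for v in range(256) if v & ~mask & 0xFF == base]

def covering_entry(addrs):
    """Tightest single address/wildcard pair that matches every address given.

    Bits that differ between any two addresses must become don't-care bits,
    so anything beyond one differing bit pulls in networks nobody asked for.
    """
    ints = [to_int(a) for a in addrs]
    wild = 0
    for a in ints:
        wild |= a ^ ints[0]
    return str(IPv4Address(ints[0] & ~wild & ALL)), str(IPv4Address(wild))

if __name__ == "__main__":
    # The three pairs discussed in the thread.
    for pair in (["66.44.45.0", "66.44.47.0"],
                 ["45.111.111.0", "64.111.111.0"],
                 ["204.95.160.0", "199.95.160.0"]):
        addr, wild = covering_entry(pair)
        extra = match_count(wild) - len(pair)
        print(f"permit {addr} {wild}  # {match_count(wild)} matches, {extra} unwanted")
    print(octet_matches(45, 109))
```

A single entry is an exact summary only when the unwanted count is 0, which of the three pairs holds only for 66.44.45.0 and 66.44.47.0.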

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Khalid Ameen
Sent: Wednesday, March 12, 2003 4:06 AM
To: 'Voss, David'; ccielab@groupstudy.com
Subject: RE: ACL Tips and Tricks

Permit 66.44.45.0 0.0.2.0
Permit 45.111.111.0 109.0.0.0

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Voss, David
Sent: Tuesday, March 11, 2003 9:59 PM
To: ccielab@groupstudy.com
Subject: RE: ACL Tips and Tricks

Thanks for the responses. I am bumping into questions stating "create
an ACL using the minimum number of commands"

permit 66.44.45.0
permit 66.44.47.0
permit 45.111.111.0
permit 64.111.111.0

I still have to create 4 lines in the ACL, as long as they are
requesting that 'all other subnets' must be denied, I can't simply
summarize or use fewer lines than 4.

-----Original Message-----
From: Scott Morris [mailto:swm@emanon.com]
Sent: Tuesday, March 11, 2003 1:34 PM
To: Voss, David; ccielab@groupstudy.com
Subject: RE: ACL Tips and Tricks

199 = 11000111
204 = 11001100

There are 3 bits of difference between the two, so it is impossible to
summarize them in one statement without including extraneous routes.

Enjoy!

Scott

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Voss, David
Sent: Tuesday, March 11, 2003 12:49 PM
To: ccielab@groupstudy.com
Subject: ACL Tips and Tricks

Permit the following subnets in an ACL with only 1 command... and deny
all other subnets.... I don't believe this can be done with 1 command.
Maybe someone can give it a shot?

204.95.160.0/24
199.95.160.0/24


