RE: More about ACLs

From: Scott Morris (swm@emanon.com)
Date: Sat May 10 2003 - 11:33:21 GMT-3


1  = 00000001
5  = 00000101
21 = 00010101

M = 00010100 for the mask, where 1 = don't care (change) and 0 = stay
the same.
Two bits of difference = 4 possible values. So you need to exclude the
extra value (17).

Deny 199.172.17.0 0.0.0.255
Permit 199.172.1.0 0.0.20.255

With the last bit being a 1 and always set (mask of 0), you wouldn't
ever get 26 or any other even number to match it.
Think of the bits that are allowed to change (1 in the mask) and substitute
all valid bits into them. You have two bits here, so substitute 00, 01,
10, 11 into those slots respectively. It will not permit anything
greater than 21, because of all the other bits that must remain the same
(mask = 0).

Scott
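The substitution Scott describes can be checked mechanically. The following is an added example, not code from either post: it emulates Cisco standard-ACL wildcard matching (a wildcard bit of 1 means "don't care", 0 means "must equal the entry"), enumerates every third-octet value that 199.172.1.0 0.0.20.255 covers, and then evaluates the two-line ACL (deny 17, permit 1/0.0.20.255, then the implicit deny) against the seven networks from the original question. The function names and the ACL_99 list are this example's own; the addresses and masks are the ones from the thread.

```python
# Added example: emulate Cisco wildcard-mask matching to verify the two-line ACL.
from ipaddress import IPv4Address

MASK32 = 0xFFFFFFFF


def wildcard_match(addr: str, entry: str, wildcard: str) -> bool:
    """True if addr matches entry/wildcard.

    Every bit whose wildcard bit is 0 must equal the entry's bit;
    bits whose wildcard bit is 1 are "don't care".
    """
    a, e, w = (int(IPv4Address(x)) for x in (addr, entry, wildcard))
    return (a & ~w & MASK32) == (e & ~w & MASK32)


def matched_octet_values(entry_octet: int, wildcard_octet: int) -> list:
    """Enumerate every value one octet can take under entry/wildcard.

    This is the substitution from the reply: take the bits the wildcard
    frees (the 1 bits) and plug in every combination (00, 01, 10, 11 ...).
    """
    free_bits = [b for b in range(8) if (wildcard_octet >> b) & 1]
    fixed = entry_octet & ~wildcard_octet & 0xFF
    values = set()
    for combo in range(1 << len(free_bits)):
        v = fixed
        for i, bit in enumerate(free_bits):
            if (combo >> i) & 1:
                v |= 1 << bit
        values.add(v)
    return sorted(values)


# The ACL from the reply, written as (action, entry, wildcard) tuples.
# Entries are tested in order; the first match decides.
ACL_99 = [
    ("deny",   "199.172.17.0", "0.0.0.255"),
    ("permit", "199.172.1.0",  "0.0.20.255"),
]


def acl_action(acl, addr: str) -> str:
    """Return the action the ACL takes for addr (implicit deny at the end)."""
    for action, entry, wildcard in acl:
        if wildcard_match(addr, entry, wildcard):
            return action
    return "deny"


# The seven /24 networks from the original question.
NETWORKS = ["199.172.%d.0" % n for n in (1, 2, 4, 5, 6, 8, 21)]


def permitted_third_octets(acl, networks) -> list:
    """Third octets of the networks the ACL permits, in input order."""
    return [int(n.split(".")[2]) for n in networks if acl_action(acl, n) == "permit"]


if __name__ == "__main__":
    print("1/0.0.20.255 covers third octets:", matched_octet_values(1, 20))
    for net in NETWORKS + ["199.172.17.0", "199.172.26.0"]:
        print(net, "->", acl_action(ACL_99, net))
```

Running it shows the single permit line covers third octets 1, 5, 17 and 21, that the deny line in front of it removes 17, and that 2, 4, 6, 8 and 26 never match because a fixed bit (mask 0) differs. It also confirms the point in the original question: 199.172.1.128 is permitted just like 199.172.1.0, since the last octet is entirely "don't care" and a standard ACL never sees the prefix length.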

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
jfaure@sztele.com
Sent: Saturday, May 10, 2003 5:31 AM
To: ccielab@groupstudy.com
Subject: More about ACLs

Hi all:

I'm having some troubles with ACLs. Imagine you have these networks:

199.172.1.0/24
199.172.2.0/24
199.172.4.0/24
199.172.5.0/24
199.172.6.0/24
199.172.8.0/24
199.172.21.0/24

And you must filter, with the minimum number of lines in the ACL, and
only permit the odd networks (at the third octet, that is ONLY the 1,
5 and 21, not every possible odd subnet). Then you could do so with a
standard access list like this:

access-list 99 permit 199.172.1.0 0.0.20.255

However, this access-list also allows networks like 199.172.1.0/25,
199.172.1.0/26, etc. Imagine you want to be more specific and to match
the network mask too. Then you'd need an extended ACL that only allows
/24. But can anyone suggest how to construct it, if it's possible?

Regards

Juan Faure Ferrer
email: jfaure@sztele.com

Telematics and CC Business Line
Network and Systems Integration Engineer
------------------------------------------------------------------------
SOLUZIONA TELECOMUNICACIONES
UNION FENOSA Professional Services
Jerez, 3  28016 MADRID
tel 91 579 30 00  fax 91 350 72 83
------------------------------------------------------------------------
This archive was generated by hypermail 2.1.4 : Mon Jun 02 2003 - 15:13:40 GMT-3