From: Winston V. Shaw (wvshaw@bellsouth.net)
Date: Fri Feb 06 2004 - 09:13:20 GMT-3
I think that you can approach this in the following way.
1. Select the pairs of IP addresses in which each octet of a net is lower than or equal to the corresponding octet of its partner.
e.g. 111.16.6.0 and 127.24.6.0
2. Write out the binary of each pair's octets next to each other.
e.g. 01101111.00010000.00000110.00000000 (the 111 network)
01111111.00011000.00000110.00000000 (the 127 network)
3. Derive the necessary subnet mask by comparing the two binary addresses.
e.g. 00010000.00001000.00000000.11111111 16.8.0.255
The subnet mask must be written in such a way that wherever a bit is turned on in the mask, it does not matter what the corresponding bit actually is in the address. A zero (0) in the mask means the corresponding bit in the address must match exactly for both nets.
Your access list should look similar to the following:
deny 111.16.6.0 16.8.0.255
deny x.x.x.x x.x.x.x ( work out your second pair here)
permit 0.0.0.0 255.255.255.255
WVShaw
CCIE#7991
>
> From: <richardyun@adelphia.net>
> Date: 2004/02/06 Fri AM 03:16:02 EST
> To: <ccielab@groupstudy.com>
> Subject: Access List
>
> Hello,
>
> How can I block the following networks from going out of particular interface
> (say serial 1 on a router) using just two lines for access-list ?
>
> 121.10.17.0
> 127.24.6.0
> 122.35.35.0
> 111.16.6.0
>
> Thanks,
>
> Richard
>
This archive was generated by hypermail 2.1.4 : Fri Mar 05 2004 - 07:13:47 GMT-3
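The three steps in the reply above, as an added Python example (not part of the original posts; the function names are this example's own). It derives the mask for each pair by XOR and then lists every /24 the resulting entry matches, which shows that an entry built from a pair differing in more than one bit also covers networks outside the pair.

```python
from itertools import product

def to_int(addr):
    a, b, c, d = (int(o) for o in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def to_dotted(n):
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def wildcard_for_pair(net_a, net_b, host_bits=0xFF):
    # Step 3 of the reply: bits that differ between the two networks (XOR)
    # become "don't care" bits; the host octet is always "don't care".
    return (to_int(net_a) ^ to_int(net_b)) | host_bits

def acl_matches(addr, base, wildcard):
    # An entry matches when addr equals base on every bit the mask leaves at 0.
    care = ~wildcard & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)

def networks_covered(base, wildcard, host_bits=0xFF):
    # Enumerate every /24 the entry matches: one per combination of the
    # "don't care" bits that fall in the network part of the address.
    net_wild = wildcard & ~host_bits
    free = [1 << i for i in range(32) if (net_wild >> i) & 1]
    fixed = to_int(base) & ~wildcard & 0xFFFFFFFF
    nets = [fixed | sum(b for b, on in zip(free, pick) if on)
            for pick in product((0, 1), repeat=len(free))]
    return [to_dotted(n) for n in sorted(nets)]

if __name__ == "__main__":
    # Pairs built from the four networks in the original question.
    for low, high in (("111.16.6.0", "127.24.6.0"),
                      ("121.10.17.0", "122.35.35.0")):
        mask = wildcard_for_pair(low, high)
        covered = networks_covered(low, mask)
        print(f"deny {low} {to_dotted(mask)}   # matches {len(covered)} /24 networks")
        if len(covered) <= 8:
            print("   ", ", ".join(covered))
```

Running it prints both deny lines with the number of /24 networks each one matches, so the extra coverage can be checked against the addressing plan before the list is applied to an interface.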