RE: mac-address access-list.

From: Michael Snyder (msnyder@revolutioncomputer.com)
Date: Fri Feb 13 2004 - 19:48:49 GMT-3


Here's an example from last week.

In hex,

40E0.1E5D.9587
40E0.1E5D.9547
40E0.1E5D.95C7
40E0.1E5D.9527

Just working with the last octet (hex mode) windows calc

(0x87&0x47&0xC7&0x27) = 0x07 (common)
(0x87|0x47|0xc7|0x27) = 0xe7 (scope)

0x07 nor 0xe7 = e0 (offset wildcard)

Mask value = ff - wild = 0xff - 0xe0 = 0x1f

Answer

dlsw icanreach mac-address 40E0.1E5D.9507 ffff.ffff.ff1f

It's all mask logic I've used before.

When you `and` a set of values, you get the most common element of the
values.

When you `or` a set of values you get the scope (range) of the elements.

When you `nor` the common against the scope you get the offset
(difference) of the two in wildcard format.

Total possible value - wildcard = mask.

-----Original Message-----
From: Bob Sinclair [mailto:bsinclair@netmasterclass.net]
Sent: Friday, February 13, 2004 4:28 PM
To: Martin D. Fierbaugh
Cc: ccielab@groupstudy.com
Subject: Re: mac-address access-list.

Martin,

I am sure there are guys out there who could do that in HEX in their heads,
just as some can do decimal IP subnetting in their heads. But I would take
the approach you suggest. Seems to me it would work just fine.

Bob Sinclair
CCIE #10427, CISSP, MCSE
www.netmasterclass.net

----- Original Message -----
From: "Martin D. Fierbaugh" <marty@networkwv.com>
To: "'Bob Sinclair'" <bsin@cox.net>
Cc: <ccielab@groupstudy.com>
Sent: Friday, February 13, 2004 4:24 PM
Subject: RE: mac-address access-list.

> Bob and all...
>
> What if the requirement was to ask to block several mac addresses using
> the minimal number of lines to do so?
>
> Example:
>
> Block these mac addresses with the minimal number of acl entries.
> 0040.05bb.bcc2
> 0004.5a9c.b4ac
> 00a0.2a03.64d6
>
>
> Would you convert hex -> binary and then use the same method for
> combining access-lists that has been so clearly gone over many times on
> this list?
>
> Thanks,
>
> **********************************
> Martin D. Fierbaugh, CCNP
> Manager - IP Routing
> NTELOS Advanced Data Engineering
> (w) 304.353.8916
> (m) 304.415.0427
> **********************************
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Bob Sinclair
> Sent: Friday, February 13, 2004 10:04 AM
> To: R&S Groupstudy
> Cc: ccielab@groupstudy.com
> Subject: Re: mac-address access-list.
>
> YUP!
>
> Please replace 1's with f's in previous post.
>
>
> Thanks!!
>
> Bob Sinclair
> CCIE #10427, CISSP, MCSE
> www.netmasterclass.net
>
> ----- Original Message -----
> From: "R&S Groupstudy" <rsg@synergy-networking.co.uk>
> To: "Bob Sinclair" <bsin@cox.net>
> Sent: Friday, February 13, 2004 10:03 AM
> Subject: RE: mac-address access-list.
>
>
> > isn't that all f's Bob.... 0000.0000.ffff ?
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Bob Sinclair
> > Sent: 13 February 2004 14:51
> > To: Casey, Paul (6822); ccielab@groupstudy.com
> > Subject: Re: mac-address access-list.
> >
> >
> > Paul,
> >
> > You should be able to do this in IOS (router or 3550) with an access
> > list in the range 700.
> >
> > access-list 701 permit 0000.abcd.0000 0000.0000.1111
> >
> > should work to permit only source mac addresses starting 0000.abcd
> >
> > Hope that is what you are looking for.
> >
> > Bob Sinclair
> > CCIE #10427, CISSP, MCSE
> > www.netmasterclass.net
> >
> >
> > ----- Original Message -----
> > From: "Casey, Paul (6822)" <Paul.Casey@o2.com>
> > To: <ccielab@groupstudy.com>
> > Sent: Friday, February 13, 2004 7:35 AM
> > Subject: mac-address access-list.
> >
> >
> > > Hello
> > >
> > > Can you match MAC addresses that start with a specific range.
> > > Example can you match 0000.abcd range of mac-addresses.
> > >
> > > kind regards.



This archive was generated by hypermail 2.1.4 : Fri Mar 05 2004 - 07:13:49 GMT-3
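
The AND/OR mask method from Michael Snyder's reply at the top of this thread, applied to all 48 bits, as an added example that is not part of any poster's message. It takes the varying bits as common XOR scope (which gives the e0 value in that reply), and the function names and the "matched" count are assumptions introduced here to show how many addresses a summarized entry really covers.

```python
FULL = (1 << 48) - 1  # all 48 bits of a MAC address

def parse_mac(text):
    """Cisco dotted-hex MAC (hhhh.hhhh.hhhh) -> 48-bit integer."""
    digits = text.replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {text!r}")
    return int(digits, 16)

def format_mac(value):
    digits = f"{value:012x}"
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))

def summarize(macs):
    """Collapse a list of MACs into one base address plus mask."""
    if not macs:
        raise ValueError("need at least one MAC address")
    values = [parse_mac(m) for m in macs]
    common, scope = FULL, 0
    for v in values:
        common &= v   # bits set in every address ("common")
        scope |= v    # bits set in at least one address ("scope")
    differ = common ^ scope  # bits that vary across the list
    return {
        "base": format_mac(common),
        "wildcard": format_mac(differ),          # 1 = ignore bit (access-list 7xx style)
        "care_mask": format_mac(FULL ^ differ),  # 1 = must match (dlsw icanreach style)
        "listed": len(set(values)),
        "matched": 1 << bin(differ).count("1"),  # addresses the single entry covers
    }

def matches(mac, base, care_mask):
    """True if mac falls under base/care_mask."""
    return (parse_mac(mac) & parse_mac(care_mask)) == parse_mac(base)

# Address sets taken from the thread.
DLSW_SET = ["40E0.1E5D.9587", "40E0.1E5D.9547", "40E0.1E5D.95C7", "40E0.1E5D.9527"]
BLOCK_SET = ["0040.05bb.bcc2", "0004.5a9c.b4ac", "00a0.2a03.64d6"]

if __name__ == "__main__":
    for name, macs in (("dlsw", DLSW_SET), ("block", BLOCK_SET)):
        s = summarize(macs)
        print(f"{name}: {s['base']} care={s['care_mask']} wildcard={s['wildcard']}"
              f" covers {s['matched']} addresses for {s['listed']} listed")
```

For the four DLSw addresses the single entry covers 8 addresses, so four unlisted ones (for example 40E0.1E5D.9567) also match. For the three addresses in the blocking question one entry would cover 2^28 addresses, which is why a filter meant to be tight should compare "matched" with "listed" before collapsing entries.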