RE: access-list question

From: Scott Morris (swm@emanon.com)
Date: Tue Apr 20 2004 - 11:50:32 GMT-3


To permit no extra nets, the minimum number of statements would be three.

1.0 by itself, 2.0 with a mask of 0.0.1.0 (catching 2 and 3) and 8.0 by
itself.
You can also deny 0.0 individually, permit 0.0 with mask of 0.0.3.0
(catching 0 to 3) and 8.0 by itself.

Anything else would permit more networks. Always check the number of bits
set to 1 in your mask. 2^x yields the number of matches that your mask will
match.

HTH,

 
Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, CISSP,
JNCIS, et al.
IPExpert CCIE Program Manager
IPExpert Sr. Technical Instructor
swm@emanon.com/smorris@ipexpert.net
http://www.ipexpert.net
 

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Bayraktar, Ersoy
Sent: Tuesday, April 20, 2004 9:38 AM
To: swm@emanon.com
Cc: ccielab@groupstudy.com
Subject: RE: access-list question

It is asking to use the minimum number of configuration statements.

-----Original Message-----
From: Scott Morris [mailto:swm@emanon.com]
Sent: Tuesday, April 20, 2004 5:31 PM
To: Bayraktar, Ersoy; ccielab@groupstudy.com
Subject: RE: access-list question

I just re-read your nets...

1.0 00000001
2.0 00000010
3.0 00000011
8.0 00001000
        ^ ^^

There are three bits of difference between these three. Three bits of
difference in the mask (2^3) will yield 8 matches to your ACL. So you can't
put them all in a single mask. You'll get too many extra networks coming
in. Watch the wording on your lab, but be specific.

Oftentimes you'll see "in as few routes as possible", but when you see that,
it doesn't mean to allow extra networks. If you were going to do that, just
permit 0.0.0.0 255.255.255.255, because that will certainly cover any of the
nets you have. :)

HTH,

 
Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, CISSP,
JNCIS, et al.
IPExpert CCIE Program Manager
IPExpert Sr. Technical Instructor
swm@emanon.com/smorris@ipexpert.net
http://www.ipexpert.net
 

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Bayraktar, Ersoy
Sent: Tuesday, April 20, 2004 9:14 AM
To: ccielab@groupstudy.com
Subject: access-list question

Hi group,

How come the access-list 1 permit 192.168.4.0 0.0.3.0 means permit
192.168.1.0,192.168.2.0,192.168.3.0 and 192.168.8.0. I couldn't find a good
document for such subnetting.

Thanks

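An added example, not part of any message in this thread: Python that applies IOS wildcard-mask matching to the 192.168.X.0 nets being discussed, derives the smallest single mask that covers 1, 2, 3 and 8 (and how many nets it would actually let through, per the 2^bits rule), and evaluates the three-line deny/permit/permit list from the top reply. The function names and the constructed ACL table are mine, not from the thread.

```python
"""IOS wildcard-mask arithmetic for standard access-list entries (added example)."""
from ipaddress import IPv4Address


def matches(packet_ip: str, acl_ip: str, wildcard: str) -> bool:
    """IOS semantics: a 1 bit in the wildcard is 'don't care'; compare the rest."""
    p, a, w = (int(IPv4Address(x)) for x in (packet_ip, acl_ip, wildcard))
    keep = ~w & 0xFFFFFFFF           # bits that must match exactly
    return (p & keep) == (a & keep)


def matched_third_octets(acl_ip: str, wildcard: str) -> list:
    """Every 192.168.X.0 network (X = 0..255) that one entry would catch."""
    return [x for x in range(256) if matches(f"192.168.{x}.0", acl_ip, wildcard)]


def wildcard_for(third_octets) -> str:
    """Smallest single wildcard (third octet only) covering all given nets.
    Any bit that differs between two of the nets must become a don't-care bit."""
    base, diff = third_octets[0], 0
    for x in third_octets:
        diff |= base ^ x
    return f"0.0.{diff}.0"


def match_count(wildcard: str) -> int:
    """The 2^x rule: x = number of 1 bits in the wildcard."""
    return 2 ** bin(int(IPv4Address(wildcard))).count("1")


def evaluate_acl(acl, third_octets) -> list:
    """First-match evaluation with the implicit deny at the end.
    acl is a list of (action, address, wildcard); returns the permitted X values."""
    permitted = []
    for x in third_octets:
        ip = f"192.168.{x}.0"
        for action, acl_ip, wildcard in acl:
            if matches(ip, acl_ip, wildcard):
                if action == "permit":
                    permitted.append(x)
                break                 # first matching line decides
    return permitted


# Constructed ACL: the deny-0 / permit-0-with-0.0.3.0 / permit-8 option.
THREE_LINE_ACL = [
    ("deny",   "192.168.0.0", "0.0.0.0"),
    ("permit", "192.168.0.0", "0.0.3.0"),
    ("permit", "192.168.8.0", "0.0.0.0"),
]
```

Running `evaluate_acl(THREE_LINE_ACL, range(256))` returns `[1, 2, 3, 8]` with nothing extra, while `wildcard_for([1, 2, 3, 8])` gives `0.0.11.0`, whose three set bits match eight networks.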


This archive was generated by hypermail 2.1.4 : Mon May 03 2004 - 19:48:51 GMT-3