Re: ACL question

From: alsontra@hotmail.com
Date: Mon Sep 06 2004 - 14:55:42 GMT-3


Hi Charles,

The first ACL allows any mask beginning with /8 and ending with /32. The
second allows only /16. I believe the case study is trying to demonstrate the
use of an extended access-list for both source and mask identification. Here is
an archived post from Brian Dennis that should help.

<snip>
Here is the syntax:
access-list <ACL #> permit ip <network> <wildcard mask of network> <subnet mask> <wildcard mask of subnet mask>
Here are some examples:
access-list 100 permit ip 10.0.0.0 0.0.0.0 255.255.0.0 0.0.0.0
Matches 10.0.0.0/16 - Only
access-list 100 permit ip 10.0.0.0 0.0.0.0 255.255.255.0 0.0.0.0
Matches 10.0.0.0/24 - Only
access-list 100 permit ip 10.1.1.0 0.0.0.0 255.255.255.0 0.0.0.0
Matches 10.1.1.0/24 - Only
access-list 100 permit ip 10.0.0.0 0.0.255.0 255.255.255.0 0.0.0.0
Matches 10.0.X.0/24 - Any number in the 3rd octet of the network with a
/24 subnet mask.
access-list 100 permit ip 10.0.0.0 0.255.255.0 255.255.255.0 0.0.0.0
Matches 10.X.X.0/24 - Any number in the 2nd & 3rd octet of the network
with a /24 subnet mask.
access-list 100 permit ip 10.0.0.0 0.255.255.255 255.255.255.240 0.0.0.0
Matches 10.X.X.X/28 - Any number in the 2nd, 3rd & 4th octet of the
network with a /28 subnet mask.
access-list 100 permit ip 10.0.0.0 0.255.255.255 255.255.255.0 0.0.0.255
Matches 10.X.X.X/24 to 10.X.X.X/32 - Any number in the 2nd, 3rd & 4th
octet of the network with a /24 to /32 subnet mask.
access-list 100 permit ip 10.0.0.0 0.255.255.255 255.255.255.128 0.0.0.127
Matches 10.X.X.X/25 to 10.X.X.X/32 - Any number in the 2nd, 3rd & 4th
octet of the network with a /25 to /32 subnet mask

Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
bdennis@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada)
</snip>

If you can follow this, you will understand the author's point.

HTH
Alsontra
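To see why the extended list pins the subnet mask while the standard list ignores it, here is an added Python model of the distribute-list matching Brian describes (my code, not Brian's or Cisco's). The way it parses access-list lines is a simplification assumed for illustration; it only handles the single-line `permit`/`deny` forms shown in this thread.

```python
"""Model how an IOS ACL applied as a BGP distribute-list filters a prefix.

Added example, not code from the original thread or from Cisco. Assumption
modelled here: the prefix's network address is checked against the ACL
"source" part and, for an extended ACL, the prefix's subnet mask against
the "destination" part, which is the syntax quoted in the thread.
"""
import ipaddress


def _ip(dotted):
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(value, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    return (_ip(value) ^ _ip(base)) & ~_ip(wildcard) & 0xFFFFFFFF == 0


def ace_matches(ace, prefix):
    """True if one access-list line matches the prefix (action not evaluated).

    Standard: access-list 1 permit 160.0.0.0 0.255.255.255
    Extended: access-list 101 permit ip 160.0.0.0 0.255.255.255 255.0.0.0 0.0.0.0
    """
    f = ace.split()
    net = ipaddress.IPv4Network(prefix, strict=False)
    if f[3] == "ip":  # extended: network/wildcard, then mask/wildcard
        n, n_wc, m, m_wc = f[4:8]
        return (wildcard_match(str(net.network_address), n, n_wc)
                and wildcard_match(str(net.netmask), m, m_wc))
    n = f[3]                                  # standard: network only,
    n_wc = f[4] if len(f) > 4 else "0.0.0.0"  # the prefix length is ignored
    return wildcard_match(str(net.network_address), n, n_wc)


def acl_permits(acl, prefix):
    """First matching line decides; no match falls to the implicit deny."""
    for ace in acl:
        if ace_matches(ace, prefix):
            return ace.split()[2] == "permit"
    return False


def compare(prefixes):
    """Jonathan's two lists side by side: {prefix: (standard, extended)}."""
    std = ["access-list 1 permit 160.0.0.0 0.255.255.255"]
    ext = ["access-list 101 permit ip 160.0.0.0 0.255.255.255 255.0.0.0 0.0.0.0"]
    return {p: (acl_permits(std, p), acl_permits(ext, p)) for p in prefixes}


if __name__ == "__main__":
    for p, (s, e) in compare(["160.0.0.0/8", "160.0.0.0/9", "160.1.0.0/16"]).items():
        print(f"{p:14} standard={s!s:5} extended={e}")
```

The standard list permits every 160.x.x.x prefix regardless of length, while the extended list permits only the one whose mask is exactly 255.0.0.0.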

----- Original Message -----
From: "Jonathan R. Charles" <jrcdehc@ameritech.net>
To: <ccielab@groupstudy.com>
Sent: Monday, September 06, 2004 7:34 AM
Subject: ACL question

> In BGP Case Studies, the following paragraph
>
> The command "access-list 1 permit 160.0.0.0 0.255.255.255" permits
> 160.0.0.0/8, 160.0.0.0/9, 160.0.0.0/10 and so on. In order to restrict the
> update to only 160.0.0.0/8, we have to use an extended access-list of the
> following format: "access-list 101 permit ip 160.0.0.0 0.255.255.255
> 255.0.0.0 0.0.0.0" This list permits 160.0.0.0/8 only.
>
> I must be missing something here, because I don't see how the destination
> of 255.0.0.0 with a mask of 0.0.0.0 would permit all the other 160.0.0.0
> networks that had a mask different from 8.
>
> Jonathan Charles
>
> SBC
>
> CCNP/CCDP, NNCSE, NNCSS, MCSE
>
This archive was generated by hypermail 2.1.4 : Fri Oct 01 2004 - 15:00:37 GMT-3