RE: Inverse mask question - How - ???? [7:95532]

From: marvin greenlee (marvin@ccbootcamp.com)
Date: Fri Dec 24 2004 - 14:35:47 GMT-3


Blocking a range of addresses:

10.10.10.100 - 10.10.10.150

Another way to look at the question is to examine the nearest bit boundaries
for the range of addresses. Since we are looking at a range of 51
addresses, we cannot do this in a single line without matching additional
hosts. For each block of addresses, the block must start at a multiple of
the block size. For example, a block of 64 addresses needs to start at 0,
64, 128, or 192. Since we are blocking a range of addresses, we will
configure the access list to block networks, and then end it with a 'permit
any'.

Blocks of 64 addresses
64-127, 128-191 (These don't appear to be much help.)

Blocks of 32 addresses
96-127, 128-159 (These are close to our range, we may be able to use them
with some modification)

If we look at these two blocks of 32 addresses, we may be able to do some
trimming and achieve the range that we want.

For the first range, we can start by permitting 96-99, and then block the
rest of the range.

access-list 1 permit 10.10.10.96 0.0.0.3
access-list 1 deny 10.10.10.96 0.0.0.31

The net result of these two lines is that we block 100-127 (assuming that
our access list will end with a 'permit any').

For the second range, we need to trim the upper portion, and permit 151 to
159. We can permit 151 by itself, and permit 152 to 159 with a range of 8
addresses, since 152 is a multiple of 8.

access-list 1 permit 10.10.10.151 0.0.0.0
access-list 1 permit 10.10.10.152 0.0.0.7
access-list 1 deny 10.10.10.128 0.0.0.31

The net result of these three lines is that we are blocking 128-150.
(assuming that the access list will end with a 'permit any'.)

By mixing the permit and deny statements, our final access list can be
accomplished in six lines:

access-list 1 permit 10.10.10.96 0.0.0.3
access-list 1 deny 10.10.10.96 0.0.0.31
access-list 1 permit 10.10.10.151 0.0.0.0
access-list 1 permit 10.10.10.152 0.0.0.7
access-list 1 deny 10.10.10.128 0.0.0.31
access-list 1 permit any

- Marvin Greenlee, CCIE#12237, CCSI# 30483
Network Learning Inc
marvin@ccbootcamp.com
www.ccbootcamp.com (Cisco Training)
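The following is an added check, not part of Marvin's or Brian's messages: a small first-match evaluator for IOS standard access lists, run over every last octet of 10.10.10.0/24 to confirm that both the six-line permit/deny list above and the seven-line deny-only list in the quoted message block exactly 100-150 and nothing else. The parser, the evaluator and the two ACL strings (copied from the thread) are the example's own; `ipaddress` is the Python standard-library module.

```python
# Added example: first-match evaluation of IOS standard ACLs, used to verify
# that an ACL denies exactly the intended range. Not code from the thread.
import ipaddress


def ip_to_int(dotted):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care',
    so only the bits where the wildcard is 0 have to agree with the base."""
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (base & care)


def parse_acl(text):
    """Parse lines of the form 'access-list N permit|deny <addr> [<wildcard>]'
    or 'access-list N permit|deny any' into (action, base, wildcard) tuples."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            raise ValueError(f"unsupported line: {line!r}")
        action = parts[2]
        if parts[3] == "any":
            base, wild = 0, 0xFFFFFFFF
        else:
            base = ip_to_int(parts[3])
            # IOS treats a missing wildcard on a standard ACL as 0.0.0.0 (host)
            wild = ip_to_int(parts[4]) if len(parts) > 4 else 0
        entries.append((action, base, wild))
    return entries


def evaluate(entries, addr):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for action, base, wild in entries:
        if wildcard_match(addr, base, wild):
            return action
    return "deny"


def denied_last_octets(acl_text, prefix="10.10.10."):
    """Return the sorted last octets of prefix.0-255 that the ACL denies."""
    entries = parse_acl(acl_text)
    return sorted(o for o in range(256)
                  if evaluate(entries, ip_to_int(f"{prefix}{o}")) == "deny")


# Marvin's six-line permit/deny list, as posted in the thread.
MARVIN_ACL = """
access-list 1 permit 10.10.10.96 0.0.0.3
access-list 1 deny 10.10.10.96 0.0.0.31
access-list 1 permit 10.10.10.151 0.0.0.0
access-list 1 permit 10.10.10.152 0.0.0.7
access-list 1 deny 10.10.10.128 0.0.0.31
access-list 1 permit any
"""

# Brian's seven-line deny-only list, as posted in the quoted message.
BRIAN_ACL = """
access-list 1 deny 10.10.10.100 0.0.0.3
access-list 1 deny 10.10.10.104 0.0.0.7
access-list 1 deny 10.10.10.112 0.0.0.15
access-list 1 deny 10.10.10.128 0.0.0.15
access-list 1 deny 10.10.10.144 0.0.0.3
access-list 1 deny 10.10.10.148 0.0.0.1
access-list 1 deny 10.10.10.150 0.0.0.0
access-list 1 permit any
"""

if __name__ == "__main__":
    target = list(range(100, 151))
    for name, acl in (("Marvin", MARVIN_ACL), ("Brian", BRIAN_ACL)):
        print(name, "denies exactly 100-150:", denied_last_octets(acl) == target)
```

Ordering matters in the six-line list: the `permit 10.10.10.96 0.0.0.3` and the two permits for 151-159 only carve holes out of the following deny because they are evaluated first, which is exactly what the evaluator's first-match loop checks.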

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Brian McGahan
Sent: Thursday, December 23, 2004 4:56 PM
To: Marc Steiniger; ccielab@groupstudy.com
Subject: RE: Inverse mask question - How - ???? [7:95532]
Importance: Low

Marc,

        Each line in an access-list that a packet has to be checked
against uses additional CPU cycles and causes additional delay for the
packet. In today's networks, both of these may be negligible, but it's
always good to be as efficient as possible.

        Within the scope of the CCIE lab however is it feasible that
they could ask a question such as "Configure R1 so that it doesn't
accept traffic from hosts 10.10.10.100 - 10.10.10.150. Use the most
efficient access-list with the minimum number of lines, and do not deny
traffic from any other hosts." In this case obviously using a mask of
0.0.0.255 is not feasible. Now we have to go through the motions of
trying to pair the addresses up and see how many lines we can get down
to.

        At first glance this is how I would break it down:

10.10.10.100 0.0.0.3
--------------------
100 01100100
101 01100101
102 01100110
103 01100111

10.10.10.104 0.0.0.7
--------------------
104 01101000
105 01101001
106 01101010
107 01101011
108 01101100
109 01101101
110 01101110
111 01101111

10.10.10.112 0.0.0.15
------------------
112 01110000
113 01110001
114 01110010
115 01110011
116 01110100
117 01110101
118 01110110
119 01110111
120 01111000
121 01111001
122 01111010
123 01111011
124 01111100
125 01111101
126 01111110
127 01111111

10.10.10.128 0.0.0.15
---------------------
128 10000000
129 10000001
130 10000010
131 10000011
132 10000100
133 10000101
134 10000110
135 10000111
136 10001000
137 10001001
138 10001010
139 10001011
140 10001100
141 10001101
142 10001110
143 10001111

10.10.10.144 0.0.0.3
--------------------
144 10010000
145 10010001
146 10010010
147 10010011

10.10.10.148 0.0.0.1
--------------------
148 10010100
149 10010101

10.10.10.150 0.0.0.0
--------------------
150 10010110

        The final access-list would read:

access-list 1 deny 10.10.10.100 0.0.0.3
access-list 1 deny 10.10.10.104 0.0.0.7
access-list 1 deny 10.10.10.112 0.0.0.15
access-list 1 deny 10.10.10.128 0.0.0.15
access-list 1 deny 10.10.10.144 0.0.0.3
access-list 1 deny 10.10.10.148 0.0.0.1
access-list 1 deny 10.10.10.150 0.0.0.0
access-list 1 permit any

        Now let's see how many addresses this encompasses:

10.10.10.100 0.0.0.3 = 2^2 = 4
10.10.10.104 0.0.0.7 = 2^3 = 8
10.10.10.112 0.0.0.15 = 2^4 = 16
10.10.10.128 0.0.0.15 = 2^4 = 16
10.10.10.144 0.0.0.3 = 2^2 = 4
10.10.10.148 0.0.0.1 = 2^1 = 2
10.10.10.150 0.0.0.0 = 2^0 = 1

4 + 8 + 16 + 16 + 4 + 2 + 1 = 51

100 through 150 inclusive is 151 addresses, so the access-list does not
overlap.

Make sense?

Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com

Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987 x 705
Outside US: 775-826-4344 x 705
24/7 Support: http://forum.internetworkexpert.com
Live Chat: http://www.internetworkexpert.com/chat/
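As an added illustration, not code from either message: the breakdown Brian works through by hand (largest aligned power-of-two block that fits, then continue from the next address) is a general procedure, and this example implements it over full 32-bit addresses and renders the result as IOS standard ACL lines. For 10.10.10.100-150 it reproduces the seven blocks in his message, whose sizes 4+8+16+16+4+2+1 sum to the 51 addresses in the range; a range that crosses an octet boundary is handled the same way. The function names and the second sample range are the example's own.

```python
# Added example: decompose an inclusive address range into the fewest aligned
# power-of-two blocks (deny-only style) and emit IOS wildcard-mask ACL lines.
import ipaddress


def decompose_range(first, last):
    """Return [(start, size), ...] covering first..last inclusive (integers).
    A block of 'size' addresses must start at a multiple of 'size', so at each
    step grow the block while that alignment holds and it still fits."""
    if first > last:
        raise ValueError("empty range")
    blocks = []
    start = first
    while start <= last:
        size = 1
        while start % (size * 2) == 0 and start + size * 2 - 1 <= last:
            size *= 2
        blocks.append((start, size))
        start += size
    return blocks


def covered_count(blocks):
    """Total number of addresses the blocks cover; must equal last-first+1."""
    return sum(size for _, size in blocks)


def acl_lines(first_ip, last_ip, acl_number=1, action="deny"):
    """IOS standard ACL lines blocking first_ip..last_ip, ending in 'permit any'.
    A block of size N starting at an aligned address has wildcard N-1."""
    first = int(ipaddress.IPv4Address(first_ip))
    last = int(ipaddress.IPv4Address(last_ip))
    lines = []
    for start, size in decompose_range(first, last):
        base = ipaddress.IPv4Address(start)
        wildcard = ipaddress.IPv4Address(size - 1)
        lines.append(f"access-list {acl_number} {action} {base} {wildcard}")
    lines.append(f"access-list {acl_number} permit any")
    return lines


if __name__ == "__main__":
    # The range from the thread.
    for line in acl_lines("10.10.10.100", "10.10.10.150"):
        print(line)
    blocks = decompose_range(100, 150)
    print("blocks:", blocks, "covering", covered_count(blocks), "addresses")
    # Constructed second range that crosses an octet boundary.
    print()
    for line in acl_lines("10.10.10.250", "10.10.11.5"):
        print(line)
```

The deny-only decomposition is minimal for aligned blocks, but as Marvin's reply shows, permitting a few addresses in front of a larger deny can save lines, so "fewest blocks" and "fewest ACL lines" are not always the same thing.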



This archive was generated by hypermail 2.1.4 : Mon Jan 03 2005 - 10:31:30 GMT-3