From: Ed Tan (tytanx@gmail.com)
Date: Tue Nov 01 2005 - 17:10:37 GMT-3
Hi all,
I have a way to calculate the match in ACL and just want to get some input
from you experts,
1) To match 192.168.4.0 and 192.168.5.0 in one ACL statement
4 = 0100
5 = 0101
take the "1" position put into the prefix (192.168.4.0)
take the "0" "1" OR put into wildcard mask (0.0.1.255)
2) To match 192.168.1.0 and 192.168.5.0 in one ACL statement
1 = 0001
5 = 0101
take the "1" position put into the prefix (192.168.1.0)
take the "0" "1" OR put into wildcard mask (0.0.4.255)
3) To match 192.168.1.0, 192.168.5.0 and 192.168.8.0, 192.168.9.0, 192.168.10.0, 192.168.11.0,
1 = 0001
2 = 0010
8 = 1000
9 = 1001
10 = 1010
11 = 1011
With the same logic above, you can either have 2 ACL statements
192.168.0.0 0.0.3.255
192.168.8.0 0.0.3.255
OR
192.168.0.0 0.0.11.255 - take the "0" "1" OR put into wildcard mask (0.0.11.255)
Is this correct?
TIA
Ed
On 11/1/05, mark forest <mforest@inetiq.com> wrote:
>
> Ray,
>
> As a complement to what Scott has already put out here, the following link
> is from InternetworkExpert:
>
> http://www.internetworkexpert.com/resources/01700370.htm
>
> Brian McGahan wrote this up. It adds some extra info on the "and" "xor"
> topics too.
>
> Wayne
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> 22Cent@gmail.com
> Sent: Friday, July 01, 2005 8:00 AM
> To: swm@emanon.com; Group Study
> Subject: Re: wildcard access-list question
>
> Hi Scott,
> As I mentioned before, my skull is thick...but I do now fully understand
> the concept. Thanks for taking the time out to explain it to me.
>
> Ray
>
> On 7/1/05, Scott Morris <swm@emanon.com> wrote:
> > Nope.
> >
> > You're going backwards in your numbers anyway...
> >
> > Starting point = 172.70.32.0
> >
> > 172      70       32       0
> > 10101100 01000110 00100000 00000000 = Starting point in binary
> > ===========================================================================
> > 00000000 00000000 00011111 11111111 = Mask in binary
> >
> > 10101100 01000110 001xxxxx xxxxxxxx = Result for what is or is not permitted.
> >
> > Now start plugging some of the values into the third octet (in binary)
> > and make sure that the first three bits are "001" and never change.
> >
> > Scott
> >
> >
> > -----Original Message-----
> > From: 22Cent@gmail.com [mailto:22cent@gmail.com]
> > Sent: Thursday, June 30, 2005 11:47 PM
> > To: swm@emanon.com
> > Cc: Group Study
> > Subject: Re: wildcard access-list question
> >
> > Excuse my thick skull.
> > Would it be fair to say that this access-list is permitting the
> > following range of networks?
> >
> > 10.70.128.0 - 10.70.32.255
> > thanks
> >
> >
> > On 6/30/05, Scott Morris <swm@emanon.com> wrote:
> > > Binary.
> > >
> > > Anyplace there's a '1' in the ACL, you don't care the value.
> > >
> > > 31 = 00011111
> > >
> > > So the first three bits in that octet don't change, anything else
> > > you don't care.
> > >
> > > Windows calculator may help you out in this endeavor, otherwise,
> > > pencil and paper are a great place to get started!
> > >
> > > Scott
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> > > Of 22Cent@gmail.com
> > > Sent: Thursday, June 30, 2005 11:05 PM
> > > To: Group Study
> > > Subject: wildcard access-list question
> > >
> > > Hi Group,
> > > How do I determine which networks are permitted in the following
> > > access-list ?
> > >
> > > access-list 22 permit 10.70.32.0 0.0.31.255
> > >
> > > Any help would be great. TIA
> > >
> > > Ray
> > >
> > > ______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
>
This archive was generated by hypermail 2.1.4 : Thu Dec 01 2005 - 09:12:04 GMT-3
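
The wildcard rule discussed in this thread (a 1 bit in the mask means "don't care"), as an added Python example that is not part of the original messages: it builds one base/wildcard pair for a list of networks and then enumerates the third-octet values the statement really matches, so any over-match is visible before the ACL is deployed. The function names are assumptions made for illustration; the sample networks are the ones quoted in the thread.

```python
import ipaddress

MASK32 = 0xFFFFFFFF

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def to_str(value):
    return str(ipaddress.IPv4Address(value))

def wildcard_match(addr, base, wildcard):
    """True if addr matches 'base wildcard'; 1 bits in the wildcard are ignored."""
    care = ~to_int(wildcard) & MASK32
    return ((to_int(addr) ^ to_int(base)) & care) == 0

def summarize(networks, host_wildcard="0.0.0.255"):
    """One base/wildcard pair covering every listed network (may over-match)."""
    values = [to_int(n) for n in networks]
    wildcard = to_int(host_wildcard)
    for v in values[1:]:
        wildcard |= values[0] ^ v          # any differing bit becomes "don't care"
    base = values[0] & ~wildcard & MASK32  # clear the ignored bits in the base
    return to_str(base), to_str(wildcard)

def matched_third_octets(base, wildcard, prefix="192.168."):
    """Third-octet values under prefix that the statement really matches."""
    return [n for n in range(256)
            if wildcard_match(f"{prefix}{n}.0", base, wildcard)]

def over_match(networks, prefix="192.168."):
    """Third octets permitted by the summary but absent from the intended list."""
    base, wildcard = summarize(networks)
    wanted = {int(n.split(".")[2]) for n in networks}
    return [n for n in matched_third_octets(base, wildcard, prefix)
            if n not in wanted]

if __name__ == "__main__":
    # Networks from the thread's third case (binary list 1, 2, 8, 9, 10, 11).
    nets = [f"192.168.{n}.0" for n in (1, 2, 8, 9, 10, 11)]
    print(summarize(nets), "extra third octets:", over_match(nets))
    # The access-list from the original question.
    print(matched_third_octets("10.70.32.0", "0.0.31.255", prefix="10.70."))
```

A non-empty `over_match` result means the single statement permits networks that were never on the intended list, which is the thing to check before collapsing several ACL lines into one.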