RE: wildcard mask question

From: blodwick (blodwick@columbus.rr.com)
Date: Sat Nov 26 2005 - 16:34:03 GMT-3


I love these kinds of questions! Anyone who enjoys mathematics can
appreciate the coolness of the flexibility of the wildcard mask in the
IOS. At first it does not seem right since from the beginning we are
taught about leftmost bits of a subnet mask indicating the "network"
portion of the address, then the leftover bits are the available host
bits (excluding the network and broadcast). We also learned that in the
beginning subnet masks had a fixed length; then later came the concept
of variable length subnet masks. So naturally when we go to use
wildcard masks we stick with the same rules and simply invert your
thought process and apply variable length masking from right to left
instead of left to right, but the cool part is the wildcard mask does
not have the same rules that an IP subnet mask has.

If you want to make an access-list that defines the following nets -
192.168.1.0/24, 192.168.3.0/24, 192.168.5.0/24, and 192.168.7.0/24 you
can do it in 1 statement, by not sticking to the contiguous bit model.

access-list 101 permit ip any 192.168.1.0 0.0.6.255

Or how about in one statement select only the following nets -
172.16.32.0/24, 172.16.36.0/24, 172.16.48.0/24, 172.16.52.0/24,
168.16.32.0/24, 168.16.36.0/24, 168.16.48.0/24, 168.16.52.0/24.

access-list 102 permit ip any 168.16.32.0 4.0.20.0

I used examples of course that fit nicely, but if a question asks you to
do something like this and, let's say, one or two nets don't fit, you can
throw in the ones that don't fit as initial deny statements and you'll
probably still end up with fewer lines.

~ Brian L

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Pierre-Alex
Sent: Friday, November 25, 2005 3:11 PM
To: Montiean; ccielab@groupstudy.com
Subject: Re: wildcard mask question

Why not use an extended access-list to match the mask also?

This way you don't have to worry about matching other prefixes.

You are doing exactly what was asked of you!

access-list 100 permit ip 192.168.20.0 0.0.3.0 255.255.255.0 0.0.0.0

Pierre

----- Original Message -----
From: "Montiean" <noktes@bellsouth.net>
To: <ccielab@groupstudy.com>
Sent: Monday, October 31, 2005 12:24 AM
Subject: wildcard mask question

> Folks,
> Just want to get the idea on wildcard mask using acl in the lab.
> For an example, let's say we need to use only one statement in acl to filter
> routes below
>
> 192.168.20.0/24
> 192.168.21.0/24
> 192.168.22.0/24
> 192.168.23.0/24
>
> So we can use either way as below
>
> access-list 1 permit 192.168.20.0 0.0.3.0
> or
> access-list 1 permit 192.168.20.0 0.0.3.255
>
> The result is going to be the same but which way should be right in the
> lab.
> Any comments would be appreciated.
>
> Thanks,
> Montiean
>
>



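Added example, not part of any message in this thread: a Python check of what a non-contiguous wildcard mask really matches, run against the two statements in the top message, plus the reverse step of deriving one base/wildcard pair from a list of networks and listing any extra networks it lets through (the candidates for the initial deny statements mentioned above). The helper names `matched_networks` and `summarize` and the last sample list are constructed for this illustration.

```python
import ipaddress
from itertools import product

def _int(addr):
    return int(ipaddress.IPv4Address(addr))

def matched_networks(base, wildcard, prefixlen=24):
    """Every /prefixlen network matched by 'base wildcard' (wildcard 1-bits = don't care)."""
    shift = 32 - prefixlen
    wild = _int(wildcard) >> shift            # ignore host bits below the prefix
    fixed = (_int(base) >> shift) & ~wild     # bits that must match exactly
    free = [1 << i for i in range(prefixlen) if wild >> i & 1]
    nets = set()
    for picks in product((0, 1), repeat=len(free)):
        value = fixed | sum(bit for bit, on in zip(free, picks) if on)
        nets.add(f"{ipaddress.IPv4Address(value << shift)}/{prefixlen}")
    return nets

def summarize(wanted, prefixlen=24):
    """Tightest single base/wildcard covering `wanted`, and the extra networks it also matches."""
    addrs = [int(ipaddress.IPv4Network(n).network_address) for n in wanted]
    wild = 0
    for a in addrs:
        wild |= a ^ addrs[0]                  # any bit that differs must be "don't care"
    base = addrs[0] & ~wild & 0xFFFFFFFF
    base_s = str(ipaddress.IPv4Address(base))
    wild_s = str(ipaddress.IPv4Address(wild)) # network bits only; host octet left at 0
    extras = matched_networks(base_s, wild_s, prefixlen) - set(wanted)
    return base_s, wild_s, sorted(extras)

if __name__ == "__main__":
    # The two statements from the top message.
    print(sorted(matched_networks("192.168.1.0", "0.0.6.255")))
    print(sorted(matched_networks("168.16.32.0", "4.0.20.0")))
    # The four networks from the original question fit exactly.
    print(summarize([f"192.168.{n}.0/24" for n in (20, 21, 22, 23)]))
    # Constructed list that does not fit: the extras are what a deny would have to cover.
    print(summarize(["192.168.1.0/24", "192.168.2.0/24", "192.168.4.0/24"]))
```

An empty third element from `summarize` means the single statement matches only the listed networks; a non-empty one is the over-match to handle before relying on the statement.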