From: Ben Holko (ben.holko@globalcenter.net.au)
Date: Tue Oct 24 2006 - 22:13:52 ART
In this case, the ACL is being used as a distribute-list.
10.32.0.0 is not the same routing prefix as 10.32.0.1.
10.32.0.1 would be denied as a prefix by this ACL.
If this ACL were an input filtering ACL (ip access-group interface level) then it would also block 10.32.0.1.
The ACL is saying "match 10.0.0.0 /16" specifically, not "match 10.0.*.*".
To match:
10.0.*.*
10.4.*.*
10.32.*.*
10.36.*.*
You would need
access-list 1 permit 10.0.0.0 0.36.255.255
(I think!)
Ben
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Ben Zheng
Sent: Wednesday, 25 October 2006 10:42 AM
To: ccielab@groupstudy.com
Subject: Computing Access-List and Wildcard Pairs
Hi
Brian at Internetwork Expert has an excellent doc on how to compute access-list and wildcard pairs.
http://www.internetworkexpert.com/resources/01700370.htm
In the example, a single access list is used for 10.0.0.0/16, 10.4.0.0/16, 10.32.0.0/16 and 10.36.0.0/16:
access-list 1 permit 10.0.0.0 0.36.0.0
The traffic with the same address in 0 bit wildcard will be permitted.
Assume we have traffic from 10.32.0.1, which is part of the 10.32.0.0/16 network. The "1" in the last octet doesn't match the "0" in the access-list; will it still be permitted? Why?
Ben
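
The wildcard comparison discussed in this thread, as an added Python example that is not part of either message: it applies the two address/wildcard pairs quoted above to sample values and lists everything the 0.36.0.0 pair matches. The function names are assumptions made for illustration.

```python
import ipaddress


def _to_int(dotted):
    """Convert a dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(candidate, base, wildcard):
    """Standard-ACL style comparison: a 1 bit in the wildcard means
    "don't care"; every 0 bit must be identical in candidate and base."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(candidate) & care) == (_to_int(base) & care)


def enumerate_matches(base, wildcard):
    """Return every value matched by base/wildcard, in ascending order.
    Only practical when the wildcard has a handful of 1 bits."""
    b, w = _to_int(base), _to_int(wildcard)
    free_bits = [1 << i for i in range(32) if w & (1 << i)]
    fixed = b & ~w & 0xFFFFFFFF
    values = []
    for combo in range(1 << len(free_bits)):
        value = fixed
        for n, bit in enumerate(free_bits):
            if combo & (1 << n):
                value |= bit
        values.append(value)
    return [str(ipaddress.IPv4Address(v)) for v in sorted(values)]


if __name__ == "__main__":
    # 36 = 0b00100100, so only the "32" and "4" bits of the second octet float.
    print(enumerate_matches("10.0.0.0", "0.36.0.0"))
    # Sample values constructed for this example.
    for addr in ("10.32.0.0", "10.32.0.1", "10.36.200.7", "10.8.0.1"):
        print(addr,
              "0.36.0.0:", wildcard_match(addr, "10.0.0.0", "0.36.0.0"),
              "0.36.255.255:", wildcard_match(addr, "10.0.0.0", "0.36.255.255"))
```

When the ACL is referenced by a distribute-list the value compared is the route's network address; when it is applied with ip access-group it is the packet's source address.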