From: JM HotMail (norouterrip@hotmail.com)
Date: Tue Oct 24 2006 - 22:59:50 ART
It depends on what we are matching, I believe:
For your example:
- if hosts: wildcard 0.X.0.255 for example
- if routes: wildcard 0.X.0.0 (The network address for 192.168.1.0/24 is
192.168.1.0...)
And if the use is for a distribute list you would be matching the route
prefix.
Jean-Marc
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Ben Holko
Sent: Tuesday, October 24, 2006 6:14 PM
To: ccielab@groupstudy.com
Subject: RE: Computing Access-List and Wildcard Pairs
In this case, the ACL is being used as a distribute-list
10.32.0.0 is not the same routing prefix as 10.32.0.1
10.32.0.1 would be denied as a prefix by this ACL
If this ACL were an input filtering ACL (ip access-group interface
level) then it would also block 10.32.0.1
The ACL is saying "match 10.0.0.0 /16" specifically, not "match 10.0.*.*"
To match:
10.0.*.*
10.4.*.*
10.32.*.*
10.36.*.*
You would need
access-list 1 permit 10.0.0.0 0.36.255.255
(I think!)
Ben
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Ben Zheng
Sent: Wednesday, 25 October 2006 10:42 AM
To: ccielab@groupstudy.com
Subject: Computing Access-List and Wildcard Pairs
Hi
Brian at Internetwork Expert has an excellent doc on how to compute
access-list and wildcard pairs.
http://www.internetworkexpert.com/resources/01700370.htm
In the example, a single access list is used for 10.0.0.0/16, 10.4.0.0/16,
10.32.0.0/16 and 10.36.0.0/16:
access-list 1 permit 10.0.0.0 0.36.0.0
The traffic with the same address in 0 bit wildcard will be permitted.
Assume we have traffic from 10.32.0.1, which is part of the 10.32.0.0/16
network. The "1" in the last octet doesn't match the "0" in the access-list;
will it still be permitted? Why?
Ben
This archive was generated by hypermail 2.1.4 : Wed Nov 01 2006 - 07:29:06 ART
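
The wildcard arithmetic discussed in this thread, as an added example that is not part of any poster's message or of the referenced Internetwork Expert document. The function names are hypothetical; the addresses and wildcards are the ones quoted in the thread, and `exact` flags a pair that would match more than the networks it was built from.

```python
import ipaddress

FULL = 0xFFFFFFFF

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def to_str(value):
    return str(ipaddress.IPv4Address(value))

def acl_matches(acl_addr, wildcard, candidate):
    """Bits where the wildcard is 0 must equal the ACL address; 1 bits are ignored."""
    care = ~to_int(wildcard) & FULL
    return (to_int(acl_addr) & care) == (to_int(candidate) & care)

def summarize(addresses):
    """Collapse addresses into one (address, wildcard, exact) entry.

    exact is False when the pair also matches values that were not supplied,
    i.e. 2**(wildcard 1-bits) is larger than the number of inputs.
    """
    values = {to_int(a) for a in addresses}
    common, union = FULL, 0
    for v in values:
        common &= v            # bits set in every input
        union |= v             # bits set in at least one input
    wildcard = common ^ union  # bits that differ somewhere
    exact = 2 ** bin(wildcard).count("1") == len(values)
    return to_str(common), to_str(wildcard), exact

def expand(acl_addr, wildcard):
    """List every value the pair matches (keep the wildcard small)."""
    mask = to_int(wildcard)
    base = to_int(acl_addr) & ~mask & FULL
    matched, sub = [], 0
    while True:
        matched.append(to_str(base | sub))
        sub = (sub - mask) & mask  # next subset of the wildcard bits
        if sub == 0:
            return matched

if __name__ == "__main__":
    nets = ["10.0.0.0", "10.4.0.0", "10.32.0.0", "10.36.0.0"]  # from the thread
    print(summarize(nets))
    print(expand("10.0.0.0", "0.36.0.0"))
    print(acl_matches("10.0.0.0", "0.36.0.0", "10.32.0.1"))      # host vs. prefix
    print(acl_matches("10.0.0.0", "0.36.255.255", "10.32.0.1"))
```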