From: VirtRack.com Mailing Lists (ciscolists@gmail.com)
Date: Sun Dec 03 2006 - 11:58:42 ART
Actually, you will be denying a bit more than the ones you want:
51.1.0.1 and 51.1.0.9 would also be denied.
The .6 in the 2nd octet says that the '4' and '2' bits do not matter, but
the rest do. The .1 matches a bit that must be checked, leaving our
possible matches all having a 1 in that position, meaning they will all be
odd.
By cycling through the '4' and '2' positions we have 4 possibilities:
42
00 = 0
01 = 2
10 = 4
11 = 6
Adding the needed 1 to each, we get 1,3,5,7.
You listed the 3,5,7 networks above but skipped the first one... the case
where both '2' and '4' bits were 0, leaving the .1 address.
Then moving to the final octet, our matched addresses double as the '8' bit
is examined, with the necessary '1' bit being set again, which gives us 1 and 9
for a final octet as you have listed. Therefore, I say you will match ALL
the ones you listed, plus 2 more. And as Scott stated, you'll need to
overcome the implicit deny all with a permit statement at the end.
On 12/3/06, deji500@hotmail.com <deji500@hotmail.com> wrote:
>
> Hello group
>
> To match and deny the following IP address:
> 51.3.0.1
> 51.5.0.1
> 51.7.0.1
> 51.3.0.9
> 51.5.0.9
> 51.7.0.9
>
> will this accesslist work?
> access-list 1 deny 51.1.0.1 0.6.0.8
>
This archive was generated by hypermail 2.1.4 : Tue Jan 02 2007 - 07:50:36 ART
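
Added example, not part of the original thread: a small Python check that enumerates every address matched by the entry "51.1.0.1 0.6.0.8" discussed above and reports the ones that were not on the intended list. The function names and the 16-bit enumeration limit are assumptions made for this illustration.

```python
import ipaddress


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_matches(address: str, wildcard: str, max_free_bits: int = 16) -> list[str]:
    """Enumerate every IPv4 address matched by an ACL entry 'address wildcard'.

    A 1 bit in the wildcard means "don't care"; a 0 bit must equal the
    corresponding bit of the address. The mask does not have to be contiguous.
    """
    base, mask = _to_int(address), _to_int(wildcard)
    free_bits = [1 << i for i in range(32) if (mask >> i) & 1]
    if len(free_bits) > max_free_bits:
        raise ValueError("wildcard leaves too many bits free to enumerate")
    fixed = base & ~mask & 0xFFFFFFFF      # bits that every match must carry
    results = [fixed]
    for bit in free_bits:                  # each free bit doubles the match set
        results += [value | bit for value in results]
    return [str(ipaddress.IPv4Address(v)) for v in sorted(results)]


def over_matched(address: str, wildcard: str, intended: list[str]) -> list[str]:
    """Addresses the entry matches that are not in the intended list."""
    wanted = {_to_int(ip) for ip in intended}
    return [ip for ip in wildcard_matches(address, wildcard) if _to_int(ip) not in wanted]


# The six addresses from the original question.
INTENDED = ["51.3.0.1", "51.5.0.1", "51.7.0.1",
            "51.3.0.9", "51.5.0.9", "51.7.0.9"]

if __name__ == "__main__":
    for ip in wildcard_matches("51.1.0.1", "0.6.0.8"):
        print(ip)
    print("not intended:", over_matched("51.1.0.1", "0.6.0.8", INTENDED))
```

Three free bits (the '4' and '2' bits of the second octet and the '8' bit of the last) give 2^3 = 8 matches, two more than the six that were wanted.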