RE: Funky acl question-Check if this is correct

From: Djerk Geurts (djerk@djerk.nl)
Date: Mon Jul 09 2007 - 11:58:44 ART

• Next message: Ivan: "Re: username Johndoe secret CISCO vs. Service"
• Previous message: John Gibson: "RE: 3640 SNAT cannot use TCP to talk to peers, not compatible"
• Maybe in reply to: Djerk Geurts: "RE: Funky acl question-Check if this is correct"
• Next in thread: Djerk Geurts: "RE: Funky acl question-Check if this is correct"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Mohamed,

If I may... :)

> Hi All,
>
> What about this one:
>
> x x x x x x x x
> 0 0 0 0 0 1 0 1 - 5
> 0 0 0 0 1 0 1 0 - 10
> 0 0 0 0 1 1 0 0 - 12
> 0 0 0 0 1 1 0 1 - 13
> 0 0 0 0 1 1 1 1 - 15
>
>
> 0 0 0 0 1 0 1 0
> 0 0 0 0 1 1 1 1
> ---------------
> 10.0.10.0 0.0.5.255

0.0.5.255 = 3rd octet 0000 0101 => will match 4 in this case networks

00 -> 1010 = .10
01 -> 1011 = .11 < no match desired
10 -> 1110 = .14 < no match desired
11 -> 1111 = .15

>
> 0 0 0 0 0 1 0 1
> 0 0 0 0 1 1 0 1
> ---------------
> 10.0.5.0 0.0.10.255

0000 1101 = .13 not .10

.10 is also a 2 bit mask:
00 -> 0101 = .5
01 -> 0111 = .7 < no match desired
10 -> 1101 = .13
11 -> 1111 = .15

>
> 0 0 0 0 1 1 0 0
> ---------------
> 10.0.12.0 0.0.0.0

Use 0.0.0.255 as a mask to match traffic, otherwise it only permits a
network which is fine when filtering routes.

Regards,
Djerk

• Next message: Ivan: "Re: username Johndoe secret CISCO vs. Service"
• Previous message: John Gibson: "RE: 3640 SNAT cannot use TCP to talk to peers, not compatible"
• Maybe in reply to: Djerk Geurts: "RE: Funky acl question-Check if this is correct"
• Next in thread: Djerk Geurts: "RE: Funky acl question-Check if this is correct"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Sat Aug 18 2007 - 08:17:40 ART