From: hadek.el-ayachi@nsn.com
Date: Tue Sep 11 2007 - 07:02:52 ART
Hi Joe,
But you are still missing the 172.16.12.0/24.
Do you have the ACL optimizer in CiscoWorks? Could you enter this
sequence and see:
permit ip 172.16.128.0 0.0.127.255 any
permit ip 172.16.64.0 0.0.63.255 any
permit ip 172.16.32.0 0.0.31.255 any
permit ip 172.16.16.0 0.0.15.255 any
permit ip 172.16.12.0 0.0.3.255 any
permit ip 172.16.10.0 0.0.1.255 any
permit ip 172.16.9.0 0.0.0.255 any
permit ip 172.16.0.0 0.0.7.255 any
thanks
-----Original Message-----
From: ext Joe Carr (Enventis) [mailto:jcarr@enventis.com]
Sent: Monday, 10 September 2007 17:09
To: El Ayachi Hadek (NSN - MA/Rabat); ccielab@groupstudy.com
Subject: RE: Extended ACL Block with Permits
I goofed on my ACL. The 6th line should have been
permit 172.16.64.0 0.0.191.255
And the last line should never have made it into the ACL.
Are there any tricks with using prefix length matching on an extended
ACL that could shorten up the solution?
Joe
-----Original Message-----
From: hadek.el-ayachi@nsn.com [mailto:hadek.el-ayachi@nsn.com]
Sent: Monday, September 10, 2007 11:52 AM
To: Joe Carr (Enventis); ccielab@groupstudy.com
Subject: RE: Extended ACL Block with Permits
The answer below permits 172.16.8.0/24 in the 6th line or the last line.
I suggest the simplest one below:
permit ip 172.16.128.0 0.0.127.255 any
permit ip 172.16.64.0 0.0.63.255 any
permit ip 172.16.32.0 0.0.31.255 any
permit ip 172.16.16.0 0.0.15.255 any
permit ip 172.16.12.0 0.0.3.255 any
permit ip 172.16.10.0 0.0.1.255 any
permit ip 172.16.9.0 0.0.0.255 any
permit ip 172.16.0.0 0.0.7.255 any
I don't know how to make things simpler.
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
ext Joe Carr (Enventis)
Sent: Monday, 10 September 2007 15:50
To: ccielab@groupstudy.com
Subject: RE: Extended ACL Block with Permits
Does anyone have any suggestions for this one?
-----Original Message-----
From: Joe Carr (Enventis)
Sent: Sunday, September 09, 2007 9:42 AM
To: Joe Carr (Enventis); 'ccielab@groupstudy.com'
Subject: RE: Extended ACL Block with Permits
This is the best I could come up with.
Extended IP access list TESTING
permit ip 172.16.0.0 0.0.7.255 any
permit ip 172.16.9.0 0.0.6.255 any
permit ip 172.16.10.0 0.0.5.255 any
permit ip 172.16.16.0 0.0.239.255 any
permit ip 172.16.32.0 0.0.223.255 any
permit ip 172.16.0.0 0.0.191.255 any
permit ip 172.16.128.0 0.0.127.255 any
permit ip any any
Here is how I broke down the bits in the 3rd octet line by line:
1 = 0 - 7
2 = 9,11,13,15
3 = 10,12,14
4 = anything with the 5th bit on
5 = anything with the 6th bit on
6 = anything with the 7th bit on
7 = anything with the 8th bit on
8 = all other traffic
I know there is some trick to this but I just cannot figure it out. It
may have something to do with prefix matching on an extended named ACL.
Joe
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Joe Carr (Enventis)
Sent: Saturday, September 08, 2007 9:23 AM
To: ccielab@groupstudy.com
Subject: Extended ACL Block with Permits
What would be the least amount of commands used to block an IP address
using only permit statements in an Extended ACL?
Let's say we want to block 172.16.8.0/24 but permit all other
172.16.0.0/24 addresses.
Joe
This archive was generated by hypermail 2.1.4 : Sat Oct 06 2007 - 12:01:10 ART
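
Added example, not part of the original thread: a Python check that applies Cisco wildcard-mask matching to each ACL and lists the third-octet values of 172.16.x.0/24 that fall through to the implicit deny. HADEK is copied from the thread; JOE_CORRECTED is a transcription of Joe's list with his stated fix applied (line 6 replaced, final `permit ip any any` dropped); the function names are illustrative.

```python
import ipaddress

# ACLs transcribed from the thread (see lead-in for how JOE_CORRECTED was built).
HADEK = """
permit ip 172.16.128.0 0.0.127.255 any
permit ip 172.16.64.0 0.0.63.255 any
permit ip 172.16.32.0 0.0.31.255 any
permit ip 172.16.16.0 0.0.15.255 any
permit ip 172.16.12.0 0.0.3.255 any
permit ip 172.16.10.0 0.0.1.255 any
permit ip 172.16.9.0 0.0.0.255 any
permit ip 172.16.0.0 0.0.7.255 any
"""
JOE_CORRECTED = """
permit ip 172.16.0.0 0.0.7.255 any
permit ip 172.16.9.0 0.0.6.255 any
permit ip 172.16.10.0 0.0.5.255 any
permit ip 172.16.16.0 0.0.239.255 any
permit ip 172.16.32.0 0.0.223.255 any
permit ip 172.16.64.0 0.0.191.255 any
permit ip 172.16.128.0 0.0.127.255 any
"""

def parse_acl(text):
    """Return (address, wildcard) integer pairs for each 'permit ip A W any' line."""
    entries = []
    for line in text.split("\n"):
        tok = line.split()
        if len(tok) == 5 and tok[:2] == ["permit", "ip"]:
            entries.append(tuple(int(ipaddress.IPv4Address(t)) for t in tok[2:4]))
    return entries

def permitted(addr, entries):
    """Wildcard match: bits set in the wildcard are ignored, all other bits must be equal."""
    return any(((addr ^ base) & ~wild & 0xFFFFFFFF) == 0 for base, wild in entries)

def unmatched_third_octets(acl_text):
    """Third-octet values x where some host in 172.16.x.0/24 hits the implicit deny."""
    entries = parse_acl(acl_text)
    net = int(ipaddress.IPv4Address("172.16.0.0"))
    return [x for x in range(256)
            if not all(permitted(net | (x << 8) | h, entries) for h in range(256))]

if __name__ == "__main__":
    print("Hadek:", unmatched_third_octets(HADEK))
    print("Joe (corrected):", unmatched_third_octets(JOE_CORRECTED))
```

Running the same check against any candidate ACL before deploying it catches subnets that a non-contiguous wildcard mask silently leaves unmatched.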