Patrick, very good explanation... thanks

From: [email protected]
To: [email protected]
CC: [email protected]; [email protected]
Date: Thu, 26 Jan 2012 14:57:53 +0000
Subject: RE: [OSL | CCIE_RS] wildcard mask volume 1 lab 16

Kid,

If you want to block the 200.0.0.1, .3 and .5 you are looking at the following:

    00000001    .1
    00000011    .3
    00000101    .5

The common denominator in this range is going to be 00000xx1. So the mask of 0.0.0.6 will do for blocking these IPs, but the base address will have to change to 0000001 meaning 200.0.0.1 with a mask of 0.0.0.6. Bad thing about this is that it will also block 200.0.0.7, as this has a binary equivalent of 00000111. As the last bit must be a one and the 2 and 4 bits are don't care, it will also cover this one.

So if you only want to block the 3 addresses mentioned your ACL will look like one of the following:

    access-list 1 permit 200.0.0.7 0.0.0.0    (permitting .7)
    access-list 1 deny 200.0.0.1 0.0.0.6      (effectively denying .1, .3, .5, as .7 was permitted already)
    access-list 1 permit any                  (permitting anything else)

    access-list 2 deny 200.0.0.1 0.0.0.2      (effectively denying .1 and .3)
    access-list 2 deny 200.0.0.5 0.0.0.0      (denying .5)
    access-list 2 permit any                  (permitting anything else)

For CCIE_KID,

The reason the previous didn't deny the routes you mention is because we are using a wildcard-mask of .6 and not .7, which would block everything in the range 200.0.0.0 to 200.0.0.7 as you mention. With .6 it will only deny the even routes with a base address of 200.0.0.0 and only the odd routes with a base address of 200.0.0.1.

Kind regards,
Patrick Keja

From: CCIE KID [mailto:[email protected]]
Sent: 26 January 2012 15:44
To: Keja,P,Patrick,JBP17 R
Cc: [email protected]; [email protected]
Subject: Re: [OSL | CCIE_RS] wildcard mask volume 1 lab 16

Patrick, why didn't it block 200.0.0.1, 200.0.0.3 and 200.0.0.5?

On Thu, Jan 26, 2012 at 7:42 PM, <[email protected]> wrote:

Yiannis,

    200.0.0.0    last octet 00000000
    0.0.0.6      last octet 00000110

So the 2 and 4 bits of the last octet are don't care bits, resulting in the options below:

    00000000    0
    00000010    2
    00000100    4
    00000110    6

So this part will deny 200.0.0.0, 200.0.0.2, 200.0.0.4 and 200.0.0.6 from communicating. If you have no additional lines in your access-list, nothing will be communicated because of the implicit deny at the end though.

Kind regards,
Patrick Keja

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Yiannis -----------
Sent: 26 January 2012 14:51
To: [email protected]
Subject: [OSL | CCIE_RS] wildcard mask volume 1 lab 16

Hi guys,

If you have the following access list

    access-list 1 deny 200.0.0.0 0.0.0.6

could you please explain which networks will be allowed/denied and how you arrive at the result?

Thanks very much
yiannis

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
http://onlinestudylist.com/mailman/listinfo/ccie_rs

--
With Warmest Regards,
CCIE KID
CCIE#29992 (Security)
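
The wildcard matching and first-match evaluation worked through in this thread, as an added Python example that is not part of the original messages. The function names and the tuple form of the ACL entries are assumptions made for illustration; the addresses and masks are the ones quoted in the thread.

```python
from ipaddress import IPv4Address

def matches(addr, base, wildcard):
    """Wildcard match: a 1 bit in the wildcard is don't-care, a 0 bit must equal the base."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)

def covered(base, wildcard):
    """List every address one entry matches, including non-contiguous wildcards like 0.0.0.6."""
    w = int(IPv4Address(wildcard))
    fixed = int(IPv4Address(base)) & ~w & 0xFFFFFFFF  # keep only the bits that must match
    out, sub = [], 0
    while True:
        out.append(str(IPv4Address(fixed | sub)))
        sub = (sub - w) & w  # step to the next combination of the don't-care bits
        if sub == 0:
            return out

def evaluate(acl, addr):
    """First matching entry decides; no match falls through to the implicit deny."""
    for action, base, wildcard in acl:
        if matches(addr, base, wildcard):
            return action
    return "deny"

ANY = ("0.0.0.0", "255.255.255.255")  # equivalent of "permit any"

# The single-line list from the original question.
ORIGINAL = [("deny", "200.0.0.0", "0.0.0.6")]
# The two alternatives from the reply.
ACL_1 = [("permit", "200.0.0.7", "0.0.0.0"),
         ("deny", "200.0.0.1", "0.0.0.6"),
         ("permit", *ANY)]
ACL_2 = [("deny", "200.0.0.1", "0.0.0.2"),
         ("deny", "200.0.0.5", "0.0.0.0"),
         ("permit", *ANY)]

def denied(acl, hosts=range(8)):
    """Last-octet values in 200.0.0.0-200.0.0.7 that the ACL denies."""
    return [h for h in hosts if evaluate(acl, f"200.0.0.{h}") == "deny"]

if __name__ == "__main__":
    print("200.0.0.0 0.0.0.6 covers:", covered("200.0.0.0", "0.0.0.6"))
    print("200.0.0.1 0.0.0.6 covers:", covered("200.0.0.1", "0.0.0.6"))
    for name, acl in (("original", ORIGINAL), ("ACL 1", ACL_1), ("ACL 2", ACL_2)):
        print(name, "denies last octets:", denied(acl))
```

Enumerating `covered()` before deploying an entry with a non-contiguous wildcard shows unintended matches such as 200.0.0.7 up front.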
