>Why?

Less processing.
Elegance :)
Cleverness :)
More documentation ~%[

I love that sort of stuff --
hmm, I guess this means that you wouldn't hire me, eh, Howard?


-------------------------------------------------
Tks        | <mailto:[EMAIL PROTECTED]>
BV         | <mailto:[EMAIL PROTECTED]>
Sr. Technical Consultant,  SBM, A Gates/Arrow Co.
Vox 770-623-3430           11455 Lakefield Dr.
Fax 770-623-3429           Duluth, GA 30097-1511
=================================================
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Howard C. Berkowitz
Sent: Saturday, March 03, 2001 1:31 PM
To: [EMAIL PROTECTED]
Subject: Re: wildcard in access-list


>I have two parts of a large network, the first part using 141.120.0.0
>thru 141.120.7.255 and the second part using 141.120.128.0 thru
>141.120.135.255. At the router connecting to Internet I want access from
>outside limited only to these subnets and not to other addresses used. I
>know that the following will work for TCP:
>
>access-list 101 permit tcp any 141.120.0.0 0.0.7.255
>access-list 101 permit tcp any 141.120.128.0 0.0.7.255
>
>I want to condense this to a single statement as follows:
>
>access-list 101 permit tcp any 141.120.0.0 0.0.135.255


Why?

Or, to put in other terms, how would you like to find that access
list statement in an undocumented configuration you've just been
asked to troubleshoot?

A good rule of thumb:  suspect any mask octet that doesn't have
contiguous bits, unless you are EXACTLY sure why it's being done:

       Subnet           Wildcard
       ------           --------
          255               0
          254               1
          252               3
          248               7
          240              15
          224              31
          192              63
          128             127
            0             255

>
>Will this work?
>For example 141.120.9.2 should not be allowed.
>In binary 141.120.9.2 is 10001101.01111000.00001001.00000010.
>
>My understanding of the steps of how the access-list works is:
>
>1) perform a NOT on the mask, which gives in binary
>       11111111.11111111.01111000.00000000
>2) perform an AND between this and the IP address, which gives in binary
>       10001101.01111000.00001000.00000000
>3) compare the result with the original IP address in the access-list;
>       the comparison fails
>4) if successful, allow, otherwise drop.
>       so the packet is dropped.
>
>Is the above correct?
>I don't have a lab to test this. I would appreciate any help. Thanks.
>
>Nelluri

_________________________________
FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

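The matching steps Nelluri walks through, and Howard's "suspect a wildcard octet with non-contiguous bits" rule of thumb, as an added example that is not part of the thread. It models only the destination-address part of an IOS extended ACL entry (protocol, ports and the implicit deny are out of scope), applies the NOT/AND/compare steps from the question, flags wildcards that are not of the 0...01...1 form, and enumerates exactly which addresses an entry admits so the two-line and one-line versions can be compared. All function names and the address lists are this example's own.

```python
"""Cisco-style wildcard-mask matching and a contiguity check.

Added example, not code from the original mailing-list thread. The
addresses are the ones from the question (141.120.0.0/21 and
141.120.128.0/21); everything else is an assumption of this example.
"""
import ipaddress

MASK32 = 0xFFFFFFFF


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def int_to_ip(n: int) -> str:
    return str(ipaddress.IPv4Address(n))


def wildcard_match(packet: str, acl_addr: str, wildcard: str) -> bool:
    """Nelluri's steps 1-3: NOT the wildcard, AND it with the packet
    address and with the ACL address, compare. A 1 bit in the wildcard
    means 'don't care'."""
    care = ~ip_to_int(wildcard) & MASK32
    return (ip_to_int(packet) & care) == (ip_to_int(acl_addr) & care)


def wildcard_is_contiguous(wildcard: str) -> bool:
    """Howard's rule of thumb, applied to the whole 32-bit wildcard:
    True only when all the don't-care bits sit at the low end
    (0.0.7.255 passes; 0.0.135.255 does not, since 135 = 10000111)."""
    w = ip_to_int(wildcard)
    # w + 1 is a power of two exactly when w looks like 0...01...1.
    return (w & (w + 1)) == 0


def matched_addresses(acl_addr: str, wildcard: str) -> set:
    """Every address an entry accepts: the fixed bits from acl_addr
    plus all 2**k settings of the k don't-care bits."""
    w = ip_to_int(wildcard)
    base = ip_to_int(acl_addr) & ~w & MASK32
    free_bits = [b for b in range(32) if (w >> b) & 1]
    matched = set()
    for combo in range(1 << len(free_bits)):
        val = base
        for i, bit in enumerate(free_bits):
            if (combo >> i) & 1:
                val |= 1 << bit
        matched.add(val)
    return matched


def permitted_by(entries) -> set:
    """Union of what a list of (address, wildcard) permit entries admits."""
    allowed = set()
    for acl_addr, wildcard in entries:
        allowed |= matched_addresses(acl_addr, wildcard)
    return allowed


def as_ranges(addrs) -> list:
    """Collapse a set of addresses into sorted (first, last) ranges,
    which is what a reader of the config actually wants to know."""
    ranges = []
    for n in sorted(addrs):
        if ranges and ranges[-1][1] == n - 1:
            ranges[-1][1] = n
        else:
            ranges.append([n, n])
    return [(int_to_ip(a), int_to_ip(b)) for a, b in ranges]


def equivalent(entries_a, entries_b) -> bool:
    return permitted_by(entries_a) == permitted_by(entries_b)


# The two forms from the question (destination part only).
TWO_LINE = [("141.120.0.0", "0.0.7.255"), ("141.120.128.0", "0.0.7.255")]
ONE_LINE = [("141.120.0.0", "0.0.135.255")]


if __name__ == "__main__":
    print("141.120.9.2 matches one-liner:",
          wildcard_match("141.120.9.2", "141.120.0.0", "0.0.135.255"))
    for _, wc in TWO_LINE + ONE_LINE:
        print(wc, "contiguous:", wildcard_is_contiguous(wc))
    print("equivalent:", equivalent(TWO_LINE, ONE_LINE))
    print("one-liner admits:", as_ranges(permitted_by(ONE_LINE)))
```

Run stand-alone it confirms both points of the thread: the single statement admits exactly 141.120.0.0-141.120.7.255 and 141.120.128.0-141.120.135.255 and nothing else, so 141.120.9.2 falls through to the implicit deny, while the contiguity check still flags 0.0.135.255 as a mask that needs a comment next to it in the config.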