Let's see...
You don't care whether bit 16 (or is that 17 :?) is a 0 or a 1, right?
Then the wildcard bit can be 1 :)

A general statement would be:
    If you have two otherwise identical ACL statements with
    addresses that differ only in one bit position, then you
    can combine the ACLs into one with the mask having that
    bit position set to 1 (don't care).
You can then iterate the above for more consolidation.



>3) compare the result with the original IP address in the access-list

The actual logical compare that must be done is:

  Do the care bits of the ACL address
  match the care bits of the processed address.

(obviously :)

So, technically, the ACL address must also be ANDed with the mask
complement, in case the ACL address, as entered, doesn't have all the
don't-care bits set to 0.  Of course, this would only be done once, at
initialization, and the value stored.

IIRC, at least starting at some IOS version level, this is being done
automatically for you by IOS when it stores the ACL in the
configuration.  Thus, if you typed:

  access-list 101 tcp permit any 141.120.128.0 0.0.135.255

it would actually show up via a 'sh run' as

  access-list 101 tcp permit any 141.120.0.0 0.0.135.255

I'm not sure about this, though --
I'm sure that someone else will confirm/debunk it.



> the comparison fails

Still correct :)



-------------------------------------------------
Tks        | <mailto:[EMAIL PROTECTED]>
BV         | <mailto:[EMAIL PROTECTED]>
Sr. Technical Consultant,  SBM, A Gates/Arrow Co.
Vox 770-623-3430           11455 Lakefield Dr.
Fax 770-623-3429           Duluth, GA 30097-1511
=================================================





-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Nelluri Reddy
Sent: Saturday, March 03, 2001 12:56 PM
To: [EMAIL PROTECTED]
Subject: wildcard in access-list


I have two parts of a large network, the first part using 141.120.0.0
thru 141.120.7.255 and the second part using 141.120.128.0 thru
141.120.135.255. At the router connecting to Internet I want access from
outside limited only to these subnets and not to other addresses used. I
know that the following will work for TCP:

access-list 101 tcp permit any 141.120.0.0 0.0.7.255
access-list 101 tcp permit any 141.120.128.0 0.0.7.255

I want to condense this to a single statement as follows:

access-list 101 tcp permit any 141.120.0.0 0.0.135.255

Will this work?
For example 141.120.9.2 should not be allowed.
In binary 141.120.9.2 is 10001101.01111000.00001001.00000010.

My understanding of the steps of how the access-list works is:

1) perform a NOT on the mask, which gives in binary
      11111111.11111111.01111000.00000000
2) perform an AND between this and the IP address, which gives in binary
      10001101.01111000.00001000.00000000
3) compare the result with the original IP address in the access-list
      the comparison fails
4) if successful, allow, otherwise drop.
      so the packet is dropped.

Is the above correct?
I don't have a lab to test this. I would appreciate any help. Thanks.

Nelluri
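As an added illustration of both the care-bit comparison described in the reply and the one-bit consolidation rule it states (this is example code, not from either poster, and the function names are my own), the following Python uses the addresses from this thread and checks that 141.120.9.2 is indeed not matched by 141.120.0.0 0.0.135.255:

```python
import ipaddress

def _i(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))

def _s(value: int) -> str:
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))

def wildcard_match(acl_addr: str, wildcard: str, packet_addr: str) -> bool:
    """True if the care bits (wildcard bit 0) of packet_addr equal those of acl_addr."""
    care = ~_i(wildcard) & 0xFFFFFFFF            # NOT the mask: 1 = care, 0 = don't care
    # ANDing the ACL side too covers an ACL address whose don't-care bits were not typed as 0
    return (_i(acl_addr) & care) == (_i(packet_addr) & care)

def canonical_acl_addr(acl_addr: str, wildcard: str) -> str:
    """The stored form: don't-care bits cleared, e.g. 141.120.128.0 0.0.135.255 -> 141.120.0.0."""
    return _s(_i(acl_addr) & ~_i(wildcard))

def combine(entry1, entry2):
    """Merge two (addr, wildcard) entries with the same wildcard whose care bits differ in
    exactly one position; returns the merged (addr, wildcard) or None if they do not qualify."""
    (a1, w1), (a2, w2) = entry1, entry2
    if w1 != w2:
        return None
    c1, c2 = _i(canonical_acl_addr(a1, w1)), _i(canonical_acl_addr(a2, w2))
    diff = c1 ^ c2
    if diff == 0 or diff & (diff - 1):          # identical, or more than one bit differs
        return None
    new_w = _i(w1) | diff                       # mark that bit position as don't care
    return _s(c1 & ~new_w), _s(new_w)

def consolidate(entries):
    """Repeat pairwise merging until no two entries can be combined."""
    entries = list(entries)
    merged = True
    while merged:
        merged = False
        for i in range(len(entries)):
            for j in range(i + 1, len(entries)):
                new = combine(entries[i], entries[j])
                if new is not None:
                    entries = [e for k, e in enumerate(entries) if k not in (i, j)] + [new]
                    merged = True
                    break
            if merged:
                break
    return entries
```

`consolidate` goes one step beyond the thread by repeating the pairwise merge, so four /21 ranges that differ only in the 8 and 128 bits of the third octet collapse into a single entry with wildcard 0.0.143.255.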

_________________________________
FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
