Tac Certified Doc
Using Wildcard Masks in Access List Definitions
Question: How do I configure an access list to disallow network 10.90.0.0
255.255.0.0 from accessing 10.80.0.0 255.255.0.0, but allow it to access
others?
I've entered the following commands:
access-list 101 deny ip 10.90.0.0 255.255.0.0 10.80.0.0 255.255.0.0
access-list 101 permit ip any any
int vlan 90
ip access-group 101 out
But when I do a show run, I see the following:
access-list 102 deny ip 0.0.0.0 255.255.0.0 0.0.0.0 255.255.0.0
access-list 102 permit ip any any
Why does this happen?
Answer:
The problem is that you are using subnet masks rather than wildcard masks
in your access list definition.
A wildcard mask is just the opposite of a subnet mask: each time there is
a binary 1 in a subnet mask, you have to replace it with a 0 to get the
equivalent wildcard mask. In other words, if you have a subnet mask of
255.255.0.0, the equivalent wildcard mask is 0.0.255.255. The same idea applies
to a subnet mask of 255.255.255.252, which becomes 0.0.0.3 as a wildcard mask.
For your access list, you should enter the following lines into your
configuration:
access-list 101 deny ip 10.90.0.0 0.0.255.255 10.80.0.0 0.0.255.255
access-list 101 permit ip any any
Then type sh run to verify that the above lines are unchanged.
Last Modified: 30-NOV-99
All contents copyright © 1992--2001 Cisco Systems, Inc. Important Notices
and Privacy Statement.
-----Original Message-----
From: fgh [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 25, 2001 12:40 AM
To: [EMAIL PROTECTED]
Subject: Re: access list.. [7:13564]
He wants to block the range 128.252.0.0-128.252.240.0 and permit all else.
access-list 1 deny 128.252.0.0 0.0.240.255
access-list 1 permit any
I have a CCIE and a sniffer instructor sitting next to me and they verified
that the above commands work for blocking the range and permitting
everything else.
----- Original Message -----
From: Ayers, Michael
To: 'fgh' ;
Sent: Tuesday, July 24, 2001 3:04 PM
Subject: RE: access list.. [7:13564]
> That should be 0.0.15.255, but that allows 240, and you have it backwards;
> you need to permit the first line (access-list 1 deny 128.252.0.0
> 0.0.15.255), and then deny the class B, then permit all else
>
> -----Original Message-----
> From: fgh [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, July 24, 2001 1:02 PM
> To: [EMAIL PROTECTED]
> Subject: Re: access list.. [7:13564]
>
> access-list 1 deny 128.252.0.0 0.0.240.255
> access-list 1 permit any
>
> the 1st line blocks that range and the 2nd line allows all other traffic
>
>
> I think? Not positive though
>
>
> ----- Original Message -----
> From: Farhan Ahmed
> To:
> Sent: Tuesday, July 24, 2001 1:28 PM
> Subject: access list.. [7:13564]
>
>
> > What mask would be used if you want to create an
> > access list where the IP addresses (128.252.0.0 to
> > 128.252.240.0) would be blocked
> > pls support with explanation,
> Privileged/Confidential Information may be contained in this message or
> attachments hereto. Please advise immediately if you or your employer do
> not consent to Internet email for messages of this kind. Opinions,
> conclusions and other information in this message that do not relate to the
> official business of this company shall be understood as neither given nor
> endorsed by it.
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=13610&t=13564
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
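As an added example (not from the TAC document or from any post in this thread), the following Python script implements the subnet-mask-to-wildcard inversion the TAC answer describes, reproduces the 0.0.0.0 rewrite the questioner saw in show run, and checks which 128.252.x.0 addresses the two wildcards proposed in the thread (0.0.240.255 and 0.0.15.255) actually select; the probe addresses are constructed for the demonstration.

```python
from ipaddress import IPv4Address

def to_int(dotted: str) -> int:
    return int(IPv4Address(dotted))

def to_dotted(value: int) -> str:
    return str(IPv4Address(value))

def wildcard_from_subnet_mask(mask: str) -> str:
    """Wildcard mask is the bitwise inverse of the subnet mask: 255.255.0.0 -> 0.0.255.255."""
    return to_dotted(~to_int(mask) & 0xFFFFFFFF)

def normalize_entry(address: str, wildcard: str) -> str:
    """IOS zeroes every address bit the wildcard marks as 'don't care'. This is why
    'deny ip 10.90.0.0 255.255.0.0' shows up as '0.0.0.0 255.255.0.0' in show run."""
    return to_dotted(to_int(address) & ~to_int(wildcard) & 0xFFFFFFFF)

def acl_entry_matches(address: str, wildcard: str, candidate: str) -> bool:
    """A wildcard bit of 1 means 'ignore this bit'; 0 means it must equal the address bit."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(candidate) & care) == (to_int(address) & care)

def matched_third_octets(address: str, wildcard: str) -> list:
    """Third-octet values x for which the constructed probe 128.252.x.0 hits the entry."""
    return [x for x in range(256) if acl_entry_matches(address, wildcard, f"128.252.{x}.0")]

def is_block_wildcard(wildcard: str) -> bool:
    """True if the wildcard's 1 bits form a single low-order run, i.e. the entry selects
    one contiguous block of addresses rather than a scattered set."""
    w = to_int(wildcard)
    return w & (w + 1) == 0

if __name__ == "__main__":
    print(wildcard_from_subnet_mask("255.255.0.0"))      # 0.0.255.255
    print(normalize_entry("10.90.0.0", "255.255.0.0"))   # 0.0.0.0
    for wc in ("0.0.240.255", "0.0.15.255"):
        hits = matched_third_octets("128.252.0.0", wc)
        kind = "block" if is_block_wildcard(wc) else "scattered"
        print(wc, kind, hits[:5], "...", hits[-1])
```

Running it shows that 0.0.240.255 does not cover the contiguous 128.252.0.0 to 128.252.240.0 range: it matches only every sixteenth /24 (third octet 0, 16, 32, ... 240), while 0.0.15.255 matches a single contiguous block of sixteen.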