we wanted to block till 240

1-240



-----Original Message-----
From: Ole Drews Jensen [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 25, 2001 1:33 AM
To: [EMAIL PROTECTED]
Subject: RE: access list.. [7:13564]


Wouldn't the right answer be this:

ip access-list 101 deny 128.252.240.0 0.0.0.255

ip access-list 101 permit 128.252.240.0 0.0.240.255

ip access-list 101 deny 128.252.0.0 0.0.255.255

ip access-list 101 permit any

Line 1 would block .240
Line 2 would allow .240 thru .255
Line 3 would block .0 thru .255
Line 4 would allow the rest

Hth,

Ole

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Ole Drews Jensen
 Systems Network Manager
 CCNA, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
 http://www.RouterChief.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 NEED A JOB ???
 http://www.oledrews.com/job
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


-----Original Message-----
From: Ayers, Michael [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 24, 2001 4:06 PM
To: [EMAIL PROTECTED]
Subject: RE: access list.. [7:13564]


Only problem, your scenario should be to block all from 0 to 239 to make an
easy solution.




 -----Original Message-----
From:   Ayers, Michael  
Sent:   Tuesday, July 24, 2001 1:40 PM
To:     'Farhan Ahmed'; Ayers, Michael; [EMAIL PROTECTED]
Subject:        RE: access list.. [7:13564]

0.0.15.255 = 00000000 00000000 00001111 11111111

I only care what the first 20 bits are.  So 128.252 are 16 bits, we can
ignore them (they match visually).  The last octet is all 1s, so we can
ignore that also (don't care).

We also don't care what the last 4 bits are, so we do care what the first 4
are.  If we use 128.252.240.0,

we get 10000000 11111100 11110000 00000000 in binary.
We only want to focus on the 3rd octet 11110000.  

SO 
CARE  Don't Care         Decimal Number
1111    0000            240
1111    0001            241
1111    0010            242
1111    0011            243
1111    0100            244
1111    0101            245
1111    0110            246 
1111    0111            247
1111    1000            248
1111    1001            249
1111    1010            250
1111    1011            251
1111    1100            252
1111    1101            253
1111    1110            254
1111    1111            255

 -----Original Message-----
From:   Farhan Ahmed [mailto:[EMAIL PROTECTED]] 
Sent:   Tuesday, July 24, 2001 1:35 PM
To:     'Ayers, Michael'; [EMAIL PROTECTED]
Subject:        RE: access list.. [7:13564]

should be 0.0.15.255
but how?

-----Original Message-----
From: Ayers, Michael [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 25, 2001 12:27 AM
To: [EMAIL PROTECTED]
Subject: RE: access list.. [7:13564]


Your statement (access-list 101 deny ip 128.252.0.0 0.0.255.255
128.252.240.0 0.0.255.255), will AND off the 240 part, and still block all
of the class b



Thank You,


Michael Ayers
Network Engineer
OneNeck IT Services
(480) 539-2203
(800) 272-3077


 -----Original Message-----
From:   MikeN [mailto:[EMAIL PROTECTED]] 
Sent:   Tuesday, July 24, 2001 12:49 PM
To:     [EMAIL PROTECTED]
Subject:        Re: access list.. [7:13564]

Okay...... default masks meaning classful class B.
128.252.0.0 with a subnet mask of 255.255.0.0
 and
128.252.240.0  with a subnet mask of 255.255.0.0

On a router you would use the wildcard mask (inverse) of the subnet mask:

access-list 101 deny ip 128.252.0.0 0.0.255.255 128.252.240.0 0.0.255.255
access-list 101 permit ip any any
Then apply it to the interface with ip access-group 101 in or out depending
on what interface it is applied to.

It is easy to envision what the wildcard mask is and what it does if we view
the decimal numbers in binary format:
wildcard mask 0.0.255.255 = 00000000.00000000.11111111.11111111
0's = the part of the address that is interesting to the router; 1's = portion of
address the router isn't going to care about....this portion of the address
could be any number.

If you list the ip address in binary above the wildcard mask, it looks like
this:
       128   .     252     .      0        .      0
10000000.11111100.00000000.00000000
00000000.00000000.11111111.11111111
        0      .      0        .    252     .     252

The router will only view the portion of the address NOT blocked by 1's as
interesting: 128.252.x.x

You will need to grasp this concept before moving on to subnetting and
supernetting.

There are some excellent explanations for how this works in the Cisco Press
CCNA books.

To confirm, this is for routers and not the PIX ACLs.

HTH
MikeN


""Farhan Ahmed""  wrote in message
news:[EMAIL PROTECTED]...
> What mask would be used if you want to create an
> access list where the IP addresses (128.252.0.0 to
> 128.252.240.0) would be blocked
> pls support with explanation,
Privileged/Confidential Information may be contained in this message or
attachments hereto.  Please advise immediately if you or your employer do
not consent to Internet email for messages of this kind.  Opinions,
conclusions and other information in this message that do not relate to the
official business of this company shall be understood as neither given nor
endorsed by it.

[GroupStudy.com removed an attachment of type application/octet-stream which
had a name of Farhan Ahmed.vcf]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=13627&t=13564
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
