Let's take it line by line:


ip access-list 1 deny 128.252.240.0 0.0.0.255

Third Octet:

        Address    240    1111 0000
        Wildcard     0    0000 0000

Since all bits in the wildcard are 0, they must all match with the address,
so only one address will be included here = 240.


ip access-list 1 permit 128.252.240.0 0.0.15.255

Third Octet:

        Address    240    1111 0000
        Wildcard    15    0000 1111

Here the first four bits in the wildcard are 0, so they must match. The last
four bits are 1, so they are don't-care. So you will have from 1111 0000 through
1111 1111, or 240 to 255.


ip access-list 1 deny 128.252.0.0 0.0.255.255

Third Octet:

        Address      0    0000 0000
        Wildcard   255    1111 1111

None of the wildcard bits are 0, so this whole value is don't-care. It can be
from 0 to 255.


ip access-list 1 permit any


What is important here is that an access-list is read from the top down
until a match is found, and THEN IT EXITS. So if it meets a match, it will
not check the rest of the list.

Let's try to run this list with 0 thru 255.

In the first line, 240 is denied. Now we have 0 thru 239 and 241 thru 255
left.

In the second line, 241 thru 255 are permitted. Now we have 0 thru 239 left.

In the third line, 0 thru 239 are denied. We have none left.

Hth,

Ole

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Ole Drews Jensen
 Systems Network Manager
 CCNA, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
 http://www.RouterChief.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 NEED A JOB ???
 http://www.oledrews.com/job
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
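The first-match walk-through above, as an added example that is not part of Ole's post: a small Python simulator of Cisco wildcard matching and top-down ACL evaluation. It runs the same four entries (written here as a Python list, not in IOS syntax) over 128.252.x.0 for every x from 0 to 255 and groups the third-octet values by the entry that stopped them. The function names are mine; the implicit deny at the end of the list is standard IOS behaviour, but no packet reaches it with this list because the last entry permits any.

```python
import ipaddress


def wildcard_match(rule_addr: str, wildcard: str, candidate: str) -> bool:
    """Cisco wildcard-mask test.

    A 0 bit in the wildcard means "must match the rule address";
    a 1 bit means "don't care".  Mask the don't-care bits off both
    sides and compare what is left.
    """
    a = int(ipaddress.IPv4Address(rule_addr))
    w = int(ipaddress.IPv4Address(wildcard))
    c = int(ipaddress.IPv4Address(candidate))
    care = 0xFFFFFFFF ^ w          # invert the wildcard: 1 = must match
    return (a & care) == (c & care)


# The four entries from the post, as (action, address, wildcard).
# "permit any" is 0.0.0.0 255.255.255.255: every bit is don't-care.
ACL = [
    ("deny",   "128.252.240.0", "0.0.0.255"),
    ("permit", "128.252.240.0", "0.0.15.255"),
    ("deny",   "128.252.0.0",   "0.0.255.255"),
    ("permit", "0.0.0.0",       "255.255.255.255"),
]


def evaluate(acl, candidate: str):
    """Top down, first match wins, then stop.

    Returns (action, entry number).  An IOS list ends with an implicit
    deny; entry number None marks a packet that fell through to it.
    """
    for number, (action, addr, wildcard) in enumerate(acl, start=1):
        if wildcard_match(addr, wildcard, candidate):
            return action, number
    return "deny", None


def third_octet_sweep(acl, prefix: str = "128.252"):
    """Push prefix.x.0 for x in 0..255 through the list and group the x
    values by the (entry number, action) that stopped them.  Testing only
    the .0 host is enough here because no entry cares about the 4th octet."""
    hits = {}
    for x in range(256):
        action, number = evaluate(acl, f"{prefix}.{x}.0")
        hits.setdefault((number, action), []).append(x)
    return hits


if __name__ == "__main__":
    sweep = third_octet_sweep(ACL)
    # Sort by entry number; put the implicit deny (None) last.
    order = lambda item: item[0][0] if item[0][0] is not None else len(ACL) + 1
    for (number, action), values in sorted(sweep.items(), key=order):
        label = "implicit deny" if number is None else f"entry {number} ({action})"
        print(f"{label}: third octet {values[0]}..{values[-1]} "
              f"({len(values)} values)")
```

Running it reproduces the walk-through: entry 1 catches only 240, entry 2 catches 241 through 255, entry 3 catches 0 through 239, and entry 4 never fires for this class B. Swap the order of the first two entries and the sweep shows 240 now permitted, which is the whole reason the deny has to come first.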




-----Original Message-----
From: Farhan Ahmed [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 24, 2001 4:49 PM
To: 'Ole Drews Jensen'
Subject: RE: access list.. [7:13564]


Please say something about how to get the wildcard mask for an access list.


-----Original Message-----
From: Ole Drews Jensen [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 25, 2001 1:46 AM
To: [EMAIL PROTECTED]
Subject: RE: access list.. [7:13564]


Oops, I made an error - sorry.

It should be:

ip access-list 101 deny 128.252.240.0 0.0.0.255

ip access-list 101 permit 128.252.240.0 0.0.15.255

ip access-list 101 deny 128.252.0.0 0.0.255.255

ip access-list 101 permit any

Line 1 would block .240
Line 2 would allow .240 thru .255
Line 3 would block .0 thru .255
Line 4 would allow the rest

Hth,

Ole




-----Original Message-----
From: Ole Drews Jensen [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 24, 2001 4:33 PM
To: [EMAIL PROTECTED]
Subject: RE: access list.. [7:13564]


Wouldn't the right answer be this:

ip access-list 101 deny 128.252.240.0 0.0.0.255

ip access-list 101 permit 128.252.240.0 0.0.240.255

ip access-list 101 deny 128.252.0.0 0.0.255.255

ip access-list 101 permit any

Line 1 would block .240
Line 2 would allow .240 thru .255
Line 3 would block .0 thru .255
Line 4 would allow the rest

Hth,

Ole



-----Original Message-----
From: Ayers, Michael [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 24, 2001 4:06 PM
To: [EMAIL PROTECTED]
Subject: RE: access list.. [7:13564]


Only problem: your scenario should be to block all from 0 to 239 to make an
easy solution.




 -----Original Message-----
From:   Ayers, Michael  
Sent:   Tuesday, July 24, 2001 1:40 PM
To:     'Farhan Ahmed'; Ayers, Michael; [EMAIL PROTECTED]
Subject:        RE: access list.. [7:13564]

0.0.15.255 = 00000000 00000000 00001111 11111111

I only care what the first 20 bits are.  So 128.252 is 16 bits; we can
ignore them (they match visually).  The last octet is all 1s, so we can
ignore that also: don't care.

We also don't care what the last 4 bits are, so we do care what the first 4
are.  If we use 128.252.240.0,

we get 10000000 11111100 11110000 00000000 in binary.
We only want to focus on the 3rd octet: 11110000.

SO 
CARE  Don't Care         Decimal Number
1111    0000            240
1111    0001            241
1111    0010            242
1111    0011            243
1111    0100            244
1111    0101            245
1111    0110            246 
1111    0111            247
1111    1000            248
1111    1001            249
1111    1010            250
1111    1011            251
1111    1100            252
1111    1101            253
1111    1110            254
1111    1111            255

 -----Original Message-----
From:   Farhan Ahmed [mailto:[EMAIL PROTECTED]] 
Sent:   Tuesday, July 24, 2001 1:35 PM
To:     'Ayers, Michael'; [EMAIL PROTECTED]
Subject:        RE: access list.. [7:13564]

should be 0.0.15.255
but how?

-----Original Message-----
From: Ayers, Michael [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 25, 2001 12:27 AM
To: [EMAIL PROTECTED]
Subject: RE: access list.. [7:13564]


Your statement (access-list 101 deny ip 128.252.0.0 0.0.255.255
128.252.240.0 0.0.255.255) will AND off the 240 part, and still block all
of the class B.



Thank You,


Michael Ayers
Network Engineer
OneNeck IT Services
(480) 539-2203
(800) 272-3077


 -----Original Message-----
From:   MikeN [mailto:[EMAIL PROTECTED]] 
Sent:   Tuesday, July 24, 2001 12:49 PM
To:     [EMAIL PROTECTED]
Subject:        Re: access list.. [7:13564]

Okay...... default masks meaning classful class B.
128.252.0.0 with a subnet mask of 255.255.0.0
 and
128.252.240.0  with a subnet mask of 255.255.0.0

On a router you would use the wildcard mask (inverse) of the subnet mask:

access-list 101 deny ip 128.252.0.0 0.0.255.255 128.252.240.0 0.0.255.255
access-list 101 permit ip any any
Then apply it to the interface with ip access-group 101 in or out depending
on what interface it is applied to.

It is easy to envision what the wildcard mask is and what it does if we view
the decimal numbers in binary format:
wildcard mask 0.0.255.255 = 00000000.00000000.11111111.11111111
0's = the part of the address that is interesting to the router; 1's = the
portion of the address the router isn't going to care about. This portion of
the address could be any number.

If you list the IP address in binary above the wildcard mask, it looks like
this:
       128    .    252    .     0      .     0
    10000000 . 11111100 . 00000000 . 00000000
    00000000 . 00000000 . 11111111 . 11111111
        0    .     0     .    255    .    255

The router will only view the portion of the address NOT blocked by 1's as
interesting: 128.252.x.x

You will need to grasp this concept before moving on to subnetting and
supernetting.

There are some excellent explanations for how this works in the Cisco Press
CCNA books.

To confirm, this is for routers and not the PIX ACLs.

HTH
MikeN


"Farhan Ahmed" wrote in message news:[EMAIL PROTECTED]...
> What mask would be used if you want to create an
> access list where the IP addresses (128.252.0.0 to
> 128.252.240.0) would be blocked
> pls support with explanation,
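Farhan's question of how to get the wildcard mask, Michael Ayers' 240 through 255 table, and MikeN's inverse-of-the-subnet-mask rule, as an added example that is not part of any post in this thread: a Python helper that (a) inverts a subnet mask into a wildcard and (b) splits an arbitrary inclusive address range into the fewest aligned blocks, each of which is one address/wildcard pair. It goes beyond the thread's single case in that it handles ranges that are not one aligned block, such as 0 through 239 in the third octet, which cannot be written as a single entry. The function names, the reading of the original question as "block 128.252.0.0 through 128.252.239.255" (as Michael Ayers suggested), and the `access-list N deny ip <source> <wildcard> any` output form are my assumptions.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def wildcard_from_subnet_mask(mask: str) -> str:
    """Wildcard = bitwise inverse of the subnet mask
    (255.255.0.0 -> 0.0.255.255, 255.255.240.0 -> 0.0.15.255)."""
    m = int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(ALL_ONES ^ m))


def wildcard_entries(first: str, last: str):
    """Split the inclusive range first..last into the fewest aligned
    power-of-two blocks.  Each block is a network whose hostmask is exactly
    the Cisco wildcard for it: 0 bits are fixed, 1 bits are don't-care.
    A range that is one aligned block (240..255 in the third octet) gives
    one entry; an unaligned range (0..239) gives several."""
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last)
    if lo > hi:
        raise ValueError("range start is after range end")
    return [(str(n.network_address), str(n.hostmask))
            for n in ipaddress.summarize_address_range(lo, hi)]


def acl_lines(number: int, action: str, first: str, last: str) -> list:
    """Render the blocks as extended-ACL source-address entries.
    The 'access-list N <action> ip <src> <wc> any' form is an assumed
    rendering, not something the thread itself shows."""
    return [f"access-list {number} {action} ip {addr} {wc} any"
            for addr, wc in wildcard_entries(first, last)]


def covered(entries, address: str) -> int:
    """How many of the (address, wildcard) entries match the given address.
    For a correct decomposition every address inside the range hits exactly
    one entry and every address outside it hits none.  IPv4Network accepts a
    hostmask after the slash, which is exactly a contiguous wildcard."""
    target = ipaddress.IPv4Address(address)
    return sum(target in ipaddress.IPv4Network(f"{addr}/{wc}")
               for addr, wc in entries)


if __name__ == "__main__":
    # MikeN's rule: wildcard is the inverse of the classful mask.
    print(wildcard_from_subnet_mask("255.255.0.0"))
    # Michael Ayers' case: 240..255 in the third octet is one aligned block.
    print(wildcard_entries("128.252.240.0", "128.252.255.255"))
    # The rest of the class B, 0..239, is not aligned and needs four entries.
    for line in acl_lines(101, "deny", "128.252.0.0", "128.252.239.255"):
        print(line)
    print("access-list 101 permit ip any any")
```

The decomposition is the general form of the hand method in the thread: take the largest block that starts at the range's first address and fits inside the range, emit it, and repeat from the next address. Check the output with `covered` before deploying; a wildcard that is one bit too wide silently widens the deny to addresses you did not intend to block.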
Privileged/Confidential Information may be contained in this message or
attachments hereto.  Please advise immediately if you or your employer do
not consent to Internet email for messages of this kind.  Opinions,
conclusions and other information in this message that do not relate to the
official business of this company shall be understood as neither given nor
endorsed by it.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=13635&t=13564
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
