I am not sure why this discussion is starting all over a day or two after it
was done, but anyway - your answer is incorrect. Please see the explanation
below (again).


Let's take it line by line:


ip access-list 1 deny 128.252.240.0 0.0.0.255

Third Octet:

        Address   240   1111 0000
        Wildcard    0   0000 0000

Since all bits in the wildcard are 0, they must all match with the address,
so only one address will be included here = 240.


ip access-list 1 permit 128.252.240.0 0.0.15.255

Third Octet:

        Address   240   1111 0000
        Wildcard   15   0000 1111

Here the first four bits in the wildcard are 0, so they must match. The last
four bits are 1, so they don't care. So, you will have from 1111 0000 thru
1111 1111 or 240 to 255.


ip access-list 1 deny 128.252.0.0 0.0.255.255

Third Octet:

        Address     0   0000 0000
        Wildcard  255   1111 1111

None of the wildcard bits are 0, so this whole value is don't care. It can be
from 0 to 255.


ip access-list 1 permit any


What is important here is that an access-list is read from the top down
until a match is found, and THEN IT EXITS. So if it meets a match, it will
not check the rest of the list.

Let's try to run this list with 0 thru 255.

In the first line, 240 is denied. Now we have 0 thru 239 and 241 thru 255
left.

In the second line, 241 thru 255 is permitted. Now we have 0 thru 239 left.

In the third line, 0 thru 239 is denied. We have none left.

Hth,

Ole

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Ole Drews Jensen
 Systems Network Manager
 CCNA, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
 http://www.RouterChief.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 NEED A JOB ???
 http://www.oledrews.com/job
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
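
The walk-through above, as an added example that is not part of the original message: a small first-match evaluator that runs third-octet values 0 thru 255 through the four-line list and records which line decides each one. It also runs the two-line list from the quoted reply below. The entries are written in the "access-list 1 ..." form used in the quoted messages; the function names and the host octet .1 are assumptions made for the example.

```python
import ipaddress

def ip(text):
    return int(ipaddress.IPv4Address(text))

def parse(line):
    """Parse 'access-list N permit|deny ADDR WILDCARD' or '... any'."""
    parts = line.split()
    if parts[3] == "any":
        return parts[2], 0, 0xFFFFFFFF          # every bit is don't care
    return parts[2], ip(parts[3]), ip(parts[4])

def matches(src, addr, wildcard):
    # Wildcard bit 0 = must match the address, bit 1 = don't care.
    care = ~wildcard & 0xFFFFFFFF
    return (src & care) == (addr & care)

def evaluate(acl, src):
    """Return (action, line number) of the FIRST matching entry, then stop."""
    for number, line in enumerate(acl, 1):
        action, addr, wildcard = parse(line)
        if matches(ip(src), addr, wildcard):
            return action, number
    return "deny", None                          # implicit deny at the end

def walk(acl, prefix="128.252"):
    """Map each line number to the third-octet values that line decides."""
    hits = {n: [] for n in range(1, len(acl) + 1)}
    for octet in range(256):
        _, number = evaluate(acl, f"{prefix}.{octet}.1")
        hits.setdefault(number, []).append(octet)
    return hits

# The four-line list analysed line by line in the message above.
ANALYSED = [
    "access-list 1 deny 128.252.240.0 0.0.0.255",
    "access-list 1 permit 128.252.240.0 0.0.15.255",
    "access-list 1 deny 128.252.0.0 0.0.255.255",
    "access-list 1 permit any",
]
# The two-line list from the quoted reply (wildcard 240 = 1111 0000).
QUOTED = [
    "access-list 1 deny 128.252.0.0 0.0.240.255",
    "access-list 1 permit any",
]

if __name__ == "__main__":
    for name, acl in (("analysed", ANALYSED), ("quoted", QUOTED)):
        for number, octets in walk(acl).items():
            print(name, "line", number, "decides", octets)
```

For the quoted list, line 1 decides only the third-octet values whose low four bits are 0000, because the wildcard octet 240 makes the high four bits don't care.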


-----Original Message-----
From: Jeremy Wright [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 25, 2001 2:06 PM
To: [EMAIL PROTECTED]
Subject: Re: access list.. [7:13564]


deny range 128.252.0.0-128.252.240.0
permit all others

access-list 1 deny 128.252.0.0 0.0.240.255
access-list 1 permit any


----- Original Message -----
From: Farhan Ahmed 
To: 
Sent: Wednesday, July 25, 2001 1:35 PM
Subject: RE: access list.. [7:13564]


> solution2; will permit 1-240 range and the deny statement will deny the rest
> that's opposite....
>
> to get a wild mask
> we put higher minus lower
>
>   255.255.255.255
>   255.255.240.  0
>     0.  0. 15.255
>
> so the router will permit 1-240 instead....
>
> -----Original Message-----
> From: Hire, Ejay [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, July 25, 2001 9:22 PM
> To: 'Farhan Ahmed'; [EMAIL PROTECTED]
> Subject: RE: access list.. [7:13564]
>
>
> Objective:
> Create an Access list to block the source address range 128.252.0.0 to
> 128.252.240.0
>
> Solution 1:
> access-list 1 deny 128.252.0.0    0.0.127.255 Blocks 128.252.0-127.0-255
> access-list 1 deny 128.252.128.0  0.0.63.255  Blocks 128.252.128-191.0-255
> access-list 1 deny 128.252.192.0  0.0.31.255  Blocks 128.252.192-223.0-255
> access-list 1 deny 128.252.224.0  0.0.15.255  Blocks 128.252.224-239.0-255
> access-list 1 permit any                     Allows all other traffic to pass.
>
> Solution 2:
> access-list 1 permit 128.252.240.0 0.0.15.255 Permits 128.252.240-255.0-255
> access-list 1 deny 128.252.0.0 0.0.255.255 Denies traffic from 128.252 that
> is not permitted by the previous line
> access-list 1 permit any
>
> Notes:
> Both Solutions work, but solution 2 has less lines and will result in less
> processor utilization in most scenarios.
>
> -Ejay
>
>
>
> -----Original Message-----
> From: Farhan Ahmed [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, July 24, 2001 2:29 PM
> To: [EMAIL PROTECTED]
> Subject: access list.. [7:13564]
>
>
> What mask would be used if you want to create an
> access list where the IP addresses (128.252.0.0 to
> 128.252.240.0) would be blocked
> pls support with explanation,
>




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=13803&t=13564