Farhan,

You need to understand how this works, and the best thing to do is to grab a
pen and paper and write down the addresses, first in decimal and then in
binary. Let's try...

The numbers you wish to block here are 224 thru 239:

        224     : 1110 0000
        225     : 1110 0001
        226     : 1110 0010
        227     : 1110 0011
        228     : 1110 0100
        229     : 1110 0101
        230     : 1110 0110
        231     : 1110 0111
        232     : 1110 1000
        233     : 1110 1001
        234     : 1110 1010
        235     : 1110 1011
        236     : 1110 1100
        237     : 1110 1101
        238     : 1110 1110
        239     : 1110 1111

As you can see, this is an easy range, since the first four bits are the
same in the entire range, and the last four bits change from 0000 to 1111.

Since the first four bits are the same in the entire range, you can CARE
about them, and NOT CARE about the last four bits. Therefore, the address
must be 1110 0000, or 224 in decimal, and the wildcard mask must be 0000
1111, or 15 in decimal. Remember, in the wildcard mask 0 CARES and 1 DOESN'T.

You can test this now with any of the values written in decimal and binary
above. Let's take 233 for example.

        233     : 1110 1001 (the address trying to get through)
        224     : 1110 0000 (the deny address)
        15      : 0000 1111 (the deny wildcard)

Since the last four bits of the wildcard are 1's, you can ignore them, and
only concentrate on the 0's, because they are the ones that must match. The
0's represent the first four bits of the address, and as you can see,
address 233 will be stopped by the 224, because the first four bits are the
same in those two values.

Try to write this down on paper, and try all kinds of different addresses
to see what will be permitted and what will be denied.

The access-list answer to this will be:

        ip access-list 1 deny A.B.235.224 0.0.0.15
        ip access-list 1 permit any

which is also what TAC told you.

You need to understand this!

Hth,

Ole

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Ole Drews Jensen
 Systems Network Manager
 CCNA, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
 http://www.RouterChief.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 NEED A JOB ???
 http://www.oledrews.com/job
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
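The pen-and-paper check above, done in Python. This is an added example, not code from Ole's post or from any other message in this thread: it does the CARE/DON'T CARE comparison, the subnet-mask inversion TAC describes, and the top-down first-match walk Ole performs by hand further down the thread on the 128.252 lists. It goes a little beyond the posts by also running Jeremy's one-line proposal through the same walk. The 10.1 prefix standing in for "A.B" is an assumption; the posts never say what A.B is.

```python
"""Wildcard-mask matching and first-match ACL evaluation.

Added example; not code from any message in this thread.  The 10.1 prefix
standing in for "A.B" is an assumption (the posts never say what A.B is).
"""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _to_str(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def wildcard_match(candidate: str, acl_address: str, wildcard: str) -> bool:
    """True when every bit the wildcard marks 0 (CARE) is equal in
    candidate and acl_address; bits marked 1 (DON'T CARE) are ignored."""
    care = ALL_ONES ^ _to_int(wildcard)
    return (_to_int(candidate) & care) == (_to_int(acl_address) & care)


def subnet_mask_to_wildcard(mask: str) -> str:
    """Invert a subnet mask, as TAC describes: 255.255.255.240 -> 0.0.0.15."""
    return _to_str(ALL_ONES ^ _to_int(mask))


def covered_range(acl_address: str, wildcard: str) -> tuple:
    """Lowest and highest address an entry can match.

    This is a contiguous range only when the wildcard's 1 bits are
    contiguous at the low end (0.0.0.15, 0.0.15.255, ...).  A wildcard such
    as 0.0.240.255 matches scattered addresses, not everything in between,
    so use denied_third_octets() to see what such an entry really hits."""
    addr, wild = _to_int(acl_address), _to_int(wildcard)
    low = addr & (ALL_ONES ^ wild)
    return _to_str(low), _to_str(low | wild)


def evaluate(acl, candidate: str) -> str:
    """Walk the list from the top; the first matching line decides and the
    walk stops.  A packet that matches no line hits the implicit deny."""
    for action, address, wildcard in acl:
        if wildcard_match(candidate, address, wildcard):
            return action
    return "deny"  # implicit deny at the end of every IOS ACL


ANY = ("0.0.0.0", "255.255.255.255")  # what "permit any" expands to

# Ole's two-line answer for the proxy question (A.B assumed to be 10.1).
PROXY_ACL = [
    ("deny", "10.1.235.224", "0.0.0.15"),
    ("permit", *ANY),
]

# Ejay's Solution 2, which Ole walks through line by line further down.
SOLUTION_2 = [
    ("permit", "128.252.240.0", "0.0.15.255"),
    ("deny", "128.252.0.0", "0.0.255.255"),
    ("permit", *ANY),
]

# Jeremy's one-liner; its wildcard 0.0.240.255 is not a contiguous low mask.
JEREMY_ACL = [
    ("deny", "128.252.0.0", "0.0.240.255"),
    ("permit", *ANY),
]


def denied_third_octets(acl, prefix: str = "128.252") -> list:
    """Run prefix.N.1 for N in 0..255 through the list, as Ole does by hand,
    and return the third octets that end up denied."""
    return [n for n in range(256) if evaluate(acl, f"{prefix}.{n}.1") == "deny"]


if __name__ == "__main__":
    print(wildcard_match("10.1.235.233", "10.1.235.224", "0.0.0.15"))  # True
    print(subnet_mask_to_wildcard("255.255.255.240"))                  # 0.0.0.15
    print(covered_range("10.1.235.224", "0.0.0.15"))                   # .224 to .239
    print(denied_third_octets(SOLUTION_2)[-1])                         # 239
    print(denied_third_octets(JEREMY_ACL))                             # 0, 16, ..., 240
```

The last line is the caveat worth keeping in mind when someone hands you a wildcard that is not all 1s at the low end: 0.0.240.255 leaves the low four bits of the third octet as CARE bits, so that single deny line only hits third octets divisible by 16, not the whole 0 to 240 range.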

-----Original Message-----
From: Farhan Ahmed [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 26, 2001 2:44 AM
To: 'Ole Drews Jensen'
Cc: '[EMAIL PROTECTED]'
Subject: RE: access list.. [7:13564]


2nd one permit or deny?

also

http://www.boson.com/promo/guides/ip-access-list.htm

Here is what TAC says:
IP Extended Access Lists

Question: I tried to compile an access list which will only allow a certain
IP range access to the proxy server in a subnet. What wild card can I use to
accomplish this task?

IP info: subnet (class b) A.B.235.0 with subnet mask 255.255.255.0. The proxy
server's address is A.B.119.100. The address range I want to block the access
to the proxy is A.B.235.224 to A.B.235.239. I know 255.255.255.230 will give
me the address range, but just couldn't figure out the wild card for that.

Answer:

255.255.255.240 will give you the address range for that. To turn this
into an access list mask, just invert the bits in the normal subnet mask.

For example, 255.255.255.240 = 11111111.11111111.11111111.11110000

In the access list mask, this will be: 00000000.00000000.00000000.00001111.

So, the equivalent access list mask in decimal format will be: "0.0.0.15".

Within your access list, to cover this range, you will deny:

A.B.235.224 0.0.0.15

Last Modified: 12-JUN-98


All contents copyright © 1992-2001 Cisco Systems, Inc. Important Notices
and Privacy Statement.

> -----Original Message-----
> From: Ole Drews Jensen [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, July 25, 2001 11:44 PM
> To: [EMAIL PROTECTED]
> Subject: RE: access list.. [7:13564]
> 
> 
> I am not sure why this discussion is starting all over a day or two after
> it was done, but anyway - your answer is incorrect. Please see the
> explanation below (again).
> 
> Let's take it line by line:
> 
> 
> ip access-list 1 deny 128.252.240.0 0.0.0.255
> 
> Third Octet:
> 
>       Address  240    1111 0000
>       Wildcard   0    0000 0000
> 
> Since all bits in the wildcard are 0, they must all match with the
> address, so only one address will be included here = 240.
> 
> 
> ip access-list 1 permit 128.252.240.0 0.0.15.255
> 
> Third Octet:
> 
>       Address  240    1111 0000
>       Wildcard  15    0000 1111
> 
> Here the first four bits in the wildcard are 0, so they must match. The
> last four bits are 1, so they don't care. So, you will have from 1111 0000
> thru 1111 1111 or 240 to 255.
> 
> 
> ip access-list 1 deny 128.252.0.0 0.0.255.255
> 
> Third Octet:
> 
>       Address    0    0000 0000
>       Wildcard 255    1111 1111
> 
> None of the wildcard bits are 0, so this whole value doesn't care. It can
> be from 0 to 255.
> 
> 
> ip access-list 1 permit any
> 
> 
> What is important here is that an access-list is read from the top down
> until a match is found, and THEN IT EXITS. So if it meets a match, it will
> not check the rest of the list.
> 
> Let's try to run this list with 0 thru 255.
> 
> In the first line, 240 is denied. Now we have 0 thru 239 and 241 thru 255
> left.
> 
> In the second line, 241 thru 255 is permitted. Now we have 0 thru 239 left.
> 
> In the third line, 0 thru 239 is denied. We have none left.
> 
> Hth,
> 
> Ole
> 
> 
> 
> -----Original Message-----
> From: Jeremy Wright [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, July 25, 2001 2:06 PM
> To: [EMAIL PROTECTED]
> Subject: Re: access list.. [7:13564]
> 
> 
> deny range 128.252.0.0-128.252.240.0
> permit all others
> 
> access-list 1 deny 128.252.0.0 0.0.240.255
> access-list 1 permit any
> 
> 
> ----- Original Message -----
> From: Farhan Ahmed 
> To: 
> Sent: Wednesday, July 25, 2001 1:35 PM
> Subject: RE: access list.. [7:13564]
> 
> 
> > solution2; will permit 1-240 range and the deny statement will deny the
> > rest
> > that's opposite....
> >
> > to get a wild mask
> > we put higher minus lower
> >
> >    255.255.255.255
> >  - 255.255.240.  0
> >    ---------------
> >      0.  0. 15.255
> >
> > so the router will permit 1-240 instead....
> >
> > -----Original Message-----
> > From: Hire, Ejay [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, July 25, 2001 9:22 PM
> > To: 'Farhan Ahmed'; [EMAIL PROTECTED]
> > Subject: RE: access list.. [7:13564]
> >
> >
> > Objective:
> > Create an Access list to block the source address range 128.252.0.0 to
> > 128.252.240.0
> >
> > Solution 1:
> > access-list 1 deny 128.252.0.0    0.0.127.255   Blocks 128.252.0-127.0-255
> > access-list 1 deny 128.252.128.0  0.0.63.255    Blocks 128.252.128-191.0-255
> > access-list 1 deny 128.252.192.0  0.0.31.255    Blocks 128.252.192-223.0-255
> > access-list 1 deny 128.252.224.0  0.0.15.255    Blocks 128.252.224-239.0-255
> > access-list 1 permit any                        Allows all other traffic to pass.
> >
> > Solution 2:
> > access-list 1 permit 128.252.240.0 0.0.15.255   Permits 128.252.240-255.0-255
> > access-list 1 deny 128.252.0.0 0.0.255.255      Denies traffic from 128.252 that
> >                                                 is not permitted by the previous line
> > access-list 1 permit any
> >
> > Notes:
> > Both Solutions work, but solution 2 has fewer lines and will result in
> > less processor utilization in most scenarios.
> >
> > -Ejay
> >
> >
> >
> > -----Original Message-----
> > From: Farhan Ahmed [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, July 24, 2001 2:29 PM
> > To: [EMAIL PROTECTED]
> > Subject: access list.. [7:13564]
> >
> >
> > What mask would be used if you want to create an
> > access list where the IP addresses (128.252.0.0 to
> > 128.252.240.0) would be blocked
> > pls support with explanation,
> >
> > [GroupStudy.com removed an attachment of type application/octet-stream
> > which had a name of Farhan Ahmed.vcf]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=13868&t=13564
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]