you want to block 172.16-31.0.0

16    0001 0000
17    0001 0001
18    0001 0010
19    0001 0011
20    0001 0100
21    0001 0101
22    0001 0110
23    0001 0111
24    0001 1000
25    0001 1001
26    0001 1010
27    0001 1011
28    0001 1100
29    0001 1101
30    0001 1110
31    0001 1111

From that you notice that the first 4 bits of the second octet never
change - they are always 0001. Those are the bits you do not want to touch.
Those are the "care bits". The last four bits of the second octet are the
ones that are changing - those bits could be either 0 or 1. It does not
matter. They are the "don't care bits".
The "don't care bits" in the wildcard mask are replaced by ones. The "care bits"
are replaced by zeroes.

You want the first octet to be 172 and nothing else - you are caring
You want the first four bits of the second octet to be 0001 and nothing
else - you are caring about those first four bits.
You allow the last four bits of the second octet to either take the value 1
or 0 - you are not caring about their values
You are not caring about the third octet
You are not caring about the fourth octet


Now the wildcard mask should be:

0000 0000   0000 1111   1111 1111   1111 1111
    0          15          255         255


You have 172.16.0.0    0.15.255.255

To verify that your mask is working accordingly, you OR the two values. It
gives:

1010 1100   0001 0000  0000 0000   0000 0000        (172.16.0.0)
0000 0000   0000 1111  1111 1111   1111 1111        (0.15.255.255)

1010 1100   0001 1111  1111 1111   1111 1111        (172.31.255.255)


Now you test, for example, 172.20.0.0. OR this value with the wildcard mask:

1010 1100   0001 0100  0000 0000   0000 0000        (172.20.0.0)
0000 0000   0000 1111  1111 1111   1111 1111        (0.15.255.255)

1010 1100   0001 1111  1111 1111   1111 1111        (172.31.255.255)

This is the same value. You could repeat the operation with any values in
your range and it will always give you the same (172.31.255.255) when ORed with
the wildcard mask.

Finally you should have:

access-list 90 deny 172.16.0.0 0.15.255.255
access-list 90 permit any











"IT Guy" wrote in message news:
[EMAIL PROTECTED]
> Hi everyone,
>
> Just wondering how I can block whole range from 172.16.0.0 to 172.31.255.255
> using one ACL??
>
> My guess is it should be,
>
> access-list 90 permit 172.16.0.0 0.240.255.255  ?? Please comment??
>
>
> Thkx
>
> Tom
>




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=39354&t=39334
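
The care / don't-care derivation and the OR check from the reply above, as an added Python example that is not part of the original thread. The function names are made up for illustration; the two wildcard values tested are the ones that appear in the thread.

```python
import ipaddress

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_for_range(first, last):
    """Wildcard mask for first..last; ValueError if one ACL entry cannot cover it exactly."""
    lo, hi = to_int(first), to_int(last)
    wildcard = lo ^ hi          # bits that change across the range: "don't care" = 1
    # The changing bits must be 0 in the first address and form one run of
    # low-order ones, otherwise base/wildcard matches more or less than the range.
    if lo & wildcard or wildcard & (wildcard + 1):
        raise ValueError("range needs more than one base/wildcard entry")
    return str(ipaddress.IPv4Address(wildcard))

def matches(addr, base, wildcard):
    """The reply's check: ORing with the wildcard must give the same value as the base."""
    w = to_int(wildcard)
    return (to_int(addr) | w) == (to_int(base) | w)

def second_octets_matched(base, wildcard):
    """Second-octet values n for which 172.n.0.0 matches base/wildcard."""
    return [n for n in range(256) if matches(f"172.{n}.0.0", base, wildcard)]

if __name__ == "__main__":
    print(wildcard_for_range("172.16.0.0", "172.31.255.255"))
    print(second_octets_matched("172.16.0.0", "0.15.255.255"))
    print(second_octets_matched("172.16.0.0", "0.240.255.255"))
```

Running it lists which 172.n.0.0 networks each wildcard covers, which makes a misplaced mask visible before the ACL is applied to an interface.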