Paul,

You need to understand the wildcard format for access-lists. The best way to
do this is to convert your IP addresses to binary.

The beginning range address is 192.168.1.10
The ending range address is 192.168.1.15

We can quickly see that the first three octets are the same, so let's
concentrate on the fourth.

Range is:

        10      : 0000 1010
        11      : 0000 1011
        12      : 0000 1100
        13      : 0000 1101
        14      : 0000 1110
        15      : 0000 1111

As you can see, the left five bits stay the same, so you have to tell the
access-list not to care about the right three bits.

In a wildcard mask, the 0's represent that the bit value MUST be as
specified, and the 1's represent that it doesn't care about the bit value.

So we must create a wildcard for the fourth octet that looks like this:

        0000 0111 = 7

As for the first three octets, they must all match, so that's easy: 0.0.0

Now you have a wildcard mask that looks like this: 0.0.0.7

Since the left five bits were the same for range 10-15, let's take those five
bits 00001 and fill zeros to the right 000 = 0000 1000 or 8. That's the
value we want to use for the fourth octet in the IP address.

And the access-list would look like this:

        access-list 110 permit tcp 192.168.1.8 0.0.0.7 ....

The only problem with this is that this will also allow .8 and .9, so if
you wish to deny those two addresses, you must do some more matching:

        .8      = 0000 1000
        .9      = 0000 1001

As you can see, the only bit that changes is the right one, so if you do a
wildcard octet of:

        0000 0001

You can test for that.

Let's correct our access-list statements:

        access-list 110 deny tcp 192.168.1.8 0.0.0.1 ......
        access-list 110 permit tcp 192.168.1.8 0.0.0.7 ......

As you can see, it's a little tricky to calculate, but once you have it
down, it can be almost a fun little task to do. The best thing to do in the
beginning is to write the whole address range down in binary and look at
the bits. That way you can see which ones change, and which ones stay the
same. Sometimes you can cut a lot of statements down by looking at the
pattern and creating some good wildcard masks, but that is both good and
bad. It is good because it makes the access-list filter faster, but it's bad
because it can be hard to read the next time you need to reconfigure
something.

Hth,

Ole

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Ole Drews Jensen
 Systems Network Manager
 CCNP, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 http://www.RouterChief.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Need a Job?
 http://www.OleDrews.com/job
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
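The bit-level reasoning in the reply above, written out as an added Python example (it is not part of Ole's post or of any Cisco tool, and the function names are my own): one function enumerates which addresses an address/wildcard pair really covers (it shows why Paul's `192.168.1.10 0.0.0.6` does not mean "10 to 15"), one computes the fewest permit entries that cover a range exactly, and one walks an ordered ACL with first-match semantics so the deny-then-permit pair can be checked address by address.

```python
from ipaddress import IPv4Address


def wildcard_matches(address: str, wildcard: str) -> list[str]:
    """List every address an 'address wildcard' pair covers.

    A 0 bit in the wildcard must equal the address bit; a 1 bit is
    "don't care", so the result is every combination of those bits.
    """
    base, wild = int(IPv4Address(address)), int(IPv4Address(wildcard))
    fixed = base & ~wild                      # the bits that must match
    free_bits = [1 << i for i in range(32) if wild & (1 << i)]
    matches = []
    for combo in range(1 << len(free_bits)):  # 2**n ways to set free bits
        value = fixed
        for i, bit in enumerate(free_bits):
            if combo & (1 << i):
                value |= bit
        matches.append(value)
    return [str(IPv4Address(v)) for v in sorted(matches)]


def range_to_wildcards(first: str, last: str) -> list[tuple[str, str]]:
    """Cover first..last (inclusive) exactly with the fewest address/wildcard
    pairs using permit entries only.

    Greedy walk: from the current address take the largest block of 2**k
    addresses that starts on a 2**k boundary and does not run past `last`.
    """
    cur, end = int(IPv4Address(first)), int(IPv4Address(last))
    entries = []
    while cur <= end:
        k = 0
        while k < 32 and cur % (2 << k) == 0 and cur + (2 << k) - 1 <= end:
            k += 1
        entries.append((str(IPv4Address(cur)), str(IPv4Address((1 << k) - 1))))
        cur += 1 << k
    return entries


def first_match(acl: list[tuple[str, str, str]], address: str) -> str:
    """Evaluate an ordered ACL of (action, address, wildcard) entries the
    way the router does: first match wins, no match hits the implicit deny."""
    target = int(IPv4Address(address))
    for action, addr, wild in acl:
        care = ~int(IPv4Address(wild))        # 1 where the bit must match
        if target & care == int(IPv4Address(addr)) & care:
            return action
    return "deny"
```

For 192.168.1.10 to .15 the greedy cover is two permit entries (`.10 0.0.0.1` and `.12 0.0.0.3`), the same line count as the deny/permit pair in the reply but without an explicit deny to keep in the right order.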




-----Original Message-----
From: r Paul [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 09, 2002 3:12 AM
To: [EMAIL PROTECTED]
Subject: Help with extended access lists [7:40904]


Hello wondered if anyone can explain.

I have extended access lists working fine.

I have a few blocks of IP addresses I want to add to the list and they are not all
consecutive. What I want to do is use the minimum entry to cover each block,
i.e.

Say I had several like this: 192.168.1.10 to 15, etc. etc.

I want to make a single entry for every consecutive block. I do not own the
whole range or subnet. Can I do something like this?

access list 101 permit tcp 192.168.1.10 0.0.0.6 193.26.1.52 eq www

What I am wanting to clarify is if I have the wildcard bit right. In the above
example I was hoping that 0.0.0.6 would be 6 addresses (192.168.1.10 to
15). Have I understood this right? I do not want to match the whole subnet with
0.0.0.255, but that is the only other example I have seen.

Many thanks

Paul




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=40913&t=40904
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
