These examples are the same except for the prefix length of the permit statement:
access-list 100 permit ip 192.108.0.0 0.0.0.0 255.255.0.0 0.0.0.0
access-list 100 deny ip 192.108.0.0 0.0.255.255 255.255.0.0 0.0.255.255

access-list 101 permit ip 131.108.0.0 0.0.0.0 255.255.255.0 0.0.0.0
access-list 101 deny ip 131.108.0.0 0.0.255.255 255.255.0.0 0.0.255.255

In each, only a single route (/16 in the 1st e.g. and /24 in the 2nd e.g.) is being
permitted and all other VLSM subnets under the /16 are being denied. Since the
wildcard mask bits in the second octets are set to 1, any subnet/mask combo under
the /16 will match and be denied.

I don't have any sort of training experience so perhaps someone can break it
down better???

Charles

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Hunt Lee
Sent: Thursday, June 27, 2002 6:57 PM
To: [EMAIL PROTECTED]
Subject: Re: Neighbor distribute-list command w/ Extended ACL [7:47272]

Hello Charles,

Sorry to do this to you, but I still have one more e.g. that I'm not too sure
(I found this on CCO) :(

access-list 101 permit ip 131.108.0.0 0.0.0.0 255.255.255.0 0.0.0.0

In this line, I understand that since the wildcard mask for both network & mask
are 0.0.0.0, it means that it will permit only 131.108.0.0 /24

access-list 101 deny ip 131.108.0.0 0.0.255.255 255.255.0.0 0.0.255.255

And in this line, which is what I'm confused about, I thought that on network,
it will deny 131.108.0.1 to 131.108.255.254, while the prefix being denied is
between /16 - /32. However, Cisco CCO said it will permit route 131.108.0/24
(which I understand), ... but deny 131.108/16 and all other subnets of
131.108.0.0

Thanks for your help again.

Best Regards,
Hunt Lee

"Charles D Hammonds" wrote in message news:[EMAIL PROTECTED]...
> Hunt-
>
> > access-list 100 deny ip 192.108.0.0 0.0.255.255 255.255.0.0 0.0.255.255
>
> Remember that the wildcard mask is used to define which bits of the network
> and mask fields to ignore. These bits are set to '1'. So, in this example,
> the last 2 octets in both the src (network) and dest (mask) fields are ignored
> as all the bits in these octets are set to 1. Only the first 2 octets are
> compared so that any subnet/mask combo beneath the /16 will be denied.
>
> Hope this helps.
>
> Regards,
> Charles
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> Hunt Lee
> Sent: Tuesday, June 25, 2002 4:58 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Neighbor distribute-list command w/ Extended ACL [7:47272]
>
> Hi Charles,
>
> Thanks so much for your explanation. I understand your first e.g., but I'm
> still confused how you get to the answer to the 2nd e.g., can you please
> elaborate a bit more on the steps for the 2nd e.g.??
>
> Thanks for your help again.
>
> Best Regards,
> Hunt Lee
>
> "Charles D Hammonds" wrote in message
> news:[EMAIL PROTECTED]...
> > The statement
> >
> > access-list 100 permit ip 192.108.0.0 0.0.0.0 255.255.0.0 0.0.0.0
> >
> > could also be re-written as:
> >
> > access-list 100 permit ip host 192.108.0.0 host 255.255.0.0
> >
> > which means that only the aggregate /16 will be accepted.
> >
> > The second statement:
> >
> > access-list 100 deny ip 192.108.0.0 0.0.255.255 255.255.0.0 0.0.255.255
> >
> > denies the VLSM networks under the /16.
> >
> > Charles
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> > Dain Deutschman
> > Sent: Sunday, June 23, 2002 9:05 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: Neighbor distribute-list command w/ Extended ACL [7:47272]
> >
> > It's kind of weird. The source portion of the access list defines the
> > network whose updates are permitted/denied...no surprise...the weird part is
> > that the destination portion specifies the subnet mask of that network. So,
> > in your example;
> >
> > access-list 100 permit ip 192.108.0.0 0.0.0.0 255.255.0.0 0.0.0.0
> > ( 192.108.0.0 [wildcard] 0.0.0.0 [subnet mask] 255.255.0.0 [wildcard] 0.0.0.0 )
> > ( 192.108.0.0/16 will be advertised )
> >
> > Maybe someone else can jump in...because the wildcard is 0.0.0.0 does it
> > mean that any other VLSM networks under the 192.108.0.0/16 supernet would
> > also be advertised?
> >
> > access-list 100 deny ip 192.108.0.0 0.0.255.255 255.255.0.0 0.0.255.255
> > ( 192.108.0.0 [wildcard] 0.0.255.255 [subnet mask] 255.255.0.0 [wildcard] 0.0.255.255 )
> > ( 192.108.0.0/16 would be denied...the last two octets are ignored )
> >
> > I'm new to all this and learning it myself...so please...someone correct me
> > if I am wrong or add to my comments. Thanks. Dain.
> >
> > "Hunt Lee" wrote in message
> > news:[EMAIL PROTECTED]...
> > > Hi all,
> > >
> > > Can anyone please explain this to me?? I have read some examples regarding
> > > neighbor x.x.x.x distribute-list in | out using extended Access-List
> > > from CCO, Internet Routing Arch (by Halabi) & BGP 4 Command & Reference (by
> > > Parkhurst), yet I'm still very confused.
> > >
> > > Below is one of them
> > >
> > > neighbor 120.23.4.1 distribute-list 100 in
> > >
> > > access-list 100 permit ip 192.108.0.0 0.0.0.0 255.255.0.0 0.0.0.0
> > >
> > > access-list 100 deny ip 192.108.0.0 0.0.255.255 255.255.0.0 0.0.255.255
> > >
> > > How do you read these things?? Any help will be greatly appreciated.
> > >
> > > Thanks,
> > >
> > > Hunt

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=47987&t=47272
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
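To make the matching rule discussed in this thread concrete, here is an added example (not from the thread, from Cisco, or from CCO) that evaluates a route against the two access lists above the way a BGP neighbor distribute-list reads an extended ACL: the "source" field and its wildcard are tested against the route's network address, the "destination" field and its wildcard against the route's subnet mask, wildcard bits set to 1 are ignored, and a route that matches no entry falls to the implicit deny. The helper names and the `evaluate` function are this example's own.

```python
import ipaddress
from typing import List, Tuple

# Added example, not code from the thread. Models how an extended ACL applied with
# "neighbor x.x.x.x distribute-list N in|out" is read: the "source" field and its
# wildcard are compared against the route's network address, the "destination"
# field and its wildcard against the route's subnet mask.

ACL_100 = [  # the two access lists discussed in the thread
    "access-list 100 permit ip 192.108.0.0 0.0.0.0 255.255.0.0 0.0.0.0",
    "access-list 100 deny ip 192.108.0.0 0.0.255.255 255.255.0.0 0.0.255.255",
]
ACL_101 = [
    "access-list 101 permit ip 131.108.0.0 0.0.0.0 255.255.255.0 0.0.0.0",
    "access-list 101 deny ip 131.108.0.0 0.0.255.255 255.255.0.0 0.0.255.255",
]

def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))

def _wildcard_match(value: int, pattern: int, wildcard: int) -> bool:
    # Wildcard bits set to 1 are ignored; every other bit must be equal.
    return (value & ~wildcard) == (pattern & ~wildcard)

def parse_ace(line: str) -> Tuple[str, int, int, int, int]:
    # Accepts only "access-list N permit|deny ip NET NET-WILD MASK MASK-WILD".
    parts = line.split()
    if (len(parts) != 8 or parts[0] != "access-list" or parts[3] != "ip"
            or parts[2] not in ("permit", "deny")):
        raise ValueError(f"unsupported entry: {line!r}")
    net, net_wild, mask, mask_wild = (_to_int(p) for p in parts[4:8])
    return parts[2], net, net_wild, mask, mask_wild

def evaluate(acl: List[str], prefix: str) -> str:
    """Return 'permit' or 'deny' for a route written as 'a.b.c.d/len'."""
    route = ipaddress.IPv4Network(prefix, strict=True)
    addr, mask = int(route.network_address), int(route.netmask)
    for line in acl:  # first matching entry wins, as on the router
        action, net, net_wild, ent_mask, mask_wild = parse_ace(line)
        if (_wildcard_match(addr, net, net_wild)
                and _wildcard_match(mask, ent_mask, mask_wild)):
            return action
    return "deny"  # implicit deny at the end of every access list

if __name__ == "__main__":
    for acl, p in ((ACL_100, "192.108.0.0/16"), (ACL_100, "192.108.1.0/24"),
                   (ACL_101, "131.108.0.0/24"), (ACL_101, "131.108.0.0/16")):
        print(f"{p:18} -> {evaluate(acl, p)}")
```

Running it shows 192.108.0.0/16 permitted by list 100 while 192.108.1.0/24 is denied, and 131.108.0.0/24 permitted by list 101 while the /16 itself is denied, which is the CCO behaviour Hunt quoted.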