Jason Steig wrote:

> so you're saying that my statement
> ip access-list 1 permit ip 192.17.73.0 0.191.251.0 will permit
> all hosts from network 192.17.73.0 and 192.81.73.0??
>
> 17 is 00010001
> 81 is 01010001
You corrected my typo on 81. That's good. :-)

> so the bit it doesn't match on is the 64 bit. so i just have
> to switch it around if you're saying the ones don't count

No, see my second message. You don't have to switch it around.

A zero in the access-list mask means a bit in the same position in an address in an incoming (or outgoing) packet must match the bit in the address you specify in the access list. (That's a complicated sentence, but read it again if you don't get it. You must understand it to grapple with Cisco access-list masks that show up everywhere in Cisco IOS.)

A one in the access-list mask means that a bit in the same position in an address in a packet doesn't need to match the bit in the address you specify in the access list.

A bit in the 2^6 position (64 in decimal) could be either one or zero in your example if you want either decimal 17 or 81 to match. So we need to make sure that in the access-list mask we say we don't care which it is, a one or a zero, so we use one in the access-list mask. One means I don't care; it can be either one or zero. But the other bits must match to catch both decimal 17 and 81 and nothing more. So the mask for that part is 01000000 or 64 in decimal.

> so it would be 0.191.251.0 ??
>
> because if the zeros must match and ones don't count then that
> would be it then??
>
> or is it 0.192.252.255 because the last octet is 255 so it
> allows all hosts?

Yes, if you want all hosts, then you don't care if the bits in that part of the address in a packet are one or zero, so you better use all ones (255 in decimal) in that part of the access-list mask.

So, the answer is 0.64.4.255.

Absolutely, do NOT use some stupid subnet calculator to do this. :-) You have to work it out in binary and you have to understand access-list masks.

By the way, in real networks, we summarize addresses. If you really had to set up an access list that would allow or deny those two disparate networks, you should fire your network designer.
In the past we made a big deal out of the need to summarize in order to enhance performance and reduce routing table sizes and update packets. These days, the need to summarize is even more important for security reasons. The last thing you want is to have to spend hours with confused engineers (like me! ;-) trying to figure out access lists. You want the access lists to be simple and easy to get working. If you don't summarize addresses, your access lists can't be simple.

Priscilla

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63767&t=63644
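The matching rule Priscilla describes (a 0 bit in the wildcard mask means "must match", a 1 bit means "don't care") can be checked mechanically. The following is an added example, not code from the thread or from anyone on the list: it applies that rule to the two /24 networks exactly as Jason quoted them (192.17.73.0 and 192.81.73.0), derives the wildcard from the XOR of the network parts, and enumerates every prefix a given entry admits, which is the "and nothing more" check from the discussion. All function names are my own; the host portion is assumed to be the last octet.

```python
# Added example: Cisco-style wildcard (access-list) mask arithmetic.
# A wildcard mask is the inverse of a subnet mask: 0 = this bit of the packet
# address must equal the ACL address bit, 1 = don't care.
from itertools import product
from typing import Iterable, List


def to_int(dotted: str) -> int:
    """Dotted-quad string -> 32-bit integer, rejecting out-of-range octets."""
    octets = [int(x) for x in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad address {dotted}")
    a, b, c, d = octets
    return (a << 24) | (b << 16) | (c << 8) | d


def to_dotted(value: int) -> str:
    """32-bit integer -> dotted-quad string."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def matches(packet_addr: str, acl_addr: str, wildcard: str) -> bool:
    """True if packet_addr is matched by the ACL entry `acl_addr wildcard`.
    Bits where the wildcard is 0 must be equal; bits where it is 1 are ignored."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(packet_addr) & care) == (to_int(acl_addr) & care)


def wildcard_for(networks: Iterable[str], host_bits: int = 0) -> str:
    """Smallest wildcard that matches every network in `networks`.
    Every bit position where the networks disagree must be 1 (don't care);
    the low `host_bits` bits are set to 1 so that all hosts in each network match."""
    nets = [to_int(n) for n in networks]
    differing = 0
    for n in nets[1:]:
        differing |= nets[0] ^ n          # XOR marks the bits that differ
    host_mask = (1 << host_bits) - 1
    return to_dotted(differing | host_mask)


def admitted_count(wildcard: str) -> int:
    """Number of distinct addresses an entry with this wildcard matches:
    2 raised to the number of 1 bits in the wildcard."""
    return 1 << bin(to_int(wildcard)).count("1")


def admitted_networks(acl_addr: str, wildcard: str, host_bits: int = 8) -> List[str]:
    """Enumerate the network prefixes the entry matches (host bits ignored),
    so you can see whether it lets through more networks than you intended."""
    w = to_int(wildcard) >> host_bits
    base = (to_int(acl_addr) >> host_bits) & ~w
    free_positions = [i for i in range(32 - host_bits) if (w >> i) & 1]
    result = []
    for bits in product((0, 1), repeat=len(free_positions)):
        v = base
        for pos, bit in zip(free_positions, bits):
            v |= bit << pos
        result.append(to_dotted(v << host_bits))
    return sorted(result)


if __name__ == "__main__":
    nets = ["192.17.73.0", "192.81.73.0"]   # the two /24s quoted in the thread
    mask = wildcard_for(nets, host_bits=8)
    print("wildcard mask:", mask)
    print("prefixes admitted:", admitted_networks(nets[0], mask))
    print("addresses admitted:", admitted_count(mask))
    # Jason's first guess, for comparison: count how many addresses it admits.
    print("addresses admitted by 0.191.251.0:", admitted_count("0.191.251.0"))
```

`admitted_networks` is the part worth keeping around: a wildcard with several 1 bits in the network portion admits 2^n prefixes, and listing them is the quickest way to confirm that a permit entry is not opening more than the two networks you meant, which is exactly why summarized addressing keeps access lists simple.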