Robert Edmonds wrote:
> 
> Couldn't you just use the wildcard mask 0.0.4.255 to deny 192.17.73.0 -
> 192.17.77.0?  I used the Boson wildcard mask calculator to check this, and
> it gave me those networks.

If the mask is 0.0.4.255, it will deny 192.17.73.0 as well as 192.17.77.0.
However, it won't deny the networks in between.

Let's say you used access-list 11 deny 192.17.73.0 0.0.4.255

73 is 0100 1001
77 is 0100 1101

They differ in the 2^2 position, 4 in decimal. So that's where you'll want a
wildcard (don't-care) bit value in the mask, in other words 1. So the mask
for that part is 0000 0100 in binary or 4 in decimal if you just want those
two networks.

If you use zeros (must match) for all the other bits, you won't get 74, 75,
or 76.

74 is 0100 1010
73 is 0100 1001
Notice that they don't match in the 2^0 or 1 position, but if you use 0 in
the mask in that position, they must match.

75 is 0100 1011
73 is 0100 1001
Notice that they don't match in the 2^1 or 2 position, but if you use 0 in
the mask in that position, they must match.

76 is 0100 1100
73 is 0100 1001
Notice that they don't match in the 2^2 or 2^0 positions, but if you use 0
in the mask in those positions, they must match.

So, 74, 75, and 76 fall through. If you don't explicitly accept them, then
they will be denied by the implicit deny all, but they aren't denied by your
deny 192.17.73.0 0.0.4.255 statement.

By now, I can't remember if you wanted to deny them or not!? But if you do,
just throw some ones in the correct position instead of zeros so those
networks match too. So use 00000111 or 7.

deny 192.17.73.0 0.0.7.255 

Notice that this denies 72 too. That can't be helped. 

72 is 0100 1000
73 is 0100 1001

They match up to the last bit. But you have to say you don't care about that
bit in order to get 75!

So, in conclusion (finally) use this to deny 72-77:

deny 192.17.72.0 0.0.7.255 

Sorry for any typos! I can't decide if I should use reading glasses or not
with my new flat-screen monitor which has lots of blurry lines no matter
what I do. Seriously, that is my excuse.

That and hunger. Off to lunch!

Priscilla




> 
> "Andrew Larkins" wrote in message news:[EMAIL PROTECTED]
> > the first access-list will not work.
> > The second one will also deny networks 192.17.72.0 and 78.0 as well as 79.0
> > -
> > You are correct about zeros must make at 1's are don't care, but you need to
> > understand the basic of subnetting. A 248.0 subnet mask means 8 "Class C"
> > subnets. You have to start at a valid network address which in this case is
> > 192.17.72.0
> >
> > Router(config)#access-list 11 deny 192.17.73.0 0.0.7.255
> > Router#sho access-list 11
> > Standard IP access list 11
> >     deny   192.17.72.0, wildcard bits 0.0.7.255
> >
> >
> > Notice that it fixes your mistake for you.
> >
> > Regards
> >
> > Andrew
> > CCNP, CCDP, CSS1
> >
> > -----Original Message-----
> > From: Jason Steig [mailto:[EMAIL PROTECTED]
> > Sent: 25 February 2003 16:26
> > To: [EMAIL PROTECTED]
> > Subject: new access list problem [7:63715]
> >
> >
> > Hello i networks 192.17.73.0 - 192.17.77.0
> >
> > is there anyway to deny these networks with one entry in an access list?
> >
> >
> > such as deny 192.17.73.0 0.0.248.255?
> >
> > is this going to deny these networks?  it's also going to black hole several
> > other networks though.  Or does the list have to be
> >
> > deny 192.17.73.0 0.0.7.255 ?
> >
> > i thought zeros must match and ones we don't care.
> 
> 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63774&t=63715
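
The wildcard-mask matching discussed in this thread can be checked mechanically. The following Python sketch is an added example, not part of any poster's message; the function names are hypothetical, and it only models the rule "0 bit must match, 1 bit is don't care" for the three masks that appear in the thread.

```python
import ipaddress

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def care_bits(wildcard):
    # Invert the wildcard: a 1 here marks a bit that must match.
    return ~to_int(wildcard) & 0xFFFFFFFF

def acl_matches(source, base, wildcard):
    """True if source matches the ACL entry 'base wildcard'."""
    care = care_bits(wildcard)
    return (to_int(source) & care) == (to_int(base) & care)

def normalized_base(base, wildcard):
    """Base address with the don't-care bits cleared, as in the
    'show access-list' output quoted in the thread."""
    return str(ipaddress.IPv4Address(to_int(base) & care_bits(wildcard)))

def matched_third_octets(base, wildcard, prefix="192.17"):
    """Third octets N for which prefix.N.0 matches the entry."""
    return [n for n in range(256)
            if acl_matches(f"{prefix}.{n}.0", base, wildcard)]

def covering_entry(first, last):
    """Smallest contiguous wildcard block covering first..last.
    Every bit from the highest differing bit downward becomes
    don't-care, so the block is an aligned power-of-two range."""
    lo, hi = to_int(first), to_int(last)
    span = (1 << (lo ^ hi).bit_length()) - 1
    base = lo & ~span & 0xFFFFFFFF
    return (str(ipaddress.IPv4Address(base)),
            str(ipaddress.IPv4Address(span)))

if __name__ == "__main__":
    # Masks taken from the thread; the addresses are the thread's own.
    for mask in ("0.0.4.255", "0.0.7.255", "0.0.248.255"):
        nets = matched_third_octets("192.17.73.0", mask)
        print(mask, "->", normalized_base("192.17.73.0", mask), nets)
    print(covering_entry("192.17.73.0", "192.17.77.255"))
```

Running it prints, for each mask, the base address with don't-care bits cleared and every 192.17.N.0 network the entry would match, followed by the single entry that covers 192.17.73.0 through 192.17.77.255.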