Ahem. Other than the fact that I'm flaming _myself_ for having inverted my
wildcards (oops), I'd just like to clarify something small...

The wildcard is NOT the same as an inverse netmask. It's much more flexible.
The wildcard looks at your expression (the IP address in the ACL) and the
target (the IP address in the packet under scrutiny) and then, for all the
ZEROs in the wildcard, that bit must be the SAME as in the expression. For
all the ONEs, that bit can float.

This can let you construct some weird and wonderful access lists. Say you
use 10.x.x.x and all your routers are .254 in their /24 subnet - you can
allow ALL your routers to send RIP to your main router with this compact
line:

permit udp 10.0.0.254 0.0.255.0 host 172.16.1.254 eq rip

This permits 10.0.x.254 but no other addresses.

You can get even weirder if you like, by using wildcards that have
non-contiguous 1 bits, but I'll leave that as an exercise to the deranged
reader with too much time to hand-figure binary.

So, for example, 90.0.0.0 through to 90.0.0.31 _can_ be collected in one
statement.


> -----Original Message-----
> From: Ben Nagy [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, 5 January 2000 2:46 PM
> To: 'Gerardo Soto'; [EMAIL PROTECTED]
> Subject: RE: Cisco ACL command
[snip]
> 
> What you want to do looks like this (slack way)
> 
> access-list 199 permit ip host 90.0.0.1 90.0.0.1 255.255.255.224

No, you moron. It's 0.0.0.31, not 255.255.255.224. THAT wildcard permits a
weird clump of IP addresses - _any_ IP address with 1 as the last octet.

Could be useful - just not in this case. 8)

> 
> Which allows it to talk to any hosts 90.0.0.1 through to 90.0.0.31.
> 
> The non slack way is to do prepend lines like this
> access-list 199 deny ip host 90.0.0.1 90.0.0.1 255.255.255.252

That's actually the same as the last moron mask - still permits x.x.x.1. It
should read 0.0.0.3.

> (this strips 90.0.0.1,2 and 3)
> [ditto] host 90.0.0.4
> [ditto] host 90.0.0.31
> 
> I might have some off by one errors there somewhere, 

Or possibly I was in the throes of a mild stroke at the time of writing...

> so check this around the borders before you run it on a production
> system - this is off the top of my head.

As should be obvious.

[snip]

> 
> --
> Ben Nagy
> Drug Crazed Lunatic, CPM&S Group of Companies
> PGP Key ID: 0x1A86E304  Mobile: +61 414 411 520  
> -
--
Ben Nagy
Network Consultant, CPM&S Group of Companies
PGP Key ID: 0x1A86E304  Mobile: +61 414 411 520  
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
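The wildcard rule the post above describes (every ZERO bit in the wildcard pins that bit of the target to the expression, every ONE bit floats), as an added Python example that is not code from the original message or from Cisco. It parses the extended-ACL lines quoted in the thread, evaluates a list of them first-match with the implicit deny at the end, tells an inverse netmask apart from a general wildcard, and enumerates what a wildcard actually covers, so the 255.255.255.224 versus 0.0.0.31 slip and the 10.0.x.254 RIP line can be checked rather than hand-figured in binary. The function names, the parser and the sample addresses are assumptions made for this example; the IOS syntax handled is only the subset that appears in the thread (`host`, `any`, and `address wildcard`, with an optional `eq port` that is parsed but not evaluated).

```python
"""Cisco-style ACL wildcard matching (added example, not from the original post)."""
import ipaddress
from itertools import product

ALL_ONES = 0xFFFFFFFF


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def to_str(n: int) -> str:
    return str(ipaddress.IPv4Address(n))


def wildcard_matches(expression: str, wildcard: str, target: str) -> bool:
    """ZERO bits in the wildcard must match the expression; ONE bits may float."""
    care = ALL_ONES ^ to_int(wildcard)          # bits the router actually compares
    return (to_int(expression) & care) == (to_int(target) & care)


def is_inverse_netmask(wildcard: str) -> bool:
    """True only when the ONE bits are a contiguous low-end run (a /n in disguise)."""
    w = to_int(wildcard)
    return (w & (w + 1)) == 0


def match_count(wildcard: str) -> int:
    """Every floating bit doubles the number of addresses the entry covers."""
    return 2 ** bin(to_int(wildcard)).count("1")


def matching_addresses(expression: str, wildcard: str):
    """Enumerate every address the (expression, wildcard) pair matches.
    Only sensible for small wildcards; use match_count() for the big ones."""
    e, w = to_int(expression), to_int(wildcard)
    base = e & (ALL_ONES ^ w)
    float_bits = [b for b in range(32) if (w >> b) & 1]
    for combo in product((0, 1), repeat=len(float_bits)):
        addr = base
        for bit, on in zip(float_bits, combo):
            if on:
                addr |= 1 << bit
        yield to_str(addr)


def _addr_spec(tok):
    """Consume one address spec: 'host A' -> (A, 0.0.0.0), 'any', or 'A W'."""
    if tok[0] == "host":
        return tok[1], "0.0.0.0", tok[2:]
    if tok[0] == "any":
        return "0.0.0.0", "255.255.255.255", tok[1:]
    return tok[0], tok[1], tok[2:]


def parse_extended_acl(line: str) -> dict:
    """Parse '[access-list N] permit|deny <proto> <src> <dst> [eq <port>]'.
    Hypothetical helper: handles only the syntax used in the thread."""
    tok = line.split()
    if tok[0] == "access-list":
        tok = tok[2:]
    action, proto, rest = tok[0], tok[1], tok[2:]
    src, src_wc, rest = _addr_spec(rest)
    dst, dst_wc, rest = _addr_spec(rest)
    port = rest[1] if len(rest) >= 2 and rest[0] == "eq" else None
    return {"action": action, "proto": proto, "src": src, "src_wc": src_wc,
            "dst": dst, "dst_wc": dst_wc, "port": port}


def acl_matches(line: str, src_ip: str, dst_ip: str) -> bool:
    e = parse_extended_acl(line)
    return (wildcard_matches(e["src"], e["src_wc"], src_ip)
            and wildcard_matches(e["dst"], e["dst_wc"], dst_ip))


def evaluate_acl(lines, src_ip: str, dst_ip: str) -> str:
    """First matching entry wins; an ACL ends in an implicit deny."""
    for line in lines:
        if acl_matches(line, src_ip, dst_ip):
            return parse_extended_acl(line)["action"]
    return "deny"


if __name__ == "__main__":
    # Constructed sample: the "non slack" ACL from the thread, with the wildcards
    # written the right way round (0.0.0.3 carves out 90.0.0.0-3, 0.0.0.31 the /27).
    acl = ["access-list 199 deny ip host 90.0.0.1 90.0.0.1 0.0.0.3",
           "access-list 199 permit ip host 90.0.0.1 90.0.0.1 0.0.0.31"]
    for dst in ("90.0.0.2", "90.0.0.4", "90.0.0.31", "90.0.0.32"):
        print(dst, "->", evaluate_acl(acl, "90.0.0.1", dst))
    # The slip: 255.255.255.224 pins only the low five bits of the last octet.
    print("90.0.0.1 255.255.255.224 covers", match_count("255.255.255.224"), "addresses")
    print("matches 10.20.30.33:", wildcard_matches("90.0.0.1", "255.255.255.224", "10.20.30.33"))
```

The `is_inverse_netmask` test is the quick way to tell whether an entry could have been written as a prefix: 0.0.0.31 and 0.0.0.0 pass, 0.0.255.0 (the RIP line, all routers at .254 in 10.0.x.0/24) does not, and neither does 255.255.255.224, which is why the misplaced mask covers 2^27 addresses instead of 32.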
