Help with extended access lists [7:40904]

2002-04-09 Thread r Paul

Hello wondered if anyone can explain.

I have extended access lists working fine.

I have a few blocks of ip address I want to add to list and they are not all
consecutive. What I want to do is use the minimum entry to cover each block.
i.e

Say I had several like this 192.168.1.10 to 15 etc etc

I want to make a single entry for every consecutive block. I do not own the
whole range or subnet. Can I do something like this.

access list 101 permit tcp 192.168.1.10 0.0.0.6 193.26.1.52 eq www

What I am wanting to clarify is if I have the wildcard bit right. In above
example was hoping that 0.0.0.6 would be 6 addresses (192.168.1.10 to
15)...have I understood this right? Do not want to match whole subnet with
0.0.0.255 but those are the only other examples I have seen.

Many thanks

Paul


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=40904&t=40904
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: Help with extended access lists [7:40904]

2002-04-09 Thread [EMAIL PROTECTED]

Hi,

The one which you mentioned is not the right one,

A simple technique to get the inverse mask is as follows:

1. From your example, let's say you want to aggregate 192.168.1.10 to
192.168.1.15. First of all, aggregate these addresses and find the summarized
mask.
The summarized mask in this case is 192.168.1.8/29 (i.e. 255.255.255.248)

2. To get the inverse mask, subtract 255.255.255.248 from 255.255.255.255,
which comes out to 0.0.0.7

3. The result is 192.168.1.8 0.0.0.7


Kind Regards /Thangavel
--
CCIE (qual),CCS,CCDP,CCNP,MCSE

186K
Reading,Brkshire
Direct No   -0118 9064259
Mobile No  -07796292416
Post code: RG16LH
www.186k.co.uk

--
"The greatest glory in living lies not in never falling,
 but in rising every time we fall."
 -- Nelson Mandela

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=40905&t=40904
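As an added example (it is not part of Paul's or Thangavel's posts), the following Python, using only the standard-library `ipaddress` module, does three things: it applies the router's wildcard comparison to show which hosts Paul's proposed entry `192.168.1.10 0.0.0.6` would actually match, it derives the inverse mask by the subtraction in step 2 above for any prefix length, and it splits an arbitrary first..last range into the fewest aligned blocks so the range is covered exactly (the `192.168.1.8 0.0.0.7` entry from step 3 is the /29 that contains the range, so it also admits .8 and .9). The function names and the host ranges scanned are my own; the wildcard semantics modelled are the usual IOS ones, where bits set in the wildcard are ignored on both the packet address and the configured base.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _int(addr):
    return int(ipaddress.IPv4Address(addr))


def _str(value):
    return str(ipaddress.IPv4Address(value))


def ace_matches(base, wildcard, addr):
    """Wildcard compare as a router does it: a 0 bit in the wildcard must
    equal the base, a 1 bit is ignored.  The base is masked too, so an
    unaligned base such as 192.168.1.10 with 0.0.0.6 is silently rounded
    down to 192.168.1.8 and the entry matches .8/.10/.12/.14, not .10-.15."""
    keep = ALL_ONES ^ _int(wildcard)          # bits that must match
    return (_int(addr) & keep) == (_int(base) & keep)


def matched_hosts(base, wildcard, first, last):
    """Every address in first..last (inclusive) that one entry matches."""
    return [_str(a) for a in range(_int(first), _int(last) + 1)
            if ace_matches(base, wildcard, _str(a))]


def wildcard_from_prefix(prefixlen):
    """Thangavel's step 2: 255.255.255.255 minus the subnet mask."""
    netmask = (ALL_ONES << (32 - prefixlen)) & ALL_ONES
    return _str(ALL_ONES - netmask)


def range_to_aces(first, last):
    """Exact cover of first..last with the fewest aligned blocks, each as a
    (base, wildcard) pair.  Aligned blocks are exactly CIDR prefixes, so
    summarize_address_range does the splitting; a range that is itself a
    prefix (8-15) comes back as the single entry 192.168.1.8 0.0.0.7."""
    networks = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [(str(n.network_address), wildcard_from_prefix(n.prefixlen))
            for n in networks]


if __name__ == "__main__":
    scan = ("192.168.1.0", "192.168.1.31")       # constructed scan window
    print("10 0.0.0.6 matches:", matched_hosts("192.168.1.10", "0.0.0.6", *scan))
    print("8 0.0.0.7 matches: ", matched_hosts("192.168.1.8", "0.0.0.7", *scan))
    print("exact cover of 10-15:", range_to_aces("192.168.1.10", "192.168.1.15"))
```

Running it shows the entry Paul asked about matching 192.168.1.8, .10, .12 and .14, and the exact cover of .10 to .15 coming out as two entries, `192.168.1.10 0.0.0.1` and `192.168.1.12 0.0.0.3`, which is the smallest set of single-entry blocks that does not leak .8 and .9.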



Re: Help with extended access lists [7:40904]

2002-04-09 Thread Richard Botham

Thangavel 
What a great method - Thank you


Richard




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=40907&t=40904



RE: Help with extended access lists [7:40904]

2002-04-09 Thread Ole Drews Jensen

Paul,

You need to understand the wildcard format for access-lists. The best way to
do this is to convert your ip addresses to binary.

The beginning range address is 192.168.1.10
The ending range address is 192.168.1.15

We can quickly see that the first three octets are the same, so let's
concentrate on the fourth.

Range is:

10  :  00001010
11  :  00001011
12  :  00001100
13  :  00001101
14  :  00001110
15  :  00001111

As you can see, the left five bits stay the same, so you have to tell the
access-list not to care about the right three bits.

In a wildcard mask, the 0's represent that the bit value MUST be as
specified, and the 1's represent that it doesn't care about the bit value.

So we must create a wildcard for the fourth octet that looks like this:

00000111 = 7

As for the first three octets, they must all match, so that's easy: 0.0.0

Now you have a wildcard mask that looks like this: 0.0.0.7

Since the left five bits were the same for range 10-15, let's take those five
bits 00001 and fill zeros to the right 000 = 00001000 or 8. That's the
value we want to use for the fourth octet in the ip address.

And the access-list would look like this:

access-list 110 permit tcp 192.168.1.8 0.0.0.7 

The only problem with this is that this will also allow .8 and .9, so if
you wish to deny those two addresses, you must do some more matching:

.8  =  00001000
.9  =  00001001

As you can see, the only bit that changes is the right one, so if you do a
wildcard octet of:

00000001

You can test for that.

Let's correct our access-list statements:

access-list 110 deny tcp 192.168.1.8 0.0.0.1 ..
access-list 110 permit tcp 192.168.1.8 0.0.0.7 ..

As you can see, it's a little tricky to calculate, but once you have it
down, it can be almost a fun little task to do. The best thing to do in the
beginning is to write the whole address range down in binary and look at
the bits. That way you can see which ones change and which ones stay the
same. Sometimes you can cut a lot of statements down by looking at the
pattern and creating some good wildcard masks, but that is both good and
bad. It is good because it makes the access-list filter faster, but it's bad
because it can be hard to read the next time you need to reconfigure
something.

Hth,

Ole

~
 Ole Drews Jensen
 Systems Network Manager
 CCNP, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
~
 http://www.RouterChief.com
~
 Need a Job?
 http://www.OleDrews.com/job
~




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=40913&t=40904
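Ole's two-line list only works because the deny sits above the permit: an access list is evaluated top down, the first matching entry decides, and anything that falls off the end hits the implicit deny. The Python below is an added example, not code from Ole's post, that evaluates his list against every host in a constructed scan window and then the same two lines in the opposite order, to show that swapping them lets .8 and .9 through. For comparison it also evaluates an exact two-permit cover of .10 to .15 that needs no deny and so cannot be broken by reordering (that list is my construction, not from the thread). Only the source address is modelled; the assumption is that the rest of each entry (protocol, destination, port) already matches, and the `..` Ole left in his entries stands for those fields.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def ace_matches(base, wildcard, addr):
    """Router wildcard compare: bits set in the wildcard are ignored."""
    keep = ALL_ONES ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & keep) == \
           (int(ipaddress.IPv4Address(base)) & keep)


def evaluate(acl, src):
    """First matching entry wins.  A packet that matches nothing is dropped
    by the implicit deny every access list ends with.  Entries are
    (action, base, wildcard) on the source address only (assumption)."""
    for action, base, wildcard in acl:
        if ace_matches(base, wildcard, src):
            return action
    return "deny"


def permitted_hosts(acl, first, last):
    """All addresses in first..last (inclusive) the list would permit."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    return [str(ipaddress.IPv4Address(a)) for a in range(lo, hi + 1)
            if evaluate(acl, str(ipaddress.IPv4Address(a))) == "permit"]


# Ole's list: the narrow deny must come before the wide permit.
OLE_ACL = [
    ("deny",   "192.168.1.8", "0.0.0.1"),
    ("permit", "192.168.1.8", "0.0.0.7"),
]

# Same two entries, wrong order: the permit is reached first for .8 and .9.
REVERSED_ACL = list(reversed(OLE_ACL))

# Constructed alternative: exact cover of .10-.15 with two permits and no
# deny, so the result does not depend on entry order.
EXACT_ACL = [
    ("permit", "192.168.1.10", "0.0.0.1"),
    ("permit", "192.168.1.12", "0.0.0.3"),
]

if __name__ == "__main__":
    window = ("192.168.1.0", "192.168.1.31")   # constructed scan window
    for name, acl in (("ole", OLE_ACL), ("reversed", REVERSED_ACL),
                      ("exact", EXACT_ACL)):
        print(name, permitted_hosts(acl, *window))
```

The exact-cover form costs one more entry than Ole's deny-plus-permit on a range like this, but it has a property worth paying for on a security boundary: a later edit that reorders lines, or a tool that sorts them, cannot widen what it permits.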