RE: access list.. [7:13564]

2001-07-26 Thread Farhan Ahmed

hi ejay..

subnet calc won't calc wild mask or does it?

Best Regards
 -Original Message-
 From: Hire, Ejay [mailto:[EMAIL PROTECTED]]
 Sent: Thursday, July 26, 2001 12:42 AM
 To: [EMAIL PROTECTED]
 Subject: RE: access list.. [7:13564]
 
 
 No, Solution2 is correct. 
 The objective was to permit x.x.240-255.0-255 per the 
 original message :
 What mask would be used if you want to create an
 access list where the IP addresses (128.252.0.0 to
 128.252.240.0) would be blocked
 pls support with explanation,
 
 You can check it with the subnet calculator from B0s0n Software.
 
 -ejay
 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=13835t=13564
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



RE: access list.. [7:13564]

2001-07-26 Thread Ole Drews Jensen

Farhan,

You need to understand how this works, and the best thing to do is to grab a
pen and a paper and write down the addresses, first in decimal, and then in
binary. Let's try...

The numbers you wish to block here are 224 thru 239:

224 : 1110 0000
225 : 1110 0001
226 : 1110 0010
227 : 1110 0011
228 : 1110 0100
229 : 1110 0101
230 : 1110 0110
231 : 1110 0111
232 : 1110 1000
233 : 1110 1001
234 : 1110 1010
235 : 1110 1011
236 : 1110 1100
237 : 1110 1101
238 : 1110 1110
239 : 1110 1111

As you can see, this is an easy range, since the first four bits are the
same in the entire range, and the last four bits change from 0000 to 1111.

Since the first four bits are the same in the entire range, you can CARE
about them, and NOT CARE about the last four bits. Therefore, the address
must be 1110 0000, or 224 in decimal, and the wildcard mask must be
0000 1111, or 15 in decimal. Remember, in the wildcard mask 0 CARES and 1 DON'T.

You can test this now with any of the values written in decimal and binary
above. Let's take 233 for example.

233 : 1110 1001 (the address trying to get through)
224 : 1110 0000 (the deny address)
15  : 0000 1111 (the deny wildcard)

Since the last four bits of the wildcard are 1's, you can ignore them, and
only concentrate on the 0's, because they are the ones that must match. The
0's represent the first four bits of the address, and as you can see,
address 233 will be stopped by the 224, because the first four bits are the
same in those two values.

Try to write this down on a paper, and try all kind of different addresses
to see what will be permitted, and what will be denied.

The access-list answer to this will be:

access-list 1 deny A.B.235.224 0.0.0.15
access-list 1 permit any

which is also what TAC told you.

You need to understand this!

Hth,

Ole

~~~
 Ole Drews Jensen
 Systems Network Manager
 CCNA, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
~~~ 
 http://www.RouterChief.com
~~~
 NEED A JOB ???
 http://www.oledrews.com/job
~~~






-Original Message-
From: Farhan Ahmed [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 26, 2001 2:44 AM
To: 'Ole Drews Jensen'
Cc: '[EMAIL PROTECTED]'
Subject: RE: access list.. [7:13564]


2nd one permit or deny?

also

http://www.boson.com/promo/guides/ip-access-list.htm

here what tac says
IP Extended Access Lists
Question: I tried to compile an access list which will only allow a certain
IP range access to the proxy server in a subnet. What wild card can I use to
accomplish this task?

IP info: subnet (class b) A.B.235.0 with subnet mask 255.255.255.0. The
proxy server's address is A.B.119.100. The address range I want to block the
access to the proxy is A.B.235.224 to A.B.235.239. I know 255.255.255.230
will give me the address range, but just couldn't figure out the wild card
for that.

Answer:

255.255.255.240 will give you the address range for that. To turn this
into an access list mask, just invert the bits in the normal subnet mask.

For example, 255.255.255.240 = 11111111.11111111.11111111.11110000

In the access list mask, this will be: 00000000.00000000.00000000.00001111.

So, the equivalent access list mask in decimal format will be: 0.0.0.15.

Within your access list, to cover this range, you will deny:

A.B.235.224 0.0.0.15

Last Modified: 12-JUN-98 

 



RE: access list.. [7:13564]

2001-07-25 Thread Hire, Ejay

Create an Access list to block the source address range 128.252.0.0 to
128.252.240.0

Solution 1:
access-list 1 deny 128.252.0.0    0.0.127.255   Blocks 128.252.0-127.0-255
access-list 1 deny 128.252.128.0  0.0.63.255    Blocks 128.252.128-191.0-255
access-list 1 deny 128.252.192.0  0.0.31.255    Blocks 128.252.192-223.0-255
access-list 1 deny 128.252.224.0  0.0.15.255    Blocks 128.252.224-239.0-255
access-list 1 permit any                        Allows all other traffic to pass.

Solution 2:
access-list 1 permit 128.252.240.0 0.0.15.255   Permits 128.252.240-255.0-255
access-list 1 deny 128.252.0.0 0.0.255.255      Denies traffic from 128.252 that is not permitted by the previous line
access-list 1 permit any

Notes:
Both Solutions work, but solution 2 has less lines and will result in less
processor utilization in most scenarios.

-Ejay



-Original Message-
From: Farhan Ahmed [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 24, 2001 2:29 PM
To: [EMAIL PROTECTED]
Subject: access list.. [7:13564]


What mask would be used if you want to create an
access list where the IP addresses (128.252.0.0 to
128.252.240.0) would be blocked
pls support with explanation,




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=13784t=13564



RE: access list.. [7:13564]

2001-07-25 Thread Farhan Ahmed

solution2; will permit 1-240 range and the deny statement will deny the rest
that's opposite

to get a wild mask
we put higher minus lower

 255.255.255.255
 255.255.240.  0
   0.  0. 15.255

so the router will permit 1-240 instead

-Original Message-
From: Hire, Ejay [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 25, 2001 9:22 PM
To: 'Farhan Ahmed'; [EMAIL PROTECTED]
Subject: RE: access list.. [7:13564]


Objective:  
Create an Access list to block the source address range 128.252.0.0 to
128.252.240.0

Solution 1:
access-list 1 deny 128.252.0.0    0.0.127.255   Blocks 128.252.0-127.0-255
access-list 1 deny 128.252.128.0  0.0.63.255    Blocks 128.252.128-191.0-255
access-list 1 deny 128.252.192.0  0.0.31.255    Blocks 128.252.192-223.0-255
access-list 1 deny 128.252.224.0  0.0.15.255    Blocks 128.252.224-239.0-255
access-list 1 permit any                        Allows all other traffic to pass.

Solution 2:
access-list 1 permit 128.252.240.0 0.0.15.255   Permits 128.252.240-255.0-255
access-list 1 deny 128.252.0.0 0.0.255.255      Denies traffic from 128.252 that is not permitted by the previous line
access-list 1 permit any

Notes:
Both Solutions work, but solution 2 has less lines and will result in less
processor utilization in most scenarios.

-Ejay







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=13790t=13564



Re: access list.. [7:13564]

2001-07-25 Thread Jeremy Wright

deny range 128.252.0.0-128.252.240.0
permit all others

access-list 1 deny 128.252.0.0 0.0.240.255
access-list 1 permit any


- Original Message -
From: Farhan Ahmed 
To: 
Sent: Wednesday, July 25, 2001 1:35 PM
Subject: RE: access list.. [7:13564]


 solution2; will permit 1-240 range and the deny statement will deny the rest
 that's opposite

 to get a wild mask
 we put higher minus lower

  255.255.255.255
  255.255.240.  0
    0.  0. 15.255

 so the router will permit 1-240 instead





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=13800t=13564



RE: access list.. [7:13564]

2001-07-25 Thread Ole Drews Jensen

I am not sure why this discussion is starting all over a day or two after it
was done, but anyway - your answer is incorrect. Please see the explanation
below (again).



Let's take it line by line:


access-list 1 deny 128.252.240.0 0.0.0.255

Third Octet:

Address  240  1111 0000
Wildcard 0    0000 0000

Since all bits in the wildcard are 0, they must all match with the address,
so only one address will be included here = 240.


access-list 1 permit 128.252.240.0 0.0.15.255

Third Octet:

Address  240  1111 0000
Wildcard 15   0000 1111

Here the first four bits in the wildcard are 0, so they must match. The last
four bits are 1, so they don't care. So, you will have from 1111 0000 thru
1111 1111 or 240 to 255.


access-list 1 deny 128.252.0.0 0.0.255.255

Third Octet:

Address  0    0000 0000
Wildcard 255  1111 1111

None of the wildcard bits are 0, so this whole value don't care. It can be
from 0 to 255.


access-list 1 permit any


What is important here, is that an access-list is read from the top and down
until a match is found, and THEN IT EXITS. So if it meets a match, it will
not check the rest of the list.

Let's try to run this list with 0 thru 255.

In the first line, 240 is denied. Now we have 0 thru 239 and 241 thru 255
left.

In the second line, 241 thru 255 is permitted. Now we have 0 thru 239 left.

In the third line, 0 thru 239 is denied. We have none left.

Hth,

Ole

~~~
 Ole Drews Jensen
 Systems Network Manager
 CCNA, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
~~~ 
 http://www.RouterChief.com
~~~
 NEED A JOB ???
 http://www.oledrews.com/job
~~~


-Original Message-
From: Jeremy Wright [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 25, 2001 2:06 PM
To: [EMAIL PROTECTED]
Subject: Re: access list.. [7:13564]


deny range 128.252.0.0-128.252.240.0
permit all others

access-list 1 deny 128.252.0.0 0.0.240.255
access-list 1 permit any






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=13803t=13564
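
Added example (not part of any post in this thread): a small Python model of
standard-ACL evaluation, using the wildcard-bit and first-match rules
described in the message above, run over the ACLs proposed in the thread. The
ACL text is copied from the posts; the function names, and sampling host .1
in each third-octet value, are assumptions of this sketch.

```python
import ipaddress

# ACLs as posted in the thread (whitespace normalised).
SOLUTION_1 = """
access-list 1 deny 128.252.0.0   0.0.127.255
access-list 1 deny 128.252.128.0 0.0.63.255
access-list 1 deny 128.252.192.0 0.0.31.255
access-list 1 deny 128.252.224.0 0.0.15.255
access-list 1 permit any
"""
SOLUTION_2 = """
access-list 1 permit 128.252.240.0 0.0.15.255
access-list 1 deny 128.252.0.0 0.0.255.255
access-list 1 permit any
"""
THREE_LINE = """
access-list 1 deny 128.252.240.0 0.0.0.255
access-list 1 permit 128.252.240.0 0.0.15.255
access-list 1 deny 128.252.0.0 0.0.255.255
access-list 1 permit any
"""
SINGLE_LINE = """
access-list 1 deny 128.252.0.0 0.0.240.255
access-list 1 permit any
"""

def ip_to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def parse_acl(text):
    """Parse 'access-list N permit|deny ADDR [WILDCARD]' and '... any' lines."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0].lower() != "access-list":
            continue
        action = tok[2].lower()
        if tok[3].lower() == "any":
            addr, wild = 0, 0xFFFFFFFF          # every bit is "don't care"
        else:
            addr = ip_to_int(tok[3])
            wild = ip_to_int(tok[4]) if len(tok) > 4 else 0
        rules.append((action, addr, wild))
    return rules

def matches(src, addr, wild):
    # Wildcard bit 0 = must match the rule address, 1 = don't care.
    care = ~wild & 0xFFFFFFFF
    return ((src ^ addr) & care) == 0

def evaluate(rules, src_ip):
    """Top-down, first match wins; nothing matched means implicit deny."""
    src = ip_to_int(src_ip)
    for action, addr, wild in rules:
        if matches(src, addr, wild):
            return action
    return "deny"

def denied_third_octets(acl_text, prefix="128.252"):
    # Every wildcard in the thread ends in .255, so the fourth octet never
    # affects the result; host .1 is sampled for each third-octet value.
    rules = parse_acl(acl_text)
    return [o for o in range(256)
            if evaluate(rules, f"{prefix}.{o}.1") == "deny"]

def as_ranges(nums):
    """Render a sorted list of ints compactly, e.g. [0,1,2,5] -> '0-2,5'."""
    spans, start, prev = [], None, None
    for n in nums:
        if start is None:
            start = prev = n
        elif n == prev + 1:
            prev = n
        else:
            spans.append((start, prev))
            start = prev = n
    if start is not None:
        spans.append((start, prev))
    return ",".join(str(a) if a == b else f"{a}-{b}" for a, b in spans)

if __name__ == "__main__":
    for name, acl in [("Solution 1", SOLUTION_1), ("Solution 2", SOLUTION_2),
                      ("deny 240 first", THREE_LINE),
                      ("0.0.240.255", SINGLE_LINE)]:
        print(f"{name:15} denies 128.252.x.* for x = "
              f"{as_ranges(denied_third_octets(acl))}")
```

The single-line 0.0.240.255 wildcard is discontiguous: it ignores the top four
bits of the third octet and requires the low four bits to be zero, so it
matches 16 scattered values rather than one continuous range.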



RE: access list.. [7:13564]

2001-07-25 Thread Hire, Ejay

No, Solution2 is correct. 
The objective was to permit x.x.240-255.0-255 per the original message :
What mask would be used if you want to create an
access list where the IP addresses (128.252.0.0 to
128.252.240.0) would be blocked
pls support with explanation,

You can check it with the subnet calculator from B0s0n Software.

-ejay

-Original Message-
From: Farhan Ahmed [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 25, 2001 2:23 PM
To: 'Hire, Ejay'; [EMAIL PROTECTED]
Subject: RE: access list.. [7:13564]


solution2; will permit 1-240 range and the deny statement will deny the rest
that's opposite

to get a wild mask
we put higher minus lower

 255.255.255.255
 255.255.240.  0
   0.  0. 15.255

so the router will permit 1-240 instead





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=13804t=13564



RE: access list.. [7:13564]

2001-07-25 Thread Ole Drews Jensen

No, not permit .240 - .255, but .241 to .255, or in other words (numbers)
deny .0 to 240.

Ole

~~~
 Ole Drews Jensen
 Systems Network Manager
 CCNA, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
~~~ 
 http://www.RouterChief.com
~~~
 NEED A JOB ???
 http://www.oledrews.com/job
~~~


-Original Message-
From: Hire, Ejay [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 25, 2001 3:42 PM
To: [EMAIL PROTECTED]
Subject: RE: access list.. [7:13564]


No, Solution2 is correct. 
The objective was to permit x.x.240-255.0-255 per the original message :
What mask would be used if you want to create an
access list where the IP addresses (128.252.0.0 to
128.252.240.0) would be blocked
pls support with explanation,

You can check it with the subnet calculator from B0s0n Software.

-ejay





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=13807t=13564



Re: access list.. [7:13564]

2001-07-24 Thread MikeN

To answer this question, we would need to know what the subnet masks are.

Thanks,
MikeN

Farhan Ahmed wrote in message
news:[EMAIL PROTECTED]...
 What mask would be used if you want to create an
 access list where the IP addresses (128.252.0.0 to
 128.252.240.0) would be blocked
 pls support with explanation,




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=13567t=13564



RE: access list.. [7:13564]

2001-07-24 Thread Farhan Ahmed

def mask

-Original Message-
From: MikeN [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 24, 2001 10:36 PM
To: [EMAIL PROTECTED]
Subject: Re: access list.. [7:13564]


To answer this question, we would need to know what the subnet masks are.

Thanks,
MikeN





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=13569t=13564



RE: access list.. [7:13564]

2001-07-24 Thread Ayers, Michael

That particular combination is not easy with one WC mask, but here are 2
options. Obviously, the less the lines the better.

Either
Access-list 1 deny 128.252.0.0 0.0.127.255      0-127
Access-list 1 deny 128.252.128.0 0.0.63.255     128-191
Access-list 1 deny 128.252.192.0 0.0.31.255     192-223
Access-list 1 deny 128.252.224.0 0.0.15.255     224-239
Access-list 1 deny 128.252.240.0 0.0.0.255      240
Access-list 1 permit any

Or
Access-list 1 deny 128.252.240.0 0.0.0.255      240
Access-list 1 permit 128.252.240.0 0.0.15.255   240-255 (except the denied 240)
Access-list 1 deny 128.252.0.0 0.0.255.255      0-255 (except the permitted 241 - 255)
Access-list 1 permit any




 -Original Message-
From:   Farhan Ahmed [mailto:[EMAIL PROTECTED]] 
Sent:   Tuesday, July 24, 2001 11:29 AM
To: [EMAIL PROTECTED]
Subject:access list.. [7:13564]

What mask would be used if you want to create an
access list where the IP addresses (128.252.0.0 to
128.252.240.0) would be blocked
pls support with explanation,




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=13570t=13564
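
Added example (not from the post above): the first option in that message is
what you get by splitting the range into the largest aligned power-of-two
blocks, each of which fits one address/wildcard pair. A Python sketch of that
split for any first/last address; the function names are this example's own,
and ending the range at 128.252.240.255 assumes the whole 240 subnet is to be
blocked.

```python
import ipaddress

def range_to_blocks(first, last):
    """Split the inclusive range first..last into the fewest blocks that a
    contiguous wildcard mask can express. Returns (address, wildcard) pairs."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError("first address is above last address")
    blocks = []
    while lo <= hi:
        # Largest block that can start at lo: its lowest set bit (alignment).
        size = (lo & -lo) if lo else 1 << 32
        # Halve it until it no longer runs past the end of the range.
        while size > hi - lo + 1:
            size >>= 1
        # A block of 'size' addresses has wildcard size-1 (all low bits set).
        blocks.append((str(ipaddress.IPv4Address(lo)),
                       str(ipaddress.IPv4Address(size - 1))))
        lo += size
    return blocks

def deny_range_acl(first, last, number=1):
    """Render the blocks as standard ACL lines followed by 'permit any'."""
    lines = [f"access-list {number} deny {addr} {wild}"
             for addr, wild in range_to_blocks(first, last)]
    lines.append(f"access-list {number} permit any")
    return lines

if __name__ == "__main__":
    # Third octets 0-240 inclusive: five deny lines, as in the first option.
    for line in deny_range_acl("128.252.0.0", "128.252.240.255"):
        print(line)
```

Ending the range at 128.252.239.255 instead drops the last deny line and
leaves the four blocks 0-127, 128-191, 192-223 and 224-239.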



Re: access list.. [7:13564]

2001-07-24 Thread MikeN

Okay.. default masks meaning classful class B.
128.252.0.0 with a subnet mask of 255.255.0.0
 and
128.252.240.0  with a subnet mask of 255.255.0.0

On a router you would use the wildcard mask (inverse) of the subnet mask:

access-list 101 deny ip 128.252.0.0 0.0.255.255 128.252.240.0 0.0.255.255
access-list 101 permit ip any any
Then apply it to the interface with ip access-group 101 in or out depending
on what interface it is applied to.

It is easy to envision what the wildcard mask is and what it does if we view
the decimal numbers in binary format:
wildcard mask 0.0.255.255 = 00000000.00000000.11111111.11111111
0's = interesting part of the address is to the router; 1's = portion of
address the router isn't going to care about; this portion of the address
could be any number.

If you list the ip address in binary above the wildcard mask, it looks like
this:
   128    .   252    .    0     .    0
10000000 . 11111100 . 00000000 . 00000000
00000000 . 00000000 . 11111111 . 11111111
    0    .     0    .   252    .   252

The router will only view the portion of the address NOT blocked by 1's as
interesting: 128.252.x.x

You will need to grasp this concept before moving on to subnetting and
supernetting.

There are some excellent explanations for how this works in the Cisco Press
CCNA books.

To confirm, this is for routers and not the PIX ACLs.

HTH
MikeN


Farhan Ahmed wrote in message
news:[EMAIL PROTECTED]...
 What mask would be used if you want to create an
 access list where the IP addresses (128.252.0.0 to
 128.252.240.0) would be blocked
 pls support with explanation,




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=13588t=13564



Re: access list.. [7:13564]

2001-07-24 Thread fgh

access-list 1 deny 128.252.0.0 0.0.240.255
access-list 1 permit any

the 1st line blocks that range and the 2nd line allows all other traffic


 i think? not positive though


- Original Message -
From: Farhan Ahmed 
To: 
Sent: Tuesday, July 24, 2001 1:28 PM
Subject: access list.. [7:13564]


 What mask would be used if you want to create an
 access list where the IP addresses (128.252.0.0 to
 128.252.240.0) would be blocked
 pls support with explanation,




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=13592t=13564



Re: access list.. [7:13564]

2001-07-24 Thread fgh

I don't think the access list here you listed will block the whole range. He
is asking to block the range, not the 2 individual ip addresses.




- Original Message -
From: MikeN 
To: 
Sent: Tuesday, July 24, 2001 2:48 PM
Subject: Re: access list.. [7:13564]


 Okay.. default masks meaning classful class B.
 128.252.0.0 with a subnet mask of 255.255.0.0
  and
 128.252.240.0  with a subnet mask of 255.255.0.0

 On a router you would use the wildcard mask (inverse) of the subnet mask:

 access-list 101 deny ip 128.252.0.0 0.0.255.255 128.252.240.0 0.0.255.255
 access-list 101 permit ip any any
 Then apply it to the interface with ip access-group 101 in or out depending
 on what interface it is applied to.

 It is easy to envision what the wildcard mask is and what it does if we view
 the decimal numbers in binary format:
 wildcard mask 0.0.255.255 = 00000000.00000000.11111111.11111111
 0's = interesting part of the address is to the router; 1's = portion of
 address the router isn't going to care about; this portion of the address
 could be any number.

 If you list the ip address in binary above the wildcard mask, it looks like
 this:
    128    .   252    .    0     .    0
 10000000 . 11111100 . 00000000 . 00000000
 00000000 . 00000000 . 11111111 . 11111111
     0    .     0    .   252    .   252

 The router will only view the portion of the address NOT blocked by 1's as
 interesting: 128.252.x.x

 You will need to grasp this concept before moving on to subnetting and
 supernetting.

 There are some excellent explanations for how this works in the Cisco
Press
 CCNA books.

 To confirm, this is for routers and not the PIX ACLs.

 HTH
 MikeN






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=13595t=13564



RE: access list.. [7:13564]

2001-07-24 Thread Ayers, Michael

That should be 0.0.15.255, but that allows 240, and you have it backwards,
you need to permit the first line (access-list 1 deny 128.252.0.0
0.0.15.255), and then deny the class b , then permit all else

 -Original Message-
From:   fgh [mailto:[EMAIL PROTECTED]] 
Sent:   Tuesday, July 24, 2001 1:02 PM
To: [EMAIL PROTECTED]
Subject:Re: access list.. [7:13564]

access-list 1 deny 128.252.0.0 0.0.240.255
access-list 1 permit any

the 1st line blocks that range and the 2nd line allows all other traffic


 i think? not positive though






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=13598t=13564



RE: access list.. [7:13564]

2001-07-24 Thread Ayers, Michael

Your statement (access-list 101 deny ip 128.252.0.0 0.0.255.255
128.252.240.0 0.0.255.255), will AND off the 240 part, and still block all
of the class b



Thank You,


Michael Ayers
Network Engineer
  OneNeck IT Services
(480) 539-2203
(800) 272-3077


 -Original Message-
From:   MikeN [mailto:[EMAIL PROTECTED]] 
Sent:   Tuesday, July 24, 2001 12:49 PM
To: [EMAIL PROTECTED]
Subject:Re: access list.. [7:13564]

Okay.. default masks meaning classful class B.
128.252.0.0 with a subnet mask of 255.255.0.0
 and
128.252.240.0  with a subnet mask of 255.255.0.0

On a router you would use the wildcard mask (inverse) of the subnet mask:

access-list 101 deny ip 128.252.0.0 0.0.255.255 128.252.240.0 0.0.255.255
access-list 101 permit ip any any
Then apply it to the interface with ip access-group 101 in or out depending
on what interface it is applied to.

It is easy to envision what the wildcard mask is and what it does if we view
the decimal numbers in binary format:
wildcard mask 0.0.255.255 = ...
0's = interesting part of the address is to the router; 1's = portion of
address the router isn't going to care about; this portion of the address
could be any number.

If you list the ip address in binary above the wildcard mask, it looks like
this:
   128   . 252 .  0.  0
1000.1100..
...
0  .  0.252 . 252

The router will only view the portion of the address NOT blocked by 1's as
interesting: 128.252.x.x

You will need to grasp this concept before moving on to subnetting and
supernetting.

There are some excellent explanations for how this works in the Cisco Press
CCNA books.

To confirm, this is for routers and not the PIX ACLs.

HTH
MikeN


Farhan Ahmed  wrote in message
news:[EMAIL PROTECTED]...
 What mask would be used if you want to create an
 access list where the IP addresses (128.252.0.0 to
 128.252.240.0) would be blocked
 pls support with explanation,




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=13599t=13564



Re: access list.. [7:13564]

2001-07-24 Thread fgh

He wants to block the range 128.252.0.0-128.252.240.0 and permit all else.

access-list 1 deny 128.252.0.0 0.0.240.255
access-list 1 permit any

I have a CCIE and a sniffer instructor sitting next to me and they verified
that the above commands work for blocking the range and permitting
everything else.



- Original Message -
From: Ayers, Michael 
To: 'fgh' ; 
Sent: Tuesday, July 24, 2001 3:04 PM
Subject: RE: access list.. [7:13564]


 That should be 0.0.15.255, but that allows 240, and you have it backwards,
 you need to permit the first line (access-list 1 deny 128.252.0.0
 0.0.15.255), and then deny the class b , then permit all else

  -Original Message-
 From: fgh [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, July 24, 2001 1:02 PM
 To: [EMAIL PROTECTED]
 Subject: Re: access list.. [7:13564]

 access-list 1 deny 128.252.0.0 0.0.240.255
 access-list 1 permit any

 the 1st line blocks that range and the 2nd line allows all other traffic


  i think? not positive though


 - Original Message -
 From: Farhan Ahmed
 To:
 Sent: Tuesday, July 24, 2001 1:28 PM
 Subject: access list.. [7:13564]


  What mask would be used if you want to create an
  access list where the IP addresses (128.252.0.0 to
  128.252.240.0) would be blocked
  pls support with explanation,




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=13604t=13564



RE: access list.. [7:13564]

2001-07-24 Thread Farhan Ahmed

should be 0.0.15.255
but how?

-Original Message-
From: Ayers, Michael [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 25, 2001 12:27 AM
To: [EMAIL PROTECTED]
Subject: RE: access list.. [7:13564]


Your statement (access-list 101 deny ip 128.252.0.0 0.0.255.255
128.252.240.0 0.0.255.255), will AND off the 240 part, and still block all
of the class b



Thank You,


Michael Ayers
Network Engineer
  OneNeck IT Services
(480) 539-2203
(800) 272-3077


 -Original Message-
From:   MikeN [mailto:[EMAIL PROTECTED]] 
Sent:   Tuesday, July 24, 2001 12:49 PM
To: [EMAIL PROTECTED]
Subject:Re: access list.. [7:13564]

Okay.. default masks meaning classful class B.
128.252.0.0 with a subnet mask of 255.255.0.0
 and
128.252.240.0  with a subnet mask of 255.255.0.0

On a router you would use the wildcard mask (inverse) of the subnet mask:

access-list 101 deny ip 128.252.0.0 0.0.255.255 128.252.240.0 0.0.255.255
access-list 101 permit ip any any
Then apply it to the interface with ip access-group 101 in or out depending
on what interface it is applied to.

It is easy to envision what the wildcard mask is and what it does if we view
the decimal numbers in binary format:
wildcard mask 0.0.255.255 = ...
0's = interesting part of the address is to the router; 1's = portion of
address the router isn't going to care about; this portion of the address
could be any number.

If you list the ip address in binary above the wildcard mask, it looks like
this:
   128   . 252 .  0.  0
1000.1100..
...
0  .  0.252 . 252

The router will only view the portion of the address NOT blocked by 1's as
interesting: 128.252.x.x

You will need to grasp this concept before moving on to subnetting and
supernetting.

There are some excellent explanations for how this works in the Cisco Press
CCNA books.

To confirm, this is for routers and not the PIX ACLs.

HTH
MikeN


Farhan Ahmed  wrote in message
news:[EMAIL PROTECTED]...
 What mask would be used if you want to create an
 access list where the IP addresses (128.252.0.0 to
 128.252.240.0) would be blocked
 pls support with explanation,




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=13606t=13564



RE: access list.. [7:13564]

2001-07-24 Thread fgh

He wants to block the range 128.252.0.0-128.252.240.0 and permit all else.

access-list 1 deny 128.252.0.0 0.0.240.255
access-list 1 permit any




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=13607t=13564



RE: access list.. [7:13564]

2001-07-24 Thread Ayers, Michael

0.0.15.255 =    

I only care what the first 20 bits are.  So 128.252 are 16 bits, we can
ignore them (they match visually).  The last octet is all 1, so we can
ignore that also don't care.

We also don't care what the last 4 bits are, so we do care what the first 4
are.  If we use 128.252.240.0,

we get 1000 1100  000 in binary.
We only want to focus on the 3rd octet .  

SO 
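CARE  Don't Care  Decimal Number
1111  0000        240
1111  0001        241
1111  0010        242
1111  0011        243
1111  0100        244
1111  0101        245
1111  0110        246
1111  0111        247
1111  1000        248
1111  1001        249
1111  1010        250
1111  1011        251
1111  1100        252
1111  1101        253
1111  1110        254
1111  1111        255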

 -Original Message-
From:   Farhan Ahmed [mailto:[EMAIL PROTECTED]] 
Sent:   Tuesday, July 24, 2001 1:35 PM
To: 'Ayers, Michael'; [EMAIL PROTECTED]
Subject:RE: access list.. [7:13564]

should be 0.0.15.255
but how?

-Original Message-
From: Ayers, Michael [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 25, 2001 12:27 AM
To: [EMAIL PROTECTED]
Subject: RE: access list.. [7:13564]


Your statement (access-list 101 deny ip 128.252.0.0 0.0.255.255
128.252.240.0 0.0.255.255), will AND off the 240 part, and still block all
of the class b



Thank You,


Michael Ayers
Network Engineer
  OneNeck IT Services
(480) 539-2203
(800) 272-3077


 -Original Message-
From:   MikeN [mailto:[EMAIL PROTECTED]] 
Sent:   Tuesday, July 24, 2001 12:49 PM
To: [EMAIL PROTECTED]
Subject:Re: access list.. [7:13564]

Okay.. default masks meaning classful class B.
128.252.0.0 with a subnet mask of 255.255.0.0
 and
128.252.240.0  with a subnet mask of 255.255.0.0

On a router you would use the wildcard mask (inverse) of the subnet mask:

access-list 101 deny ip 128.252.0.0 0.0.255.255 128.252.240.0 0.0.255.255
access-list 101 permit ip any any
Then apply it to the interface with ip access-group 101 in or out depending
on what interface it is applied to.

It is easy to envision what the wildcard mask is and what it does if we view
the decimal numbers in binary format:
wildcard mask 0.0.255.255 = ...
0's = interesting part of the address is to the router; 1's = portion of
address the router isn't going to care about; this portion of the address
could be any number.

If you list the ip address in binary above the wildcard mask, it looks like
this:
   128   . 252 .  0.  0
1000.1100..
...
0  .  0.252 . 252

The router will only view the portion of the address NOT blocked by 1's as
interesting: 128.252.x.x

You will need to grasp this concept before moving on to subnetting and
supernetting.

There are some excellent explanations for how this works in the Cisco Press
CCNA books.

To confirm, this is for routers and not the PIX ACLs.

HTH
MikeN


Farhan Ahmed  wrote in message
news:[EMAIL PROTECTED]...
 What mask would be used if you want to create an
 access list where the IP addresses (128.252.0.0 to
 128.252.240.0) would be blocked
 pls support with explanation,




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=13611t=13564



RE: access list.. [7:13564]

2001-07-24 Thread Ayers, Michael

You are incorrect.   A 240 in a WC mask will, here, deny 16.x, 32.x, 48.x,
64.x, etc... (multiples of 16).  Your MASK is saying that you don't care what
the 4 higher order bits are, but you MUST have  in the last 4 bits of
the octet in question.  This will then only permit combinations of

0000  0
0001  16
0010  32
0011  48
0100  64
0101  80
0110  96
0111  112
1000  128
1001  144
1010  160
1011  176
1100  192
1101  208
1110  224
1111  240


 -Original Message-
From:   fgh [mailto:[EMAIL PROTECTED]] 
Sent:   Tuesday, July 24, 2001 1:23 PM
To: Ayers, Michael
Cc: [EMAIL PROTECTED]
Subject:Re: access list.. [7:13564]

He wants to block the range 128.252.0.0-128.252.240.0 and permit all else.

access-list 1 deny 128.252.0.0 0.0.240.255
access-list 1 permit any

I have a CCIE and a sniffer instructor sitting next to me and they verified
that the above commands work for blocking the range and permitting
everything else.



- Original Message -
From: Ayers, Michael 
To: 'fgh' ; 
Sent: Tuesday, July 24, 2001 3:04 PM
Subject: RE: access list.. [7:13564]


 That should be 0.0.15.255, but that allows 240, and you have it backwards,
 you need to permit the first line (access-list 1 deny 128.252.0.0
 0.0.15.255), and then deny the class b , then permit all else

  -Original Message-
 From: fgh [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, July 24, 2001 1:02 PM
 To: [EMAIL PROTECTED]
 Subject: Re: access list.. [7:13564]

 access-list 1 deny 128.252.0.0 0.0.240.255
 access-list 1 permit any

 the 1st line blocks that range and the 2nd line allows all other traffic


  i think? not positive though


 - Original Message -
 From: Farhan Ahmed
 To:
 Sent: Tuesday, July 24, 2001 1:28 PM
 Subject: access list.. [7:13564]


  What mask would be used if you want to create an
  access list where the IP addresses (128.252.0.0 to
  128.252.240.0) would be blocked
  pls support with explanation,




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=13613t=13564
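
The two wildcard masks debated in the messages above can be checked mechanically. The following Python is an added example, not part of any poster's message; the function names are hypothetical, the first list is fgh's as posted, and the second assumes base 128.252.240.0 for the permit-then-deny ordering Michael Ayers describes.

```python
import ipaddress


def to_int(dotted):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard is "don't care",
    a 0 bit must be identical in addr and base."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)


def matched_third_octets(base, wildcard):
    """Third-octet values x for which 128.252.x.1 matches base/wildcard.
    Every mask examined here has 255 in the last octet, so the host
    part never changes the result and one sample host is enough."""
    return [x for x in range(256)
            if wildcard_match(f"128.252.{x}.1", base, wildcard)]


ANY = ("permit", "0.0.0.0", "255.255.255.255")  # "permit any"

# The list as posted by fgh.
ACL_WC_240 = [("deny", "128.252.0.0", "0.0.240.255"), ANY]

# Permit 240-255 first, then deny the rest of the class B, then permit
# everything else. Base 128.252.240.0 is an assumption taken from the
# 240-255 table in the thread.
ACL_WC_15 = [
    ("permit", "128.252.240.0", "0.0.15.255"),
    ("deny", "128.252.0.0", "0.0.255.255"),
    ANY,
]


def evaluate(acl, addr):
    """Top-down, first match wins; an ACL ends with an implicit deny."""
    for action, base, wildcard in acl:
        if wildcard_match(addr, base, wildcard):
            return action
    return "deny"


def denied_third_octets(acl):
    """Third-octet values x for which the ACL denies source 128.252.x.1."""
    return [x for x in range(256)
            if evaluate(acl, f"128.252.{x}.1") == "deny"]


def compress(values):
    """Collapse a sorted list of ints into 'a-b' runs for display."""
    runs = []
    for v in values:
        if runs and v == runs[-1][1] + 1:
            runs[-1][1] = v
        else:
            runs.append([v, v])
    return ", ".join(str(a) if a == b else f"{a}-{b}" for a, b in runs)


if __name__ == "__main__":
    print("0.0.15.255 at 128.252.240.0 matches third octets:",
          compress(matched_third_octets("128.252.240.0", "0.0.15.255")))
    print("0.0.240.255 at 128.252.0.0 matches third octets:",
          compress(matched_third_octets("128.252.0.0", "0.0.240.255")))
    print("ACL with 0.0.240.255 denies third octets:",
          compress(denied_third_octets(ACL_WC_240)))
    print("ACL with 0.0.15.255 denies third octets:",
          compress(denied_third_octets(ACL_WC_15)))
```
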



RE: access list.. [7:13564]

2001-07-24 Thread Ayers, Michael

You are incorrect.   A 240 in a WC mask will, here, deny 16.x, 32.x, 48.x,
64.x, etc... (multiples of 16).  Your MASK is saying that you don't care what
the 4 higher order bits are, but you MUST have  in the last 4 bits of
the octet in question.  This will then only permit combinations of

0000  0
0001  16
0010  32
0011  48
0100  64
0101  80
0110  96
0111  112
1000  128
1001  144
1010  160
1011  176
1100  192
1101  208
1110  224
1111  240


 -Original Message-
From:   fgh [mailto:[EMAIL PROTECTED]] 
Sent:   Tuesday, July 24, 2001 1:23 PM
To: Ayers, Michael
Cc: [EMAIL PROTECTED]
Subject:Re: access list.. [7:13564]

He wants to block the range 128.252.0.0-128.252.240.0 and permit all else.

access-list 1 deny 128.252.0.0 0.0.240.255
access-list 1 permit any

I have a CCIE and a sniffer instructor sitting next to me and they verified
that the above commands work for blocking the range and permitting
everything else.



- Original Message -
From: Ayers, Michael 
To: 'fgh' ; 
Sent: Tuesday, July 24, 2001 3:04 PM
Subject: RE: access list.. [7:13564]


 That should be 0.0.15.255, but that allows 240, and you have it backwards,
 you need to permit the first line (access-list 1 deny 128.252.0.0
 0.0.15.255), and then deny the class b , then permit all else

  -Original Message-
 From: fgh [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, July 24, 2001 1:02 PM
 To: [EMAIL PROTECTED]
 Subject: Re: access list.. [7:13564]

 access-list 1 deny 128.252.0.0 0.0.240.255
 access-list 1 permit any

 the 1st line blocks that range and the 2nd line allows all other traffic


  i think? not positive though


 - Original Message -
 From: Farhan Ahmed
 To:
 Sent: Tuesday, July 24, 2001 1:28 PM
 Subject: access list.. [7:13564]


  What mask would be used if you want to create an
  access list where the IP addresses (128.252.0.0 to
  128.252.240.0) would be blocked
  pls support with explanation,




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=13609t=13564



RE: access list.. [7:13564]

2001-07-24 Thread Ayers, Michael

Only problem, your scenario should be to block all from 0 to 239 to make an
easy solution.




 -Original Message-
From:   Ayers, Michael  
Sent:   Tuesday, July 24, 2001 1:40 PM
To: 'Farhan Ahmed'; Ayers, Michael; [EMAIL PROTECTED]
Subject:RE: access list.. [7:13564]

0.0.15.255 =    

I only care what the first 20 bits are.  So 128.252 are 16 bits, we can
ignore them (they match visually).  The last octet is all 1, so we can
ignore that also don't care.

We also don't care what the last 4 bits are, so we do care what the first 4
are.  If we use 128.252.240.0,

we get 1000 1100  000 in binary.
We only want to focus on the 3rd octet .  

SO 
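CARE  Don't Care  Decimal Number
1111  0000        240
1111  0001        241
1111  0010        242
1111  0011        243
1111  0100        244
1111  0101        245
1111  0110        246
1111  0111        247
1111  1000        248
1111  1001        249
1111  1010        250
1111  1011        251
1111  1100        252
1111  1101        253
1111  1110        254
1111  1111        255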

 -Original Message-
From:   Farhan Ahmed [mailto:[EMAIL PROTECTED]] 
Sent:   Tuesday, July 24, 2001 1:35 PM
To: 'Ayers, Michael'; [EMAIL PROTECTED]
Subject:RE: access list.. [7:13564]

should be 0.0.15.255
but how?

-Original Message-
From: Ayers, Michael [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 25, 2001 12:27 AM
To: [EMAIL PROTECTED]
Subject: RE: access list.. [7:13564]


Your statement (access-list 101 deny ip 128.252.0.0 0.0.255.255
128.252.240.0 0.0.255.255), will AND off the 240 part, and still block all
of the class b



Thank You,


Michael Ayers
Network Engineer
  OneNeck IT Services
(480) 539-2203
(800) 272-3077


 -Original Message-
From:   MikeN [mailto:[EMAIL PROTECTED]] 
Sent:   Tuesday, July 24, 2001 12:49 PM
To: [EMAIL PROTECTED]
Subject:Re: access list.. [7:13564]

Okay.. default masks meaning classful class B.
128.252.0.0 with a subnet mask of 255.255.0.0
 and
128.252.240.0  with a subnet mask of 255.255.0.0

On a router you would use the wildcard mask (inverse) of the subnet mask:

access-list 101 deny ip 128.252.0.0 0.0.255.255 128.252.240.0 0.0.255.255
access-list 101 permit ip any any
Then apply it to the interface with ip access-group 101 in or out depending
on what interface it is applied to.

It is easy to envision what the wildcard mask is and what it does if we view
the decimal numbers in binary format:
wildcard mask 0.0.255.255 = ...
0's = interesting part of the address is to the router; 1's = portion of
address the router isn't going to care about; this portion of the address
could be any number.

If you list the ip address in binary above the wildcard mask, it looks like
this:
   128   . 252 .  0.  0
1000.1100..
...
0  .  0.252 . 252

The router will only view the portion of the address NOT blocked by 1's as
interesting: 128.252.x.x

You will need to grasp this concept before moving on to subnetting and
supernetting.

There are some excellent explanations for how this works in the Cisco Press
CCNA books.

To confirm, this is for routers and not the PIX ACLs.

HTH
MikeN


Farhan Ahmed  wrote in message
news:[EMAIL PROTECTED]...
 What mask would be used if you want to create an
 access list where the IP addresses (128.252.0.0 to
 128.252.240.0) would be blocked
 pls support with explanation,




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=13614t=13564



RE: access list.. [7:13564]

2001-07-24 Thread Ayers, Michael

And I only have a lowly CCNP telling me.  (myself)


-Original Message-
From:   fgh [mailto:[EMAIL PROTECTED]] 
Sent:   Tuesday, July 24, 2001 1:02 PM
To: [EMAIL PROTECTED]
Subject:Re: access list.. [7:13564]

access-list 1 deny 128.252.0.0 0.0.240.255
access-list 1 permit any

the 1st line blocks that range and the 2nd line allows all other traffic


 i think? not positive though


- Original Message -
From: Farhan Ahmed 
To: 
Sent: Tuesday, July 24, 2001 1:28 PM
Subject: access list.. [7:13564]


 What mask would be used if you want to create an
 access list where the IP addresses (128.252.0.0 to
 128.252.240.0) would be blocked
 pls support with explanation,




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=13616t=13564



Re: access list.. [7:13564]

2001-07-24 Thread fgh

access-list 1 permit 172.22.0.0 0.0.31.255

It permits all hosts with addresses in the range 172.22.0.1 to
172.22.31.255.

Routing TCP/IP, Volume 1
pg. 862
Jeff Doyle, CCIE 1919

I guess you are going to tell me that Mr. Jeff Doyle is wrong now? Bu-bye




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=13617t=13564



RE: access list.. [7:13564]

2001-07-24 Thread Ole Drews Jensen

Wouldn't the right answer be this:

ip access-list 101 deny 128.252.240.0 0.0.0.255

ip access-list 101 permit 128.252.240.0 0.0.240.255

ip access-list 101 deny 128.252.0.0 0.0.255.255

ip access-list 101 permit any

Line 1 would block .240
Line 2 would allow .240 thru .255
Line 3 would block .0 thru .255
Line 4 would allow the rest

Hth,

Ole

~~~
 Ole Drews Jensen
 Systems Network Manager
 CCNA, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
~~~ 
 http://www.RouterChief.com
~~~
 NEED A JOB ???
 http://www.oledrews.com/job
~~~


-Original Message-
From: Ayers, Michael [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 24, 2001 4:06 PM
To: [EMAIL PROTECTED]
Subject: RE: access list.. [7:13564]


Only problem, your scenario should be to block all from 0 to 239 to make an
easy solution.




 -Original Message-
From:   Ayers, Michael  
Sent:   Tuesday, July 24, 2001 1:40 PM
To: 'Farhan Ahmed'; Ayers, Michael; [EMAIL PROTECTED]
Subject:RE: access list.. [7:13564]

0.0.15.255 =    

I only care what the first 20 bits are.  So 128.252 are 16 bits, we can
ignore them (they match visually).  The last octet is all 1, so we can
ignore that also don't care.

We also don't care what the last 4 bits are, so we do care what the first 4
are.  If we use 128.252.240.0,

we get 1000 1100  000 in binary.
We only want to focus on the 3rd octet .  

SO 
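CARE  Don't Care  Decimal Number
1111  0000        240
1111  0001        241
1111  0010        242
1111  0011        243
1111  0100        244
1111  0101        245
1111  0110        246
1111  0111        247
1111  1000        248
1111  1001        249
1111  1010        250
1111  1011        251
1111  1100        252
1111  1101        253
1111  1110        254
1111  1111        255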

 -Original Message-
From:   Farhan Ahmed [mailto:[EMAIL PROTECTED]] 
Sent:   Tuesday, July 24, 2001 1:35 PM
To: 'Ayers, Michael'; [EMAIL PROTECTED]
Subject:RE: access list.. [7:13564]

should be 0.0.15.255
but how?

-Original Message-
From: Ayers, Michael [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 25, 2001 12:27 AM
To: [EMAIL PROTECTED]
Subject: RE: access list.. [7:13564]


Your statement (access-list 101 deny ip 128.252.0.0 0.0.255.255
128.252.240.0 0.0.255.255), will AND off the 240 part, and still block all
of the class b



Thank You,


Michael Ayers
Network Engineer
  OneNeck IT Services
(480) 539-2203
(800) 272-3077


 -Original Message-
From:   MikeN [mailto:[EMAIL PROTECTED]] 
Sent:   Tuesday, July 24, 2001 12:49 PM
To: [EMAIL PROTECTED]
Subject:Re: access list.. [7:13564]

Okay.. default masks meaning classful class B.
128.252.0.0 with a subnet mask of 255.255.0.0
 and
128.252.240.0  with a subnet mask of 255.255.0.0

On a router you would use the wildcard mask (inverse) of the subnet mask:

access-list 101 deny ip 128.252.0.0 0.0.255.255 128.252.240.0 0.0.255.255
access-list 101 permit ip any any
Then apply it to the interface with ip access-group 101 in or out depending
on what interface it is applied to.

It is easy to envision what the wildcard mask is and what it does if we view
the decimal numbers in binary format:
wildcard mask 0.0.255.255 = ...
0's = interesting part of the address is to the router; 1's = portion of
address the router isn't going to care about; this portion of the address
could be any number.

If you list the ip address in binary above the wildcard mask, it looks like
this:
   128   . 252 .  0.  0
1000.1100..
...
0  .  0.252 . 252

The router will only view the portion of the address NOT blocked by 1's as
interesting: 128.252.x.x

You will need to grasp this concept before moving on to subnetting and
supernetting.

There are some excellent explanations for how this works in the Cisco Press
CCNA books.

To confirm, this is for routers and not the PIX ACLs.

HTH
MikeN


Farhan Ahmed  wrote in message
news:[EMAIL PROTECTED]...
 What mask would be used if you want to create an
 access list where the IP addresses (128.252.0.0 to
 128.252.240.0) would be blocked
 pls support with explanation,

RE: access list.. [7:13564]

2001-07-24 Thread Ole Drews Jensen

Oops, I made an error - sorry.

It should be:

ip access-list 101 deny 128.252.240.0 0.0.0.255

ip access-list 101 permit 128.252.240.0 0.0.15.255

ip access-list 101 deny 128.252.0.0 0.0.255.255

ip access-list 101 permit any

Line 1 would block .240
Line 2 would allow .240 thru .255
Line 3 would block .0 thru .255
Line 4 would allow the rest

Hth,

Ole

~~~
 Ole Drews Jensen
 Systems Network Manager
 CCNA, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
~~~ 
 http://www.RouterChief.com
~~~
 NEED A JOB ???
 http://www.oledrews.com/job
~~~



-Original Message-
From: Ole Drews Jensen [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 24, 2001 4:33 PM
To: [EMAIL PROTECTED]
Subject: RE: access list.. [7:13564]


Wouldn't the right answer be this:

ip access-list 101 deny 128.252.240.0 0.0.0.255

ip access-list 101 permit 128.252.240.0 0.0.240.255

ip access-list 101 deny 128.252.0.0 0.0.255.255

ip access-list 101 permit any

Line 1 would block .240
Line 2 would allow .240 thru .255
Line 3 would block .0 thru .255
Line 4 would allow the rest

Hth,

Ole

~~~
 Ole Drews Jensen
 Systems Network Manager
 CCNA, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
~~~ 
 http://www.RouterChief.com
~~~
 NEED A JOB ???
 http://www.oledrews.com/job
~~~


-Original Message-
From: Ayers, Michael [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 24, 2001 4:06 PM
To: [EMAIL PROTECTED]
Subject: RE: access list.. [7:13564]


Only problem, your scenario should be to block all from 0 to 239 to make an
easy solution.




 -Original Message-
From:   Ayers, Michael  
Sent:   Tuesday, July 24, 2001 1:40 PM
To: 'Farhan Ahmed'; Ayers, Michael; [EMAIL PROTECTED]
Subject:RE: access list.. [7:13564]

0.0.15.255 =    

I only care what the first 20 bits are.  So 128.252 are 16 bits, we can
ignore them (they match visually).  The last octet is all 1, so we can
ignore that also don't care.

We also don't care what the last 4 bits are, so we do care what the first 4
are.  If we use 128.252.240.0,

we get 1000 1100  000 in binary.
We only want to focus on the 3rd octet .  

SO 
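CARE  Don't Care  Decimal Number
1111  0000        240
1111  0001        241
1111  0010        242
1111  0011        243
1111  0100        244
1111  0101        245
1111  0110        246
1111  0111        247
1111  1000        248
1111  1001        249
1111  1010        250
1111  1011        251
1111  1100        252
1111  1101        253
1111  1110        254
1111  1111        255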

 -Original Message-
From:   Farhan Ahmed [mailto:[EMAIL PROTECTED]] 
Sent:   Tuesday, July 24, 2001 1:35 PM
To: 'Ayers, Michael'; [EMAIL PROTECTED]
Subject:RE: access list.. [7:13564]

should be 0.0.15.255
but how?

-Original Message-
From: Ayers, Michael [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 25, 2001 12:27 AM
To: [EMAIL PROTECTED]
Subject: RE: access list.. [7:13564]


Your statement (access-list 101 deny ip 128.252.0.0 0.0.255.255
128.252.240.0 0.0.255.255), will AND off the 240 part, and still block all
of the class b



Thank You,


Michael Ayers
Network Engineer
  OneNeck IT Services
(480) 539-2203
(800) 272-3077


 -Original Message-
From:   MikeN [mailto:[EMAIL PROTECTED]] 
Sent:   Tuesday, July 24, 2001 12:49 PM
To: [EMAIL PROTECTED]
Subject:Re: access list.. [7:13564]

Okay.. default masks meaning classful class B.
128.252.0.0 with a subnet mask of 255.255.0.0
 and
128.252.240.0  with a subnet mask of 255.255.0.0

On a router you would use the wildcard mask (inverse) of the subnet mask:

access-list 101 deny ip 128.252.0.0 0.0.255.255 128.252.240.0 0.0.255.255
access-list 101 permit ip any any
Then apply it to the interface with ip access-group 101 in or out depending
on what interface it is applied to.

It is easy to envision what the wildcard mask is and what it does if we view
the decimal numbers in binary format:
wildcard mask 0.0.255.255 = ...
0's = interesting part of the address is to the router; 1's = portion of
address the router isn't going to care about; this portion of the address
could be any number.

If you list the ip address in binary above the wildcard mask, it looks like
this:
   128   . 252 .  0.  0
1000.1100..
...
0  .  0.252 . 252

The router will only view the portion of the address NOT blocked by 1's as
interesting: 128.252.x.x

You will need to grasp this concept before moving

RE: access list.. [7:13564]

2001-07-24 Thread Farhan Ahmed

we wanted to block till 240

1-240



-Original Message-
From: Ole Drews Jensen [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 25, 2001 1:33 AM
To: [EMAIL PROTECTED]
Subject: RE: access list.. [7:13564]


Wouldn't the right answer be this:

ip access-list 101 deny 128.252.240.0 0.0.0.255

ip access-list 101 permit 128.252.240.0 0.0.240.255

ip access-list 101 deny 128.252.0.0 0.0.255.255

ip access-list 101 permit any

Line 1 would block .240
Line 2 would allow .240 thru .255
Line 3 would block .0 thru .255
Line 4 would allow the rest

Hth,

Ole

~~~
 Ole Drews Jensen
 Systems Network Manager
 CCNA, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
~~~ 
 http://www.RouterChief.com
~~~
 NEED A JOB ???
 http://www.oledrews.com/job
~~~


-Original Message-
From: Ayers, Michael [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 24, 2001 4:06 PM
To: [EMAIL PROTECTED]
Subject: RE: access list.. [7:13564]


Only problem, your scenario should be to block all from 0 to 239 to make an
easy solution.




 -Original Message-
From:   Ayers, Michael  
Sent:   Tuesday, July 24, 2001 1:40 PM
To: 'Farhan Ahmed'; Ayers, Michael; [EMAIL PROTECTED]
Subject:RE: access list.. [7:13564]

0.0.15.255 =    

I only care what the first 20 bits are.  So 128.252 are 16 bits, we can
ignore them (they match visually).  The last octet is all 1, so we can
ignore that also don't care.

We also don't care what the last 4 bits are, so we do care what the first 4
are.  If we use 128.252.240.0,

we get 1000 1100  000 in binary.
We only want to focus on the 3rd octet .  

SO 
CARE  Don't Care  Decimal Number
                  240
      0001        241
      0010        242
      0011        243
      0100        244
      0101        245
      0110        246
      0111        247
      1000        248
      1001        249
      1010        250
      1011        251
      1100        252
      1101        253
      1110        254
                  255

 -Original Message-
From:   Farhan Ahmed [mailto:[EMAIL PROTECTED]] 
Sent:   Tuesday, July 24, 2001 1:35 PM
To: 'Ayers, Michael'; [EMAIL PROTECTED]
Subject:RE: access list.. [7:13564]

should be 0.0.15.255
but how?

-Original Message-
From: Ayers, Michael [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 25, 2001 12:27 AM
To: [EMAIL PROTECTED]
Subject: RE: access list.. [7:13564]


Your statement (access-list 101 deny ip 128.252.0.0 0.0.255.255
128.252.240.0 0.0.255.255), will AND off the 240 part, and still block all
of the class b



Thank You,


Michael Ayers
Network Engineer
  OneNeck IT Services
(480) 539-2203
(800) 272-3077


 -Original Message-
From:   MikeN [mailto:[EMAIL PROTECTED]] 
Sent:   Tuesday, July 24, 2001 12:49 PM
To: [EMAIL PROTECTED]
Subject:Re: access list.. [7:13564]

Okay.. default masks meaning classful class B.
128.252.0.0 with a subnet mask of 255.255.0.0
 and
128.252.240.0  with a subnet mask of 255.255.0.0

On a router you would use the wildcard mask (inverse) of the subnet mask:

access-list 101 deny ip 128.252.0.0 0.0.255.255 128.252.240.0 0.0.255.255
access-list 101 permit ip any any
Then apply it to the interface with ip access-group 101 in or out depending
on what interface it is applied to.

It is easy to envision what the wildcard mask is and what it does if we view
the decimal numbers in binary format:
wildcard mask 0.0.255.255 = ...
0's = interesting part of the address is to the router; 1's = portion of
address the router isn't going to care about; this portion of the address
could be any number.

If you list the ip address in binary above the wildcard mask, it looks like
this:
   128   . 252 .  0.  0
1000.1100..
...
0  .  0.252 . 252

The router will only view the portion of the address NOT blocked by 1's as
interesting: 128.252.x.x

You will need to grasp this concept before moving on to subnetting and
supernetting.

There are some excellent explanations for how this works in the Cisco Press
CCNA books.

To confirm, this is for routers and not the PIX ACLs.

HTH
MikeN


Farhan Ahmed  wrote in message
news:[EMAIL PROTECTED]...
 What mask would be used if you want to create an
 access list where the IP addresses (128.252.0.0 to
 128.252.240.0) would be blocked
 pls support with explanation,

RE: access list.. [7:13564]

2001-07-24 Thread Ole Drews Jensen

If you read my corrected one, that is what you're getting with my solution.

First you deny .240, then you allow .240 to .255, but since you have already
denied .240, it will in practice mean that you are allowing .241 to .255.

The only thing left now (.0 thru .255 minus .240 thru .255) is .0 thru 239,
which you want to deny. That is done in the third line.

Hth,

Ole

~~~
 Ole Drews Jensen
 Systems Network Manager
 CCNA, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
~~~ 
 http://www.RouterChief.com
~~~
 NEED A JOB ???
 http://www.oledrews.com/job
~~~

-Original Message-
From: Farhan Ahmed [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 24, 2001 4:39 PM
To: 'Ole Drews Jensen'; [EMAIL PROTECTED]
Subject: RE: access list.. [7:13564]



we wanted to block till 240

1-240



-Original Message-
From: Ole Drews Jensen [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 25, 2001 1:33 AM
To: [EMAIL PROTECTED]
Subject: RE: access list.. [7:13564]


Wouldn't the right answer be this:

ip access-list 101 deny 128.252.240.0 0.0.0.255

ip access-list 101 permit 128.252.240.0 0.0.240.255

ip access-list 101 deny 128.252.0.0 0.0.255.255

ip access-list 101 permit any

Line 1 would block .240
Line 2 would allow .240 thru .255
Line 3 would block .0 thru .255
Line 4 would allow the rest

Hth,

Ole

~~~
 Ole Drews Jensen
 Systems Network Manager
 CCNA, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
~~~ 
 http://www.RouterChief.com
~~~
 NEED A JOB ???
 http://www.oledrews.com/job
~~~


-Original Message-
From: Ayers, Michael [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 24, 2001 4:06 PM
To: [EMAIL PROTECTED]
Subject: RE: access list.. [7:13564]


Only problem, your scenario should be to block all from 0 to 239 to make an
easy solution.




 -Original Message-
From:   Ayers, Michael  
Sent:   Tuesday, July 24, 2001 1:40 PM
To: 'Farhan Ahmed'; Ayers, Michael; [EMAIL PROTECTED]
Subject:RE: access list.. [7:13564]

0.0.15.255 =    

I only care what the first 20 bits are.  So 128.252 are 16 bits, we can
ignore them (they match visually).  The last octet is all 1, so we can
ignore that also don't care.

We also don't care what the last 4 bits are, so we do care what the first 4
are.  If we use 128.252.240.0,

we get 1000 1100  000 in binary.
We only want to focus on the 3rd octet .  

SO 
CARE  Don't Care  Decimal Number
                  240
      0001        241
      0010        242
      0011        243
      0100        244
      0101        245
      0110        246
      0111        247
      1000        248
      1001        249
      1010        250
      1011        251
      1100        252
      1101        253
      1110        254
                  255

 -Original Message-
From:   Farhan Ahmed [mailto:[EMAIL PROTECTED]] 
Sent:   Tuesday, July 24, 2001 1:35 PM
To: 'Ayers, Michael'; [EMAIL PROTECTED]
Subject:RE: access list.. [7:13564]

should be 0.0.15.255
but how?

-Original Message-
From: Ayers, Michael [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 25, 2001 12:27 AM
To: [EMAIL PROTECTED]
Subject: RE: access list.. [7:13564]


Your statement (access-list 101 deny ip 128.252.0.0 0.0.255.255
128.252.240.0 0.0.255.255), will AND off the 240 part, and still block all
of the class b



Thank You,


Michael Ayers
Network Engineer
  OneNeck IT Services
(480) 539-2203
(800) 272-3077


 -Original Message-
From:   MikeN [mailto:[EMAIL PROTECTED]] 
Sent:   Tuesday, July 24, 2001 12:49 PM
To: [EMAIL PROTECTED]
Subject:Re: access list.. [7:13564]

Okay.. default masks meaning classful class B.
128.252.0.0 with a subnet mask of 255.255.0.0
 and
128.252.240.0  with a subnet mask of 255.255.0.0

On a router you would use the wildcard mask (inverse) of the subnet mask:

access-list 101 deny ip 128.252.0.0 0.0.255.255 128.252.240.0 0.0.255.255
access-list 101 permit ip any any
Then apply it to the interface with ip access-group 101 in or out depending
on what interface it is applied to.

It is easy to envision what the wildcard mask is and what it does if we view
the decimal numbers in binary format:
wildcard mask 0.0.255.255 = ...
0's = interesting part of the address is to the router; 1's = portion of
address the router isn't going to care about; this portion of the address
could be any number.

If you list the ip address in binary above the wildcard mask, it looks like
this:
   128   . 252 .  0.  0
1000.1100..

RE: access list.. [7:13564]

2001-07-24 Thread Farhan Ahmed

i think b4 it was ok

-Original Message-
From: Ole Drews Jensen [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 25, 2001 1:46 AM
To: [EMAIL PROTECTED]
Subject: RE: access list.. [7:13564]


Oops, I made an error - sorry.

It should be:

ip access-list 101 deny 128.252.240.0 0.0.0.255

ip access-list 101 permit 128.252.240.0 0.0.15.255

ip access-list 101 deny 128.252.0.0 0.0.255.255

ip access-list 101 permit any

Line 1 would block .240
Line 2 would allow .240 thru .255
Line 3 would block .0 thru .255
Line 4 would allow the rest

Hth,

Ole

~~~
 Ole Drews Jensen
 Systems Network Manager
 CCNA, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
~~~ 
 http://www.RouterChief.com
~~~
 NEED A JOB ???
 http://www.oledrews.com/job
~~~



-Original Message-
From: Ole Drews Jensen [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 24, 2001 4:33 PM
To: [EMAIL PROTECTED]
Subject: RE: access list.. [7:13564]


Wouldn't the right answer be this:

ip access-list 101 deny 128.252.240.0 0.0.0.255

ip access-list 101 permit 128.252.240.0 0.0.240.255

ip access-list 101 deny 128.252.0.0 0.0.255.255

ip access-list 101 permit any

Line 1 would block .240
Line 2 would allow .240 thru .255
Line 3 would block .0 thru .255
Line 4 would allow the rest

Hth,

Ole

~~~
 Ole Drews Jensen
 Systems Network Manager
 CCNA, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
~~~ 
 http://www.RouterChief.com
~~~
 NEED A JOB ???
 http://www.oledrews.com/job
~~~


-Original Message-
From: Ayers, Michael [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 24, 2001 4:06 PM
To: [EMAIL PROTECTED]
Subject: RE: access list.. [7:13564]


Only problem, your scenario should be to block all from 0 to 239 to make an
easy solution.




 -Original Message-
From:   Ayers, Michael  
Sent:   Tuesday, July 24, 2001 1:40 PM
To: 'Farhan Ahmed'; Ayers, Michael; [EMAIL PROTECTED]
Subject:RE: access list.. [7:13564]

0.0.15.255 =    

I only care what the first 20 bits are.  So 128.252 are 16 bits, we can
ignore them (they match visually).  The last octet is all 1, so we can
ignore that also don't care.

We also don't care what the last 4 bits are, so we do care what the first 4
are.  If we use 128.252.240.0,

we get 1000 1100  000 in binary.
We only want to focus on the 3rd octet .  

SO 
CARE  Don't Care  Decimal Number
                  240
      0001        241
      0010        242
      0011        243
      0100        244
      0101        245
      0110        246
      0111        247
      1000        248
      1001        249
      1010        250
      1011        251
      1100        252
      1101        253
      1110        254
                  255

 -Original Message-
From:   Farhan Ahmed [mailto:[EMAIL PROTECTED]] 
Sent:   Tuesday, July 24, 2001 1:35 PM
To: 'Ayers, Michael'; [EMAIL PROTECTED]
Subject:RE: access list.. [7:13564]

should be 0.0.15.255
but how?

-Original Message-
From: Ayers, Michael [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 25, 2001 12:27 AM
To: [EMAIL PROTECTED]
Subject: RE: access list.. [7:13564]


Your statement (access-list 101 deny ip 128.252.0.0 0.0.255.255
128.252.240.0 0.0.255.255), will AND off the 240 part, and still block all
of the class b



Thank You,


Michael Ayers
Network Engineer
  OneNeck IT Services
(480) 539-2203
(800) 272-3077


 -Original Message-
From:   MikeN [mailto:[EMAIL PROTECTED]] 
Sent:   Tuesday, July 24, 2001 12:49 PM
To: [EMAIL PROTECTED]
Subject:Re: access list.. [7:13564]

Okay.. default masks meaning classful class B.
128.252.0.0 with a subnet mask of 255.255.0.0
 and
128.252.240.0  with a subnet mask of 255.255.0.0

On a router you would use the wildcard mask (inverse) of the subnet mask:

access-list 101 deny ip 128.252.0.0 0.0.255.255 128.252.240.0 0.0.255.255
access-list 101 permit ip any any
Then apply it to the interface with ip access-group 101 in or out depending
on what interface it is applied to.

It is easy to envision what the wildcard mask is and what it does if we view
the decimal numbers in binary format:
wildcard mask 0.0.255.255 = ...
0's = interesting part of the address is to the router; 1's = portion of
address the router isn't going to care about; this portion of the address
could be any number.

If you list the ip address in binary above the wildcard mask, it looks like
this:
   128   . 252 .  0.  0
1000.1100..
...
0

RE: access list.. [7:13564]

2001-07-24 Thread Ole Drews Jensen

BTW, I have used the values for extended access-lists - so here's the final
answer from me on this topic today

ip access-list 1 deny 128.252.240.0 0.0.0.255
ip access-list 1 permit 128.252.240.0 0.0.15.255
ip access-list 1 deny 128.252.0.0 0.0.255.255
ip access-list 1 permit any

Line 1 would block .240
Line 2 would allow .240 thru .255
Line 3 would block .0 thru .255
Line 4 would allow the rest

Hth,

Ole

~~~
 Ole Drews Jensen
 Systems Network Manager
 CCNA, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
~~~ 
 http://www.RouterChief.com
~~~
 NEED A JOB ???
 http://www.oledrews.com/job
~~~


-Original Message-
From: Ole Drews Jensen [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 24, 2001 4:46 PM
To: [EMAIL PROTECTED]
Subject: RE: access list.. [7:13564]


Oops, I made an error - sorry.

It should be:

ip access-list 101 deny 128.252.240.0 0.0.0.255

ip access-list 101 permit 128.252.240.0 0.0.15.255

ip access-list 101 deny 128.252.0.0 0.0.255.255

ip access-list 101 permit any

Line 1 would block .240
Line 2 would allow .240 thru .255
Line 3 would block .0 thru .255
Line 4 would allow the rest

Hth,

Ole

~~~
 Ole Drews Jensen
 Systems Network Manager
 CCNA, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
~~~ 
 http://www.RouterChief.com
~~~
 NEED A JOB ???
 http://www.oledrews.com/job
~~~



-Original Message-
From: Ole Drews Jensen [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 24, 2001 4:33 PM
To: [EMAIL PROTECTED]
Subject: RE: access list.. [7:13564]


Wouldn't the right answer be this:

ip access-list 101 deny 128.252.240.0 0.0.0.255

ip access-list 101 permit 128.252.240.0 0.0.240.255

ip access-list 101 deny 128.252.0.0 0.0.255.255

ip access-list 101 permit any

Line 1 would block .240
Line 2 would allow .240 thru .255
Line 3 would block .0 thru .255
Line 4 would allow the rest

Hth,

Ole

~~~
 Ole Drews Jensen
 Systems Network Manager
 CCNA, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
~~~ 
 http://www.RouterChief.com
~~~
 NEED A JOB ???
 http://www.oledrews.com/job
~~~


-Original Message-
From: Ayers, Michael [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 24, 2001 4:06 PM
To: [EMAIL PROTECTED]
Subject: RE: access list.. [7:13564]


Only problem, your scenario should be to block all from 0 to 239 to make an
easy solution.




 -Original Message-
From:   Ayers, Michael  
Sent:   Tuesday, July 24, 2001 1:40 PM
To: 'Farhan Ahmed'; Ayers, Michael; [EMAIL PROTECTED]
Subject:RE: access list.. [7:13564]

0.0.15.255 =    

I only care what the first 20 bits are.  So 128.252 are 16 bits, we can
ignore them (they match visually).  The last octet is all 1, so we can
ignore that also don't care.

We also don't care what the last 4 bits are, so we do care what the first 4
are.  If we use 128.252.240.0,

we get 1000 1100  000 in binary.
We only want to focus on the 3rd octet .  

SO 
CARE  Don't Care  Decimal Number
                  240
      0001        241
      0010        242
      0011        243
      0100        244
      0101        245
      0110        246
      0111        247
      1000        248
      1001        249
      1010        250
      1011        251
      1100        252
      1101        253
      1110        254
                  255

 -Original Message-
From:   Farhan Ahmed [mailto:[EMAIL PROTECTED]] 
Sent:   Tuesday, July 24, 2001 1:35 PM
To: 'Ayers, Michael'; [EMAIL PROTECTED]
Subject:RE: access list.. [7:13564]

should be 0.0.15.255
but how?

-Original Message-
From: Ayers, Michael [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 25, 2001 12:27 AM
To: [EMAIL PROTECTED]
Subject: RE: access list.. [7:13564]


Your statement (access-list 101 deny ip 128.252.0.0 0.0.255.255
128.252.240.0 0.0.255.255), will AND off the 240 part, and still block all
of the class b



Thank You,


Michael Ayers
Network Engineer
  OneNeck IT Services
(480) 539-2203
(800) 272-3077


 -Original Message-
From:   MikeN [mailto:[EMAIL PROTECTED]] 
Sent:   Tuesday, July 24, 2001 12:49 PM
To: [EMAIL PROTECTED]
Subject:Re: access list.. [7:13564]

Okay.. default masks meaning classful class B.
128.252.0.0 with a subnet mask of 255.255.0.0
 and
128.252.240.0  with a subnet mask of 255.255.0.0

On a router you would use the wildcard mask (inverse) of the subnet mask:

access-list 101 deny ip 128.252.0.0 0.0.255.255 128.252.240.0 0.0.255.255
access

RE: access list.. [7:13564]

2001-07-24 Thread Ole Drews Jensen

Let's take it line by line:


ip access-list 1 deny 128.252.240.0 0.0.0.255

Third Octet:

Address 240  
Wildcard0    

Since all bits in the wildcard are 0, they must all match with the address,
so only one address will be included here = 240.


ip access-list 1 permit 128.252.240.0 0.0.15.255

Third Octet:

Address 240  
Wildcard15   

Here the first four bits in the wildcard are 0, so they must match. The last
four bits are 1, so they don't care. So, you will have from   thru
  or 240 to 255.


ip access-list 1 deny 128.252.0.0 0.0.255.255

Third Octet:

Address 0    
Wildcard255  

None of the wildcard bits are 0, so this whole value don't care. It can be
from 0 to 255.


ip access-list 1 permit any


What is important here, is that an access-list is read from the top and down
until a match is found, and THEN IT EXITS. So if it meets a match, it will
not check the rest of the list.

Let's try to run this list with 0 thru 255.

In the first line, 240 is denied. Now we have 0 thru 239 and 241 thru 255
left.

In the second line, 241 thru 255 is permitted. Now we have 0 thru 239 left.

In the third line, 0 thru 239 is denied. We have none left.

Hth,

Ole

~~~
 Ole Drews Jensen
 Systems Network Manager
 CCNA, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
~~~ 
 http://www.RouterChief.com
~~~
 NEED A JOB ???
 http://www.oledrews.com/job
~~~




-Original Message-
From: Farhan Ahmed [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 24, 2001 4:49 PM
To: 'Ole Drews Jensen'
Subject: RE: access list.. [7:13564]


pls say something abt how to get wild mask 4 access list


-Original Message-
From: Ole Drews Jensen [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 25, 2001 1:46 AM
To: [EMAIL PROTECTED]
Subject: RE: access list.. [7:13564]


Oops, I made an error - sorry.

It should be:

ip access-list 101 deny 128.252.240.0 0.0.0.255

ip access-list 101 permit 128.252.240.0 0.0.15.255

ip access-list 101 deny 128.252.0.0 0.0.255.255

ip access-list 101 permit any

Line 1 would block .240
Line 2 would allow .240 thru .255
Line 3 would block .0 thru .255
Line 4 would allow the rest

Hth,

Ole

~~~
 Ole Drews Jensen
 Systems Network Manager
 CCNA, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
~~~ 
 http://www.RouterChief.com
~~~
 NEED A JOB ???
 http://www.oledrews.com/job
~~~



-Original Message-
From: Ole Drews Jensen [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 24, 2001 4:33 PM
To: [EMAIL PROTECTED]
Subject: RE: access list.. [7:13564]


Wouldn't the right answer be this:

ip access-list 101 deny 128.252.240.0 0.0.0.255

ip access-list 101 permit 128.252.240.0 0.0.240.255

ip access-list 101 deny 128.252.0.0 0.0.255.255

ip access-list 101 permit any

Line 1 would block .240
Line 2 would allow .240 thru .255
Line 3 would block .0 thru .255
Line 4 would allow the rest

Hth,

Ole

~~~
 Ole Drews Jensen
 Systems Network Manager
 CCNA, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
~~~ 
 http://www.RouterChief.com
~~~
 NEED A JOB ???
 http://www.oledrews.com/job
~~~


-Original Message-
From: Ayers, Michael [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 24, 2001 4:06 PM
To: [EMAIL PROTECTED]
Subject: RE: access list.. [7:13564]


Only problem, your scenario should be to block all from 0 to 239 to make an
easy solution.




 -Original Message-
From:   Ayers, Michael  
Sent:   Tuesday, July 24, 2001 1:40 PM
To: 'Farhan Ahmed'; Ayers, Michael; [EMAIL PROTECTED]
Subject:RE: access list.. [7:13564]

0.0.15.255 =    

I only care what the first 20 bits are.  So 128.252 are 16 bits, we can
ignore them (they match visually).  The last octet is all 1, so we can
ignore that also don't care.

We also don't care what the last 4 bits are, so we do care what the first 4
are.  If we use 128.252.240.0,

we get 1000 1100  000 in binary.
We only want to focus on the 3rd octet .  

SO 
CARE  Don't Care  Decimal Number
                  240
      0001        241
      0010        242
      0011        243
      0100        244
      0101        245
      0110        246
      0111        247
      1000        248
      1001        249
      1010        250
      1011        251
      1100        252
      1101        253
      1110        254
                  255
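
Added example, not part of any post in this thread: a small Python model of wildcard-mask matching and first-match evaluation, run against the two four-line lists quoted in the message above (0.0.15.255 versus 0.0.240.255 on line 2). The function names and the host octet .1 used for probing are assumptions of the example.

```python
import ipaddress


def to_int(dotted):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(src, base, wildcard):
    """True when src equals base on every bit where the wildcard bit is 0.

    Wildcard 0 bits are "care" bits, 1 bits are "don't care" bits.
    """
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(src) & care) == (to_int(base) & care)


def evaluate(acl, src):
    """Return (action, line_number) of the first entry that matches src.

    Evaluation stops at the first match. If nothing matches, the
    implicit deny at the end of every access list applies.
    """
    for number, (action, base, wildcard) in enumerate(acl, start=1):
        if wildcard_match(src, base, wildcard):
            return action, number
    return "deny", None


def wildcard_from_netmask(netmask):
    """Invert a subnet mask: 255.255.240.0 -> 0.0.15.255."""
    return str(ipaddress.IPv4Address(to_int(netmask) ^ 0xFFFFFFFF))


ANY = ("0.0.0.0", "255.255.255.255")  # "any" written as address + wildcard

# List with wildcard 0.0.15.255 on line 2, as quoted in the thread.
CORRECTED = [
    ("deny",   "128.252.240.0", "0.0.0.255"),
    ("permit", "128.252.240.0", "0.0.15.255"),
    ("deny",   "128.252.0.0",   "0.0.255.255"),
    ("permit", *ANY),
]

# Earlier list with wildcard 0.0.240.255 on line 2, as quoted in the thread.
FIRST_ATTEMPT = [
    ("deny",   "128.252.240.0", "0.0.0.255"),
    ("permit", "128.252.240.0", "0.0.240.255"),
    ("deny",   "128.252.0.0",   "0.0.255.255"),
    ("permit", *ANY),
]


def permitted_third_octets(acl, host_octet=1):
    """Third-octet values X for which 128.252.X.<host_octet> is permitted."""
    return [x for x in range(256)
            if evaluate(acl, f"128.252.{x}.{host_octet}")[0] == "permit"]


if __name__ == "__main__":
    for name, acl in (("corrected", CORRECTED), ("first attempt", FIRST_ATTEMPT)):
        print(name, "permits third octets:", permitted_third_octets(acl))
    # Constructed probe addresses showing which line decides each packet.
    for src in ("128.252.240.7", "128.252.241.7", "128.252.100.7", "10.1.1.1"):
        print(src, "->", evaluate(CORRECTED, src))
```
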

RE: access list.. [7:13564]

2001-07-24 Thread Ole Drews Jensen

No, before it would have allowed .16 .32 .48 .64 .80 .96 .112 .128 .144 .160
.176 .192 .208 .224 also.

Hth,

Ole

~~~
 Ole Drews Jensen
 Systems Network Manager
 CCNA, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
~~~ 
 http://www.RouterChief.com
~~~
 NEED A JOB ???
 http://www.oledrews.com/job
~~~


-Original Message-
From: Farhan Ahmed [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 24, 2001 5:00 PM
To: [EMAIL PROTECTED]
Subject: RE: access list.. [7:13564]


i think b4 it was ok

-Original Message-
From: Ole Drews Jensen [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 25, 2001 1:46 AM
To: [EMAIL PROTECTED]
Subject: RE: access list.. [7:13564]


Oops, I made an error - sorry.

It should be:

ip access-list 101 deny 128.252.240.0 0.0.0.255

ip access-list 101 permit 128.252.240.0 0.0.15.255

ip access-list 101 deny 128.252.0.0 0.0.255.255

ip access-list 101 permit any

Line 1 would block .240
Line 2 would allow .240 thru .255
Line 3 would block .0 thru .255
Line 4 would allow the rest

Hth,

Ole

~~~
 Ole Drews Jensen
 Systems Network Manager
 CCNA, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
~~~ 
 http://www.RouterChief.com
~~~
 NEED A JOB ???
 http://www.oledrews.com/job
~~~



-Original Message-
From: Ole Drews Jensen [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 24, 2001 4:33 PM
To: [EMAIL PROTECTED]
Subject: RE: access list.. [7:13564]


Wouldn't the right answer be this:

ip access-list 101 deny 128.252.240.0 0.0.0.255

ip access-list 101 permit 128.252.240.0 0.0.240.255

ip access-list 101 deny 128.252.0.0 0.0.255.255

ip access-list 101 permit any

Line 1 would block .240
Line 2 would allow .240 thru .255
Line 3 would block .0 thru .255
Line 4 would allow the rest

Hth,

Ole

~~~
 Ole Drews Jensen
 Systems Network Manager
 CCNA, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
~~~ 
 http://www.RouterChief.com
~~~
 NEED A JOB ???
 http://www.oledrews.com/job
~~~


-Original Message-
From: Ayers, Michael [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 24, 2001 4:06 PM
To: [EMAIL PROTECTED]
Subject: RE: access list.. [7:13564]


Only problem, your scenario should be to block all from 0 to 239 to make an
easy solution.




 -Original Message-
From:   Ayers, Michael  
Sent:   Tuesday, July 24, 2001 1:40 PM
To: 'Farhan Ahmed'; Ayers, Michael; [EMAIL PROTECTED]
Subject:RE: access list.. [7:13564]

0.0.15.255 =    

I only care what the first 20 bits are.  So 128.252 are 16 bits, we can
ignore them (they match visually).  The last octet is all 1, so we can
ignore that also don't care.

We also don't care what the last 4 bits are, so we do care what the first 4
are.  If we use 128.252.240.0,

we get 1000 1100  000 in binary.
We only want to focus on the 3rd octet .  

SO 
CARE  Don't Care  Decimal Number
                  240
      0001        241
      0010        242
      0011        243
      0100        244
      0101        245
      0110        246
      0111        247
      1000        248
      1001        249
      1010        250
      1011        251
      1100        252
      1101        253
      1110        254
                  255

 -Original Message-
From:   Farhan Ahmed [mailto:[EMAIL PROTECTED]] 
Sent:   Tuesday, July 24, 2001 1:35 PM
To: 'Ayers, Michael'; [EMAIL PROTECTED]
Subject:RE: access list.. [7:13564]

should be 0.0.15.255
but how?

-Original Message-
From: Ayers, Michael [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 25, 2001 12:27 AM
To: [EMAIL PROTECTED]
Subject: RE: access list.. [7:13564]


Your statement (access-list 101 deny ip 128.252.0.0 0.0.255.255
128.252.240.0 0.0.255.255), will AND off the 240 part, and still block all
of the class b



Thank You,


Michael Ayers
Network Engineer
  OneNeck IT Services
(480) 539-2203
(800) 272-3077


 -Original Message-
From:   MikeN [mailto:[EMAIL PROTECTED]] 
Sent:   Tuesday, July 24, 2001 12:49 PM
To: [EMAIL PROTECTED]
Subject:Re: access list.. [7:13564]

Okay.. default masks meaning classful class B.
128.252.0.0 with a subnet mask of 255.255.0.0
 and
128.252.240.0  with a subnet mask of 255.255.0.0

On a router you would use the wildcard mask (inverse) of the subnet mask:

access-list 101 deny ip 128.252.0.0 0.0.255.255 128.252.240.0 0.0.255.255
access-list 101 permit ip any any
Then apply it to the interface with ip access-group 101 in or out depending