new access list problem [7:63715]

2003-02-25 Thread Jason Steig
Hello, I have networks 192.17.73.0 - 192.17.77.0.

Is there any way to deny these networks with one entry in an access list?


Such as deny 192.17.73.0 0.0.248.255?

Is this going to deny these networks?  It's also going to black hole several
other networks though.  Or does the list have to be

deny 192.17.73.0 0.0.7.255 ?

I thought zeros must match and ones are don't care.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=63715t=63715
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]


RE: new access list problem [7:63715]

2003-02-25 Thread Andrew Larkins
The first access-list will not work.
The second one will also deny networks 192.17.72.0 and 78.0 as well as 79.0.

You are correct that zeros must match and 1's are don't care, but you need to
understand the basics of subnetting. A 248.0 subnet mask means 8 Class C
subnets. You have to start at a valid network address, which in this case is
192.17.72.0.

Router(config)#access-list 11 deny 192.17.73.0 0.0.7.255
Router#sho access-list 11
Standard IP access list 11
deny   192.17.72.0, wildcard bits 0.0.7.255


Notice that it fixes your mistake for you.

Regards

Andrew
CCNP, CCDP, CSS1



Re: new access list problem [7:63715]

2003-02-25 Thread Robert Edmonds
Couldn't you just use the wildcard mask 0.0.4.255 to deny 192.17.73.0 -
192.17.77.0?  I used the Boson wildcard mask calculator to check this, and
it gave me those networks.



Re: new access list problem [7:63715]

2003-02-25 Thread Robert Edmonds
I replied earlier, but it didn't seem to come through.  Anyway, you should
use the wildcard mask 0.0.4.255.  That will match the addresses
192.17.73.0 - 192.172.77.255, which I think is what you want.  In case you
don't already have it, download Boson's free wildcard mask calculator at the
following link.

http://www.boson.com/promo/utilities/wildcard/wildcard.htm

Hope that helps.

Robert



Re: new access list problem [7:63715]

2003-02-25 Thread Priscilla Oppenheimer
I replied too and it wasn't posted. That is SO annoying. I'm tempted to
never post again.

Anyway, your answer is wrong because it doesn't catch 74, 75, and 76, and he
said he wanted a range.

You have to use 0.0.7.255, which has an unfortunate (but unavoidable) side
effect of catching 72, and 78 and 79.

Two other answers: 

1) Put it in binary. Don't use a wildcard mask calculator.
2) Summarize your addresses and you won't have these confusing messes.

Summarization is good for performance reasons as well as security. The last
thing you want is to have to spend hours arguing over an access list. You
want to get it working with little fuss and start implementing your security
policy ASAP.

Priscilla




Re: new access list problem [7:63715]

2003-02-25 Thread Priscilla Oppenheimer
Robert Edmonds wrote:

> Couldn't you just use the wildcard mask 0.0.4.255 to deny 192.17.73.0 -
> 192.17.77.0?  I used the Boson wildcard mask calculator to check this, and
> it gave me those networks.

If the mask is 0.0.4.255, it will deny 192.17.73.0 as well as 192.17.77.0.
However, it won't deny the networks in between.

Let's say you used access-list 11 deny 192.17.73.0 0.0.4.255

73 is 0100 1001
77 is 0100 1101

They differ in the 2^2 position, 4 in decimal. So that's where you'll want a
wildcard (don't-care) bit value in the mask, in other words 1. So the mask
for that part is 0100 in binary or 4 in decimal if you just want those
two networks.

If you use zeros (must match) for all the other bits, you won't get 74, 75,
or 76.

74 is 0100 1010
73 is 0100 1001
Notice that they don't match in the 2^0 or 1 position, but if you use 0 in
the mask in that position, they must match.

75 is 0100 1011
73 is 0100 1001
Notice that they don't match in the 2^1 or 2 position, but if you use 0 in
the mask in that position, they must match.

76 is 0100 1100
73 is 0100 1001
Notice that they don't match in the 2^2 or 2^0 positions, but if you use 0
in the mask in those positions, they must match.

So, 74, 75, and 76 fall through. If you don't explicitly accept them, then
they will be denied by the implicit deny all, but they aren't denied by your
deny 192.17.73.0 0.0.4.255 statement.

By now, I can't remember if you wanted to deny them or not!? But if you do,
just throw some ones in the correct position instead of zeros so those
networks match too. So use 0111 or 7.

deny 192.17.73.0 0.0.7.255 

Notice that this denies 72 too. That can't be helped. 

72 is 0100 1000
73 is 0100 1001

They match up to the last bit. But you have to say you don't care about that
bit in order to get 75!

So, in conclusion (finally) use this to deny 72-77:

deny 192.17.72.0 0.0.7.255 

Sorry for any typos! I can't decide if I should use reading glasses or not
with my new flat-screen monitor which has lots of blurry lines no matter
what I do. Seriously, that is my excuse.

That and hunger. Off to lunch!

Priscilla
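
As an added worked example (not code from the thread, from Cisco IOS, or from Boson's calculator), this Python script applies the zeros-must-match rule to the three masks proposed in the thread; it reproduces the IOS rewrite of 192.17.73.0 to 192.17.72.0 seen in Andrew's show output and Priscilla's binary comparison of the third octets. The function names, the per-/24 enumeration and the range helper are constructed for illustration; only the 192.17.x.0 values come from the thread.

```python
"""Wildcard-mask arithmetic for the ACL entries debated in this thread.
Added example (not from the thread, Cisco IOS, or Boson); the 192.17.x.0
values are the thread's own, everything else is constructed."""
from ipaddress import IPv4Address

MASK32 = 0xFFFFFFFF

def to_int(a: str) -> int:
    return int(IPv4Address(a))

def matches(entry_addr: str, wildcard: str, ip: str) -> bool:
    """Wildcard 0 bit = must match, 1 bit = don't care (the thread's rule)."""
    care = ~to_int(wildcard) & MASK32
    return (to_int(ip) & care) == (to_int(entry_addr) & care)

def normalize(entry_addr: str, wildcard: str) -> str:
    """Zero every don't-care bit of the entry address: the rewrite behind
    'deny 192.17.72.0, wildcard bits 0.0.7.255' in Andrew's show output."""
    return str(IPv4Address(to_int(entry_addr) & ~to_int(wildcard) & MASK32))

def caught_third_octets(entry_addr: str, wildcard: str) -> list[int]:
    """Which 192.17.X.0/24 networks does 'deny entry_addr wildcard' catch?
    Assumes a wildcard ending in .255, so each /24 is all-in or all-out."""
    return [x for x in range(256)
            if matches(entry_addr, wildcard, f"192.17.{x}.0")]

def differing_bits(a: int, b: int) -> str:
    """Priscilla's 'put it in binary' check on one octet: a 1 marks every
    bit position where the octets differ and so needs a wildcard 1."""
    return format(a ^ b, "08b")

def single_entry_for_range(lo: int, hi: int) -> tuple[str, str]:
    """Smallest one-line entry covering 192.17.lo.0 .. 192.17.hi.0. All bits
    at or below the highest differing bit become don't-care, so the entry
    can overshoot the range (72, 78 and 79 for 73-77, as the thread says)."""
    wildcard = (1 << (lo ^ hi).bit_length()) - 1
    return f"192.17.{lo & ~wildcard}.0", f"0.0.{wildcard}.255"

if __name__ == "__main__":
    for wc in ("0.0.248.255", "0.0.4.255", "0.0.7.255"):
        print(wc, "->", caught_third_octets("192.17.73.0", wc))
    print(differing_bits(73, 77), differing_bits(73, 74))
    print(normalize("192.17.73.0", "0.0.7.255"), single_entry_for_range(73, 77))
```

Running it shows that 0.0.248.255 catches 32 unrelated /24s (every third octet equal to 1 mod 8) and misses 74-77, 0.0.4.255 catches only 73 and 77, and 0.0.7.255 catches 72 through 79.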




 