From: Scott Morris (swm@emanon.com)
Date: Fri Feb 06 2004 - 13:36:07 GMT-3
You're correct in your net/mask now. However, what's the point of
summarizing something? To keep your configuration tight while NOT letting
more things in or blocking more than necessary.
If you are just doing it to exercise your binary skills, why not do it in
one mask? Whether you're blocking 4 + 256 entries or 16,384 entries, the
point is that you are working on FAR more than the four entries given to
you.
If you MUST do this in two statements, then the two given are as tight as
you can get. Typically you'll find something worded "in as few lines as
possible", in which case the answer would be four individual lines.
Just because we can do cool things with binary does not necessarily make it
right. :)
Scott
-----Original Message-----
From: pbubienczyk@szczesliwice.pl [mailto:pbubienczyk@szczesliwice.pl]
Sent: Friday, February 06, 2004 11:13 AM
To: Scott Morris
Cc: richardyun@adelphia.net; ccielab@groupstudy.com
Subject: RE: Access List
Scott
access-list will match 16384 networks if we'll write it in just one
statement 104.0.0.0 23.59.55.0 (and between this 16384 there will be this 4
mentioned below)
why 121.10.17.0 & 122.35.35.0 can't be summarized - in my opinion they can
be - it will produce 256 matching networks - you're right net should be
120.2.1.0 (instead 112.2.1.0) and wildcard mask 3.41.50.0
the 2nd and 4th also can be summarized - and this summarization will produce
4 networks matching this ACL
please - correct me if I'm wrong
thank you for your help - pb
Quoting Scott Morris <swm@emanon.com>:
> Is overlapping 16,384 networks much better than overlapping 256
> networks???
> (3 = 2 bits, 41 = 3 bits, 50 = 3 bits --> 8 bits total)
>
> 121.10.17.0
> 122.35.35.0
>
> Those two do not summarize together. But you have your mask/network
> wrong anyway...
>
> Even the nicely paired 2nd and 4th there still has 2 bits of
> difference total, meaning you'll get 4 matches to your mask!
> (111.16, 111.24, 127.16, 127.24)
>
> Either way though, you're hosed on those. But you're correct with
> your first statement... They can't be done in two lines!
>
> HTH,
>
>
> Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713,
> CISSP, JNCIS, et al.
> IPExpert CCIE Program Manager
> IPExpert Sr. Technical Instructor
> swm@emanon.com/smorris@ipexpert.net
> http://www.ipexpert.net
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> Of pbubienczyk@szczesliwice.pl
> Sent: Friday, February 06, 2004 4:47 AM
> To: richardyun@adelphia.net
> Cc: ccielab@groupstudy.com
> Subject: Re: Access List
>
> Hello
> There is no way to block ONLY this networks with 2 access-lists
> statements.
> With overlapping networks you could write your access-list with one
> line (but it'll overlap 16384 networks) :
> permit 104.0.0.0 23.59.55.0 - if my manual calculations are correct :)
> or with two (summarizing 1st add with 3rd and 2nd with 4th) :
> permit 112.2.1.0 3.41.50.0
> permit 111.16.6.0 16.8.0.0
>
> there is a nice access-list white paper on internetworkexpert site
>
> hth - pb
>
> Quoting richardyun@adelphia.net:
>
> > Hello,
> >
> > How can I block the following networks from going out of particular
> > interface
> >
> > (say serial 1 on a router) using just two lines for access-list ?
> >
> > 121.10.17.0
> > 127.24.6.0
> > 122.35.35.0
> > 111.16.6.0
> >
> > Thanks,
> >
> > Richard
> >
> > ______________________________________________________________________
> > Please help support GroupStudy by purchasing your study materials from:
> > http://shop.groupstudy.com
> >
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
This archive was generated by hypermail 2.1.4 : Fri Mar 05 2004 - 07:13:47 GMT-3
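
The wildcard-mask arithmetic debated in this thread, as an added example that is not part of any of the original messages: it derives the tightest single base/wildcard pair for a set of networks and counts how many entries that pair really matches. The function names `summarize` and `matches` are hypothetical, and match counts are taken as 2 to the number of wildcard bits, the way the thread counts them.

```python
import ipaddress
from functools import reduce

# The four networks from the original question in this thread.
NETS = ["121.10.17.0", "127.24.6.0", "122.35.35.0", "111.16.6.0"]

def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def summarize(nets):
    """Tightest single base/wildcard pair covering every entry in nets.

    Returns (base, wildcard, match_count). Any bit that differs between
    two entries must become a "don't care" bit, so the pair matches
    2**(number of wildcard bits) entries, not just the ones listed.
    """
    vals = [_to_int(n) for n in nets]
    all_and = reduce(lambda a, b: a & b, vals)   # bits set in every entry
    all_or = reduce(lambda a, b: a | b, vals)    # bits set in any entry
    wildcard = all_and ^ all_or                  # bits that differ somewhere
    count = 2 ** bin(wildcard).count("1")
    return (str(ipaddress.IPv4Address(all_and)),
            str(ipaddress.IPv4Address(wildcard)),
            count)

def matches(addr, base, wildcard):
    """True if addr is matched by an ACL line 'base wildcard'."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF       # bits the ACL compares
    return (_to_int(addr) & care) == (_to_int(base) & care)

if __name__ == "__main__":
    groups = {
        "one line": NETS,
        "1st + 3rd": [NETS[0], NETS[2]],
        "2nd + 4th": [NETS[1], NETS[3]],
    }
    for label, nets in groups.items():
        base, wc, count = summarize(nets)
        extra = count - len(nets)
        print(f"{label:10} {base} {wc}  matches {count} ({extra} unintended)")
    # An entry nobody asked to match, caught by the 2nd + 4th pairing:
    print(matches("111.24.6.0", "111.16.6.0", "16.8.0.0"))
```

The unintended count is the over-match Scott describes: every extra wildcard bit doubles the number of entries the line filters.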