From: Scott Vermillion (scott_ccie_list@it-ag.com)
Date: Sat Dec 08 2007 - 01:29:19 ART
In reviewing my second config, I see that I neglected to mention one small
but hopefully fairly obvious detail. Since we have entered decimal "16" into
the fourth octet of the network portion of our ACE, that bit position is
obviously also an "I care" bit (or we wouldn't have typed "16" to begin
with, LOL) and thus likewise set to zero along with 128, 64, 32, and 0.
It also occurred to me over dinner (please do NOT tell the wife that I was
thinking binary math while she was talking about....well...what she was
talking about) that this could actually be accomplished with just a single
ACE (I think):
ip access-list extended PERMIT_ODD
 permit ip 192.168.15.17 0.0.0.14 any
 (implicit deny any any)
-----Original Message-----
From: Darby Weaver [mailto:darbyweaver@yahoo.com]
Sent: Friday, December 07, 2007 9:07 PM
To: Scott Vermillion; ccielab@groupstudy.com; cisco@groupstudy.com
Subject: RE: ACL Question - Can you fix it?
Restricting the range is the correct answer.
So your second answer is on the money.
The first answer would be good if we said deny all even addresses.
--- Scott Vermillion <scott_ccie_list@it-ag.com> wrote:
> Is the task that we're only supposed to encompass the hosts in the range of 16 -> 32? To do this generically without that restriction, it would be:
>
> ip access-list extended DENY_EVEN
> deny ip 192.168.15.0 0.0.0.254 any
> permit ip any any
>
>
> To restrict to just that range, it would be:
>
>
> ip access-list extended DENY_EVEN
> deny ip 192.168.15.16 0.0.0.14 any
> permit ip any any
>
> Right? The logic here being that in order for an address to be even, the right-most bit must be set to zero. Then you figure out the rest as follows (I'm sure there are a hundred processes to get to this - this would be mine on a sheet of paper):
>
> 0 0 0 0 1 1 1 0
> _ _ _ _ _ _ _ _
>
> I've set to zero the bits that would take us outside of this range. Obviously, if we're dealing with a range that's less than 32, it must be the case that the binary 32 position and everything to the left of it must be zero. So these are "I care" bits. I write these down as "0" over my little placeholders. Binary positions 2, 4, and 8 (meaning second, third, and fourth from right) can all be set to any value within this range, so they are "don't care" bits. These are obviously recorded as a "1" over my placeholders. Again, the binary 1 position must be set to zero in order for the address to be even. Then you just do basic binary math to come up with the decimal number 14.
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Darby Weaver
> Sent: Friday, December 07, 2007 5:53 PM
> To: ccielab@groupstudy.com; cisco@groupstudy.com
> Subject: ACL Question - Can you fix it?
>
> Access Lists.
>
> Assume that the 192.168.15.16/28 network has a collection of Linux and Windows PCs on it. The addressing scheme is such that the Linux PCs have the addresses
>
> 192.168.15.17
> 192.168.15.19
> 192.168.15.21
>
> and so on through to 192.168.15.29 (odds) while the Windows PCs have the addresses
>
> 192.168.15.18
> 192.168.15.20
> 192.168.15.22
>
> and so on through to 192.168.15.30 (even).
>
> All the PCs connect to the core network via a router on the same subnet.
>
> One day all the Windows PCs get infected by a virus and start sourcing large amounts of network traffic. Your task is to create an access list to be used on the router for the subnet which drops all network traffic from the Windows PCs while allowing traffic from the Linux PCs.
>
> Can you create an ACL with just two access list entries that will match traffic sourced from all the Windows PCs and drop them while allowing all other traffic?
>
>
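As an added example (not part of the thread), a small Python script that checks the wildcard-mask arithmetic discussed above: it lists which addresses in a subnet an ACE matches, and derives a base/wildcard pair from a list of addresses using the same "I care"/"don't care" bit method, flagging when the resulting ACE also matches addresses that were not in the list (for the Windows set .18-.30 it also covers the .16 network address; for the Linux set .17-.29 it also covers the .31 broadcast). The function names are my own.

```python
import ipaddress
from typing import List, Tuple

def ace_matches(addr: str, base: str, wildcard: str) -> bool:
    """True if addr is matched by the ACE 'base wildcard'.
    A 0 bit in the wildcard is an 'I care' bit that must equal the base;
    a 1 bit is a 'don't care' bit."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

def matching_hosts(network: str, base: str, wildcard: str) -> List[str]:
    """Every address in network (network and broadcast included) that the ACE matches."""
    return [str(h) for h in ipaddress.IPv4Network(network)
            if ace_matches(str(h), base, wildcard)]

def derive_ace(addrs: List[str]) -> Tuple[str, str, bool]:
    """Derive (base, wildcard, exact) for a list of addresses.
    Any bit position where two addresses differ becomes a 'don't care' (1)
    bit; positions where all agree stay 'I care' (0).  exact is False when
    the ACE also matches addresses that were not in the list."""
    ints = [int(ipaddress.IPv4Address(a)) for a in addrs]
    wildcard = 0
    for x in ints[1:]:
        wildcard |= ints[0] ^ x
    base = ints[0] & ~wildcard & 0xFFFFFFFF
    # an ACE matches exactly 2^(number of don't-care bits) addresses
    exact = len(set(ints)) == 2 ** bin(wildcard).count("1")
    return (str(ipaddress.IPv4Address(base)),
            str(ipaddress.IPv4Address(wildcard)), exact)

if __name__ == "__main__":
    # constructed from the question: even hosts are Windows, odd hosts are Linux
    windows = [f"192.168.15.{i}" for i in range(18, 31, 2)]
    linux = [f"192.168.15.{i}" for i in range(17, 30, 2)]
    print("Windows ACE:", derive_ace(windows))  # base .16, wildcard 0.0.0.14, not exact
    print("Linux ACE:  ", derive_ace(linux))    # base .17, wildcard 0.0.0.14, not exact
    print("deny 192.168.15.16 0.0.0.14 matches:",
          matching_hosts("192.168.15.16/28", "192.168.15.16", "0.0.0.14"))
```

The extra addresses the two ACEs pick up (.16 and .31) are the network and broadcast addresses, which no PC sources traffic from, so for this task the ACEs behave as intended.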
This archive was generated by hypermail 2.1.4 : Tue Jan 01 2008 - 12:04:29 ARST