Saturday, March 28, 2009
2.1.15 Access-list wildcard masks versus network masks
------------------------------------------------------
In general, for a network written as a.b.c.d/n, the access-list wildcard mask that matches
all addresses in that network has 1s in the 32-n rightmost bits and 0s in the leftmost n bits.
For the network 192.168.32.0/16, the acl wildcard mask that matches all addresses is
0.0.0.63
In short: wildcard mask = 255.255.255.255 - subnet mask
2.1.6 The implicit wildcard mask
--------------------------------
0.0.0.0 255.255.255.255
Since every bit in this mask is 1, any ip address on any network is matched
access-list 1 permit 192.168.30.1
access-list 1 permit 192.168.33.5
When no wildcard mask is given, the implicit wildcard mask is 0.0.0.0. A 0 in a bit position means the address must match exactly in that bit position, so the two lines above are equivalent to
access-list 1 permit 192.168.30.1 0.0.0.0
access-list 1 permit 192.168.33.5 0.0.0.0
2.1.7 Sequential processing in access-list
------------------------------------------
access-list 4 permit 192.168.30.0 0.0.0.255
access-list 4 deny 192.168.30.70
does not deny 192.168.30.70, because the permit statement is encountered first and matches the host
access-list 4 deny 192.168.30.70
access-list 4 permit 192.168.30.0 0.0.0.255
is the correct order to deny that host
2.1.8 Standard access-list and packet filtering
-----------------------------------------------
Standard access-lists are used to control packets flowing through a router. Network admins use
standard acls in this fashion when certain hosts need total access to hosts on a particular
subnet
To deny the entire subnet 172.28.38.0
To permit 172.28.38.1
To permit 192.168.30.1
To permit 172.28.0.0
! list number 6 matches the ip access-group below; host permits come before the subnet deny
access-list 6 permit 192.168.30.1
access-list 6 permit 172.28.38.1
access-list 6 deny 172.28.38.0 0.0.0.255
access-list 6 permit 172.28.0.0 0.0.255.255
To assign it to an interface :
int fa0/0
ip access-group 6 out
2.1.9 Standard access-list generic format
-----------------------------------------
access-list [list-number] [permit|deny] [source ip addr] [wildcard mask (optional, defaults to 0.0.0.0)]
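The following Python script is an added example, not part of the original notes or of Cisco IOS. It puts the rules of 2.1.15 (wildcard = 255.255.255.255 - subnet mask), 2.1.6 (implicit 0.0.0.0 mask), 2.1.7 (first match wins) and 2.1.9 (entry format) into code: it parses standard access-list lines in the format above and evaluates them top to bottom against a source address, using the two orderings from 2.1.7 and the four requirements from 2.1.8 as constructed input. Applied to the /16 in 2.1.15 the rule gives 0.0.255.255; 0.0.0.63 is the wildcard for a /26. The function names, the `any` and `host` keywords and the `!` comment convention are IOS features assumed here for completeness; the implicit `deny any` at the end of every IOS access-list is known IOS behaviour that the notes do not state.

```python
import ipaddress


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard mask for an a.b.c.d/prefix_len network.

    Implements the rule of 2.1.15: 255.255.255.255 minus the subnet mask,
    which leaves 0 in the leftmost prefix_len bits and 1 in the remaining ones.
    """
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    subnet_mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(0xFFFFFFFF - subnet_mask))


def wildcard_match(addr: str, base: str, wildcard: str = "0.0.0.0") -> bool:
    """True when addr equals base in every bit position where the wildcard bit is 0.

    The default 0.0.0.0 is the implicit wildcard of 2.1.6: every bit must match.
    """
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))  # bits that must match exactly
    return (a & care) == (b & care)


def parse_acl(text: str) -> list:
    """Parse standard access-list lines in the 2.1.9 format:
    access-list <number> permit|deny <address> [<wildcard>]
    Also accepts the IOS keywords 'any' and 'host <address>' (assumed here).
    Lines starting with '!' are treated as comments, as in an IOS configuration.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
            raise ValueError(f"not a standard access-list entry: {line!r}")
        number, action = parts[1], parts[2]
        if parts[3] == "any":
            base, wildcard = "0.0.0.0", "255.255.255.255"
        elif parts[3] == "host" and len(parts) > 4:
            base, wildcard = parts[4], "0.0.0.0"
        else:
            base = parts[3]
            wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"  # implicit mask (2.1.6)
        entries.append((number, action, base, wildcard))
    return entries


def evaluate(entries: list, addr: str) -> str:
    """Apply the list top to bottom; the first matching entry decides (2.1.7).

    Every IOS access-list ends with an implicit 'deny any', so an address that
    matches no entry is denied.
    """
    for _number, action, base, wildcard in entries:
        if wildcard_match(addr, base, wildcard):
            return action
    return "deny"


# Constructed input: the two orderings shown in 2.1.7.
ACL_WRONG_ORDER = """\
access-list 4 permit 192.168.30.0 0.0.0.255
access-list 4 deny 192.168.30.70
"""
ACL_RIGHT_ORDER = """\
access-list 4 deny 192.168.30.70
access-list 4 permit 192.168.30.0 0.0.0.255
"""

# Constructed input: access-list 6 built from the four requirements of 2.1.8.
ACL_6 = """\
! permit the two specific hosts before denying the 172.28.38.0/24 subnet
access-list 6 permit 172.28.38.1
access-list 6 permit 192.168.30.1
access-list 6 deny 172.28.38.0 0.0.0.255
access-list 6 permit 172.28.0.0 0.0.255.255
"""

if __name__ == "__main__":
    print("/16 ->", wildcard_from_prefix(16), " /26 ->", wildcard_from_prefix(26))
    for name, acl in (("wrong order", ACL_WRONG_ORDER), ("right order", ACL_RIGHT_ORDER)):
        print(name, "-> 192.168.30.70 is", evaluate(parse_acl(acl), "192.168.30.70"))
    for host in ("172.28.38.1", "172.28.38.9", "172.28.40.3", "192.168.30.1", "192.168.30.2"):
        print("access-list 6:", host, "->", evaluate(parse_acl(ACL_6), host))
```

Running it shows that the "wrong order" list permits 192.168.30.70 while the "right order" list denies it, and that in access-list 6 the host 172.28.38.1 is permitted by its own entry before the subnet deny, 172.28.38.9 is caught by that deny, 172.28.40.3 falls through to the 172.28.0.0 0.0.255.255 permit, and 192.168.30.2 matches nothing and is dropped by the implicit deny.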