Saturday, March 28, 2009

2.1.15 Access-list wildcard masks versus network masks
------------------------------------------------------

Generally, for a network written as a.b.c.d/n, the access-list wildcard mask that matches
all addresses in the network has 1s in the 32-n rightmost bits and 0s in the leftmost n bits.

For the network 192.168.32.0/16, the ACL wildcard mask that matches all addresses is
0.0.0.63

Stated more briefly: 255.255.255.255 - subnet mask = wildcard mask

2.1.6 The implicit wildcard mask
--------------------------------

0.0.0.0 255.255.255.255

Since every bit of this mask is 1, any IP address on any network will be matched.

access-list 1 permit 192.168.30.1
access-list 1 permit 192.168.33.5

A 0 in a bit position indicates that the address must match exactly in that bit position. When the wildcard mask is omitted, the implicit mask 0.0.0.0 is used, so the two entries above are equivalent to:

access-list 1 permit 192.168.30.1 0.0.0.0
access-list 1 permit 192.168.33.5 0.0.0.0

2.1.7 Sequential processing in access-list
------------------------------------------

access-list 4 permit 192.168.30.0 0.0.0.255
access-list 4 deny 192.168.30.70

will not deny 192.168.30.70, because the permit statement is encountered first.

access-list 4 deny 192.168.30.70
access-list 4 permit 192.168.30.0 0.0.0.255

is the correct way to deny the host

2.1.8 Standard access-list and packet filtering
-----------------------------------------------

Standard access-lists are used to control packets flowing through a router. Network admins use
standard ACLs in this fashion when certain hosts need full access to hosts on a particular
subnet. For example, the requirements may be:

To deny the entire subnet 172.28.38.0
To permit 172.28.38.1
To permit 192.168.30.1
To permit 172.28.0.0

! List number 6 is the one applied on the interface below.
! The two host entries rely on the implicit 0.0.0.0 wildcard mask.
access-list 6 permit 192.168.30.1
access-list 6 permit 172.28.38.1
! The host 172.28.38.1 is permitted before its subnet is denied.
access-list 6 deny 172.28.38.0 0.0.0.255
access-list 6 permit 172.28.0.0 0.0.255.255


To assign it to an interface:

int fa0/0
ip access-group 6 out

2.1.9 Standard access-list generic format
-----------------------------------------

access-list [list-number] [permit|deny] [ip-address] [wildcard-mask (optional)]
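As an added illustration (not part of these notes), the Python below computes a wildcard mask from a prefix length with the 255.255.255.255 minus subnet-mask rule, then evaluates a standard ACL sequentially with the implicit 0.0.0.0 wildcard and the implicit deny at the end. The ACL entries come from sections 2.1.7 and 2.1.8 above; the list number 6 (taken from the access-group line) and the sample hosts are assumptions.

```python
import ipaddress

def wildcard_from_prefix(prefix_len):
    """Wildcard for a.b.c.d/prefix_len: 255.255.255.255 minus the subnet mask,
    i.e. 0 in the leftmost prefix_len bits and 1 in the remaining bits."""
    net_mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(0xFFFFFFFF - net_mask))

def matches(ip, addr, wildcard):
    """Wildcard semantics: a 0 bit must match exactly, a 1 bit is ignored."""
    ip_i, addr_i, wc_i = (int(ipaddress.IPv4Address(x)) for x in (ip, addr, wildcard))
    return (ip_i ^ addr_i) & ~wc_i == 0

def parse_acl(lines):
    """Parse 'access-list <n> permit|deny <addr> [wildcard]' entries in order.
    An omitted wildcard is the implicit 0.0.0.0 (exact host match)."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue  # skip '!' comments and blank lines
        wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"
        entries.append((parts[2], parts[3], wildcard))
    return entries

def evaluate(entries, ip):
    """Sequential first-match evaluation; no match means the implicit deny."""
    for action, addr, wildcard in entries:
        if matches(ip, addr, wildcard):
            return action
    return "deny"

# The two orderings from 2.1.7.
PERMIT_FIRST = ["access-list 4 permit 192.168.30.0 0.0.0.255",
                "access-list 4 deny 192.168.30.70"]
DENY_FIRST = list(reversed(PERMIT_FIRST))

# ACL 6 written from the four requirements in 2.1.8 (list number assumed from
# 'ip access-group 6 out'; the host entries use the implicit wildcard).
ACL_6 = ["access-list 6 permit 192.168.30.1",
         "access-list 6 permit 172.28.38.1",
         "access-list 6 deny 172.28.38.0 0.0.0.255",
         "access-list 6 permit 172.28.0.0 0.0.255.255"]

if __name__ == "__main__":
    print(wildcard_from_prefix(16), wildcard_from_prefix(26))
    print(evaluate(parse_acl(PERMIT_FIRST), "192.168.30.70"))  # permit: order matters
    print(evaluate(parse_acl(DENY_FIRST), "192.168.30.70"))    # deny
    for host in ("172.28.38.1", "172.28.38.9", "172.28.1.1", "192.168.30.1", "10.0.0.1"):
        print(host, evaluate(parse_acl(ACL_6), host))
```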
