
Extended access lists


Rubi (Technical User, NZ, joined Nov 24, 2003):
Please explain this access list, 0.0.0.1 255.255.255.254 outbound on an interface. I have general knowledge on access lists.
 
It means match anything except the very last binary bit (.254). In IOS the mask in an ACL is 'inverse' - i.e. if it's a binary '1' then it can be ignored. So, the first octet is masked with all 1s (255) so it can be ignored and therefore anything will match it, 0-255; same for the 2nd and 3rd octets. The last octet can be anything as long as the last bit is a binary 1, so basically any odd number:

00000001 - 1
00000011 - 3
00000101 - 5
00000111 - 7
00001001 - 9
00001011 - 11
~ ~
11111111 - 255

Can you show us the actual ACL and the maybe we can put it into context.

Andy
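The wildcard-mask rule Andy describes, worked through in Python as an added example (this is not code from the thread or from Cisco; the 192.0.2.0/28 test range is a constructed sample). It goes a little beyond the one case in the question: `wildcard_matches` applies the "1 bit = don't care" rule to any entry/wildcard pair, `as_prefix` shows that ordinary wildcards like 0.15.255.255 are just CIDR prefixes written inversely, and that 255.255.255.254 is not one, because its ones are not contiguous, so it selects a bit pattern (odd hosts) rather than a range.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _to_int(addr: str) -> int:
    """Dotted-quad IPv4 string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def wildcard_matches(entry: str, wildcard: str, candidate: str) -> bool:
    """IOS ACL wildcard (inverse-mask) test.

    A 1 bit in the wildcard means "don't care"; a 0 bit means the candidate's
    bit must equal the entry's bit.  The bits that must match are therefore
    the complement of the wildcard.
    """
    care = _to_int(wildcard) ^ ALL_ONES
    return (_to_int(entry) & care) == (_to_int(candidate) & care)


def as_prefix(entry: str, wildcard: str):
    """Return the equivalent CIDR block if the wildcard is contiguous
    (all its 1 bits at the low end, i.e. of the form 2**k - 1), else None.

    A non-contiguous wildcard such as 255.255.255.254 has no CIDR
    equivalent: it matches a bit pattern, not an address range.
    """
    w = _to_int(wildcard)
    if (w + 1) & w:                       # not of the form 2**k - 1
        return None
    prefixlen = 33 - (w + 1).bit_length()  # 32 minus the number of 1 bits
    return str(ipaddress.ip_network(f"{entry}/{prefixlen}", strict=False))


def matching_hosts(entry: str, wildcard: str, sample_net: str) -> list:
    """Every address in sample_net (a constructed test range, network and
    broadcast addresses included) that the entry/wildcard pair matches."""
    return [str(h) for h in ipaddress.ip_network(sample_net)
            if wildcard_matches(entry, wildcard, str(h))]


if __name__ == "__main__":
    # The entry from the question: only the last bit is a 'care' bit, and the
    # entry has it set, so every odd host address matches.
    print(as_prefix("0.0.0.1", "255.255.255.254"))
    print(matching_hosts("0.0.0.1", "255.255.255.254", "192.0.2.0/28"))
    # Ordinary contiguous wildcards map straight to CIDR prefixes.
    print(as_prefix("172.16.0.0", "0.15.255.255"))
```

Flipping the entry to 0.0.0.0 with the same wildcard selects the even addresses instead; the wildcard decides which bits are compared, the entry decides what value those bits must have.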
 
User ADB100 is right on the money. Any IP address with an odd number will be affected, whether this is a PERMIT or DENY acl.

A sample inbound ACL would be:

access-list 1 deny 10.0.0.0 0.255.255.255 log
access-list 1 deny 172.16.0.0 0.15.255.255 log
access-list 1 deny 192.168.0.0 0.0.255.255 log
access-list 1 deny 127.0.0.1 0.0.0.0 log
access-list 1 deny 10.1.10.1 [your IP address] 255.255.255.0 [your subnet mask] log
access-list 1 permit 0.0.0.0 255.255.255.255 log

In this example, entries 1, 2, and 3 deny the non-routable (private) IP addresses for each network class as defined by RFC 1597.

Let's look at how the entries differ and what they specifically deny or permit:

· Entry 1—"access-list 1 deny 10.0.0.0 0.255.255.255 log"—is a deny statement for packets with an originating address of 10.0.0.0 to 10.255.255.255. Rather than having to make 16 million entries to block each Class A IP address, use the mask 0.255.255.255. This tells the router to match the first octet of 10 and disregard the other three octets.

· Entry 2—"access-list 1 deny 172.16.0.0 0.15.255.255 log"— is a deny statement for packets with an originating address of 172.16.0.0 to 172.31.255.255. Once again, rather than make 1 million entries to block each Class B IP address, use the mask 0.15.255.255. This tells the router to match the first octet of 172 and to match the second octet of 16 with a range of 15 additional networks and to disregard the third and fourth octet.

· Entry 3—"access-list 1 deny 192.168.0.0 0.0.255.255 log"— is a deny statement for packets with an originating address of 192.168.0.0 to 192.168.255.255. Instead of making 65,000 entries to block each Class C IP address, use the mask 0.0.255.255. The router will match the first two octets exactly and disregard the last two octets.

· Entry 4—"access-list 1 deny 127.0.0.1 0.0.0.0 log"— is a deny statement for packets with an originating address of 127.0.0.1, which is the hardware loop-back address of any Ethernet adapter. You could leave off the mask because a Standard IP ACL assumes a mask of 0.0.0.0 if none is specified.

· Entry 5—"access-list 1 deny 10.1.10.1 [your IP address] 255.255.255.0 [your subnet mask] log" — will deny anyone from externally spoofing your network.

· Entry 6 — "access-list 1 permit 0.0.0.0 255.255.255.255 log"—is a permit entry to allow packets that were not previously rejected to enter your network.
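The anti-spoofing list above, run through a small standard-ACL evaluator in Python as an added example (not code from the post or from Cisco IOS). It assumes 198.51.100.0/24 (a documentation range) as "your network", and it writes entry 5 with the wildcard 0.0.0.255 rather than the subnet mask 255.255.255.0: in an ACL the mask field is the inverse of the subnet mask, so pasting the subnet mask in makes the router ignore the first three octets and compare only the last one. The second list pastes the subnet mask in anyway, so the evaluator can show what that does: the spoofed internal address sails through and an unrelated external host whose address ends in .1 is blocked instead. It also denies the whole 127.0.0.0/8 loopback block rather than the single host, and uses the RFC 1918 ranges (RFC 1918 replaced RFC 1597). The `evaluate` function applies the first-match rule and the implicit deny at the end of every list.

```python
import ipaddress
from dataclasses import dataclass

ALL_ONES = 0xFFFFFFFF


@dataclass
class Ace:
    """One entry of a standard numbered IOS access list (source address only)."""
    number: int
    action: str      # "permit" or "deny"
    entry: int       # the address field, as an integer
    care: int        # bits that must match: the inverse of the wildcard mask
    log: bool
    text: str        # the original line, so a result can say which entry matched


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def parse_ace(line: str):
    """Parse 'access-list N permit|deny <src> [wildcard] [log]'.
    Also accepts 'host A' and 'any'; returns None for blank and '!' comment lines."""
    toks = line.split()
    if not toks or toks[0].startswith("!"):
        return None
    if toks[0] != "access-list" or toks[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported line: {line!r}")
    number, action, rest = int(toks[1]), toks[2], toks[3:]
    log = bool(rest) and rest[-1] == "log"
    if log:
        rest = rest[:-1]
    if rest[0] == "any":
        entry, wild = 0, ALL_ONES
    elif rest[0] == "host":
        entry, wild = _ip(rest[1]), 0
    else:
        entry = _ip(rest[0])
        wild = _ip(rest[1]) if len(rest) > 1 else 0   # standard ACL default wildcard 0.0.0.0
    return Ace(number, action, entry, wild ^ ALL_ONES, log, line.strip())


def parse_acl(text: str) -> list:
    return [a for a in (parse_ace(l) for l in text.splitlines()) if a is not None]


def evaluate(aces: list, src: str):
    """First matching entry wins; a source that matches nothing hits the implicit deny."""
    s = _ip(src)
    for ace in aces:
        if (s & ace.care) == (ace.entry & ace.care):
            return ace.action, ace.text
    return "deny", "implicit deny at end of list"


# Constructed example list.  198.51.100.0/24 stands in for "your network".
INBOUND_ACL = """
access-list 1 deny 10.0.0.0 0.255.255.255 log
access-list 1 deny 172.16.0.0 0.15.255.255 log
access-list 1 deny 192.168.0.0 0.0.255.255 log
access-list 1 deny 127.0.0.0 0.255.255.255 log
access-list 1 deny 198.51.100.0 0.0.0.255 log
access-list 1 permit any log
"""

# The same list with the subnet mask 255.255.255.0 pasted in where the
# wildcard belongs.  As a wildcard, 255.255.255.0 means "ignore the first
# three octets, compare only the last", so entry 5 no longer describes
# the network at all.
WRONG_MASK_ACL = INBOUND_ACL.replace(
    "deny 198.51.100.0 0.0.0.255", "deny 198.51.100.1 255.255.255.0")


if __name__ == "__main__":
    good, bad = parse_acl(INBOUND_ACL), parse_acl(WRONG_MASK_ACL)
    for src in ("198.51.100.55", "203.0.113.1", "10.1.2.3", "172.32.0.1"):
        print(f"{src:>14}  correct wildcard: {evaluate(good, src)[0]:<6}  "
              f"subnet mask as wildcard: {evaluate(bad, src)[0]}")
```

Two practitioner notes on the constructed list: a standard ACL only looks at the source address, so it belongs on the outside interface inbound, where a source inside your own range can only be spoofed; and `log` on the final `permit any` logs every accepted packet, which is usually far more than a router should be asked to write.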


 
Hi
Thank you to both ADB100 and PAPA4, this solves my misunderstanding of the issue perfectly.

Cheers

Rubi
 