09-17-2011 03:27 PM - edited 03-07-2019 02:17 AM
So I have a question.
Condition:
Requirement:
This is what I have done but it doesn't work.
router 1 fa 0/0 192.168.10.2
ip route 0.0.0.0 0.0.0.0 192.168.10.1
loopback 1 10.1.1.1 255.255.255.0
loopback 2 10.1.5.1 255.255.255.0
loopback 3 10.1.10.1 255.255.255.0
loopback 4 10.1.30.1 255.255.255.0
loopback 5 10.1.50.1 255.255.255.0
loopback 6 10.1.70.1 255.255.255.0
loopback 7 10.1.100.1 255.255.255.0
access-list 101 permit ip 10.1.0.0 0.0.7.255 192.168.10.0 0.0.0.15
access-list 101 permit ip 10.1.8.0 0.0.1.255 192.168.10.0 0.0.0.15
access-list 101 permit ip 10.1.11.0 0.0.5.255 192.168.10.0 0.0.0.15
access-list 101 permit ip 10.1.16.0 0.0.15.255 192.168.10.0 0.0.0.15
access-list 101 permit ip 10.1.32.0 0.0.31.255 192.168.10.0 0.0.0.15
access-list 101 permit ip 10.1.64.0 0.0.63.255 192.168.10.0 0.0.0.15
access-list 101 permit ip 10.1.128.0 0.0.127.255 192.168.10.0 0.0.0.15
ip access-group 101 out on fa 0/0 on router 1
router 2 fa 0/0 192.168.10.1
ip route 0.0.0.0 0.0.0.0 192.168.10.2
This isn't working. 10.1.10.1 can still get through. What am I doing wrong? Any help would be appreciated.
Thanks
09-17-2011 09:40 PM
CCIE lab question?
09-18-2011 06:26 AM
The problem line in your acl is -
access-list 101 permit ip 10.1.11.0 0.0.5.255 192.168.10.0 0.0.0.15
you cannot simply use a .5 as the 3rd octet to simply get to 10.1.16.0. You need to modify the acl -
access-list 101 permit ip 10.1.11.0 0.0.0.255 192.168.10.0 0.0.0.15
access-list 101 permit ip 10.1.12.0 0.0.3.255 192.168.10.0 0.0.0.15
Edit - whether this is the shortest acl possible I don't know without doing some binary and I'm a bit rusty, but if I get the time I'll have a look.
Jon
09-18-2011 07:42 AM
Jon,
Thanks for the reply. I am still unclear why I have to break out the wildcard mask this way: 8 16 32 64 128. Can you explain it to me or point me in the direction of where I can get a clear explanation? Why not 2 4 8 16 32 64 128 or 128 192 224 240 248 252 255?
Thanks
Will
09-18-2011 08:02 AM
Will
You don't have to break it out that way necessarily. For example see this link for some complex wildcard mask examples -
http://blog.ine.com/2007/12/26/q-how-do-i-compute-complex-wildcard-masks-for-access-lists/
as you can see each octet in the wildcard mask can be very different values.
The wildcards you see most often are simply inverse subnet masks ie.
255.255.240.0 becomes 0.0.15.255 etc., but as the above examples show they don't have to be. But even so you cannot simply say to get to 16 from 11 it is 5, therefore I will use that in the wildcard mask, because the router will not interpret that in the way you want.
As your acl was using inverse subnet masks, if you see what I mean, then I simply pointed out that there is no equivalent subnet mask to match 0.0.5.255 and therefore you needed to break it down differently.
But you really do need to use binary with more complex wildcard masks. Have a look at this thread and if you have any more questions then feel free to ask -
https://supportforums.cisco.com/message/624267#624267
Jon
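Worked example, added here and not part of Jon's or Will's posts: a few lines of Python that apply the router's actual matching rule (a 0 bit in the wildcard must equal the base, a 1 bit is ignored) to ACL 101 exactly as posted and then to Jon's corrected version. It assumes, from the last sentence of the first post, that 10.1.10.0/24 is the network that was supposed to fall through to the implicit deny. The destination half of each entry is left out because every line uses the same 192.168.10.0 0.0.0.15.

```python
import ipaddress


def to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def matches(addr, base, wildcard):
    """Cisco ACL rule: a 1 bit in the wildcard is 'don't care'; a 0 bit must
    equal the corresponding bit of the base. Only those 'care' bits are
    compared. The wildcard is never read as a count or a distance."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)


def third_octets(base, wildcard):
    """Third-octet values X for which a host 10.1.X.1 matches the entry."""
    return [x for x in range(256) if matches("10.1.%d.1" % x, base, wildcard)]


def checked_bits(base_octet, wc_octet):
    """One octet in binary, with '^' under every bit the router compares."""
    return (format(base_octet, "08b"),
            format(wc_octet, "08b"),
            "".join("." if (wc_octet >> (7 - i)) & 1 else "^" for i in range(8)))


# Source half of the posted ACL 101, in order. The destination half is the
# same 192.168.10.0 0.0.0.15 on every line, so it is omitted here.
ORIGINAL_ACL = [
    ("10.1.0.0",   "0.0.7.255"),
    ("10.1.8.0",   "0.0.1.255"),
    ("10.1.11.0",  "0.0.5.255"),   # the entry Jon flagged
    ("10.1.16.0",  "0.0.15.255"),
    ("10.1.32.0",  "0.0.31.255"),
    ("10.1.64.0",  "0.0.63.255"),
    ("10.1.128.0", "0.0.127.255"),
]

# The same ACL with Jon's two replacement entries in place of the flagged one.
FIXED_ACL = ORIGINAL_ACL[:2] + [
    ("10.1.11.0", "0.0.0.255"),
    ("10.1.12.0", "0.0.3.255"),
] + ORIGINAL_ACL[3:]


def lookup(addr, acl):
    """Top-down first match, then the implicit deny at the end of every ACL."""
    for base, wc in acl:
        if matches(addr, base, wc):
            return ("permit", base, wc)
    return ("deny", None, None)


# Loopback addresses from the first post; by assumption 10.1.10.1 must not pass.
LOOPBACKS = ["10.1.1.1", "10.1.5.1", "10.1.10.1", "10.1.30.1",
             "10.1.50.1", "10.1.70.1", "10.1.100.1"]


def verdicts(acl):
    """Action the ACL takes for each loopback source."""
    return {a: lookup(a, acl)[0] for a in LOOPBACKS}


if __name__ == "__main__":
    print(checked_bits(11, 5))
    print("10.1.11.0 0.0.5.255 matches third octets:",
          third_octets("10.1.11.0", "0.0.5.255"))
    print("original:", verdicts(ORIGINAL_ACL))
    print("fixed:   ", verdicts(FIXED_ACL))
```

Run it and the flagged line explains the symptom: 10.1.11.0 0.0.5.255 compares only the third-octet bits where the wildcard is 0, and 11 (00001011) with bits 0 and 2 ignored is the same value as 10 (00001010), so the entry permits 10.1.10.0/24, 10.1.11.0/24, 10.1.14.0/24 and 10.1.15.0/24 rather than 10.1.11.0 through 10.1.15.0. With Jon's two replacement entries, 10.1.10.1 matches nothing and hits the implicit deny while the other six loopbacks are still permitted. One caveat on the test itself: IOS does not run packets the router originates through an outbound interface ACL, so pings sourced from router 1's own loopbacks, or router 1's echo replies to pings from router 2, do not exercise this ACL at all; the traffic has to transit router 1.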
09-18-2011 11:15 AM
Jon,
Thank you so much for your help.
Will
09-18-2011 12:08 PM
Hi Jon,
Great response, and very interesting article at the INE blog. Do you have any more information about what would happen if we had more than two addresses we were trying to find the most specific wildcard for? Would we just do exactly the same, but with more addresses to AND and XOR?
Sorry to hijack.
Adam
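Added example, not part of Adam's or Jon's posts: the AND/XOR approach Adam asks about, generalized to any number of addresses, with a check for what a single entry would match beyond the addresses you wanted. The rule is that a bit on which all the addresses agree is a "care" bit (0 in the wildcard) and a bit on which any two of them differ must be a "don't care" bit (1 in the wildcard), so the base is the AND of all the addresses and the wildcard is their OR xor their AND. The inputs below are the /24 network addresses from this thread, so the wildcards come out with a .0 last octet; for a real ACE matching whole /24s you would OR 0.0.0.255 into them, which split_range already does via the host mask.

```python
import ipaddress


def to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def to_str(n):
    return str(ipaddress.IPv4Address(n))


def tightest_wildcard(addrs):
    """Smallest single (base, wildcard) pair that matches every address in
    addrs. base = AND of all addresses; wildcard = OR xor AND, i.e. a 1 bit
    wherever at least two of the addresses disagree."""
    ints = [to_int(a) for a in addrs]
    and_all, or_all = ints[0], ints[0]
    for v in ints[1:]:
        and_all &= v
        or_all |= v
    return to_str(and_all), to_str(or_all ^ and_all)


def expand(base, wildcard):
    """Every address a (base, wildcard) entry matches: one address for each
    combination of the don't-care bits, so always a power of two of them."""
    b, w = to_int(base), to_int(wildcard)
    free_bits = [i for i in range(32) if (w >> i) & 1]
    out = []
    for combo in range(1 << len(free_bits)):
        v = b & ~w & 0xFFFFFFFF
        for k, bit in enumerate(free_bits):
            if (combo >> k) & 1:
                v |= 1 << bit
        out.append(v)
    return [to_str(v) for v in sorted(out)]


def overmatch(wanted):
    """Addresses the tightest single entry lets through beyond those wanted.
    Empty means one entry is exact; otherwise you must split, as Jon did."""
    base, wc = tightest_wildcard(wanted)
    extra = set(expand(base, wc)) - set(wanted)
    return sorted(extra, key=to_int)


def split_range(first, last):
    """Cover a contiguous range with the fewest aligned blocks (the inverse-
    subnet-mask style the poster was using), as (base, wildcard) pairs."""
    nets = ipaddress.summarize_address_range(ipaddress.IPv4Address(first),
                                             ipaddress.IPv4Address(last))
    return [(str(n.network_address), str(n.hostmask)) for n in nets]


# Constructed inputs taken from the thread.
TWO_NETS = ["10.1.11.0", "10.1.16.0"]                       # the poster's ".5" idea
ELEVEN_TO_FIFTEEN = ["10.1.%d.0" % x for x in range(11, 16)]  # what was wanted
WHAT_FIVE_MATCHES = ["10.1.10.0", "10.1.11.0", "10.1.14.0", "10.1.15.0"]

if __name__ == "__main__":
    for wanted in (TWO_NETS, ELEVEN_TO_FIFTEEN, WHAT_FIVE_MATCHES):
        print(wanted, "->", tightest_wildcard(wanted), "extra:", overmatch(wanted))
    print(split_range("10.1.11.0", "10.1.15.255"))
    print(split_range("10.1.11.0", "10.1.255.255"))
```

Three things fall out of running this. For 10.1.11.0 and 10.1.16.0 the tightest single entry is 10.1.0.0 0.0.27.0, which drags in fourteen other /24s, 10.1.10.0 among them. For the five networks 10.1.11.0 through 10.1.15.0 the tightest single entry is 10.1.8.0 0.0.7.0, which again includes 10.1.10.0; no single entry can do it, because an entry always matches a power of two of addresses and five is not one, so Jon's two-line split is the minimum. And the set {10, 11, 14, 15} that the poster's 10.1.11.0 0.0.5.255 actually matched is exactly the set for which 0.0.5 is the tightest wildcard, with nothing extra, which is the binary view of why the router read that line the way it did.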