Velocity Reviews

Velocity Reviews > Cisco > ACL Headache
(http://www.velocityreviews.com/forums/t39243-acl-headache.html)

05hammer 05-16-2005 06:01 PM

ACL Headache
 
I am running a Catalyst 6509. I have a class C address split into 2
subnets with gateways of, let's say, 192.168.43.1 and 192.168.43.129.

The upper range of addresses are to be exempt from the ACL so I need a
permit statement at the top of my ACL that permits any address greater
than 43.128 but forces the lower addresses down through the ACL.

I've tried something like this:

ip access-list extended testme
permit ip any any 192.168.43.129 0.0.0.128
--insert other ACL's here--
permit ip any any 192.168.43.0 0.0.0.128

but it doesn't seem to be working. 43.220 is still logging a deny on
tcp port 445, 135, 137, 111......

When I do a sho run | begin testme, I get this as the first line of the
ACL:

permit ip any any 192.168.43.1 0.0.0.128

It changes 43.129 to 43.1

What am I missing? These wildcard bits are chewing my brain, man! I
gotta get this working like this because the upper addresses are part
of a global network and need the ports I am blocking to be accessible
for their address range.


Arnold Nipper 05-16-2005 06:25 PM

Re: ACL Headache
 
On 16.05.2005 20:01 05hammer wrote

> I am running a Catalyst 6509. I have a class C address split into 2
> subnets with gateways of lets say 192.168.43.1 and 192.168.43.129.
>
> The upper range of addresses are to be exempt from the ACL so I need a
> permit statement at the top of my ACL that permits any address greater
> than 43.128 but forces the lower addresses down through the ACL.
>
> I'v tried something like this:
>
> ip access-list extended testme
> permit ip any any 192.168.43.129 0.0.0.128


Try

ip access-list extended testme
permit ip any 192.168.43.128 0.0.0.127



Arnold
--
Arnold Nipper, AN45

Doan 05-16-2005 06:38 PM

Re: ACL Headache
 
On 16 May 2005, 05hammer wrote:

> I am running a Catalyst 6509. I have a class C address split into 2
> subnets with gateways of lets say 192.168.43.1 and 192.168.43.129.
>
> The upper range of addresses are to be exempt from the ACL so I need a
> permit statement at the top of my ACL that permits any address greater
> than 43.128 but forces the lower addresses down through the ACL.
>
> I'v tried something like this:
>
> ip access-list extended testme
> permit ip any any 192.168.43.129 0.0.0.128
> --insert other ACL's here--
> permit ip any any 192.168.43.0 0.0.0.128
>
> but it doesn't seem to be working. 43.220 is still logging a deny on
> tcp port 445, 135, 137, 111......
>
> When I do a sho run | begin testme, I get this as the first line of the
> ACL:
>
> permit ip any any 192.168.43.1 0.0.0.128
>
> It changes 43.129 to 43.1
>
> What am I missing? These wildcard bits are chewing my brain man! I
> gotta get this working like this because the upper addresses are part
> of a global network and need the ports I am blocking to be accessable
> for their address range.
>


Your wildcard bits are wrong. One easy way to remember is to subtract
the subnet mask from 255.255.255.255. So, 192.168.43.129 255.255.255.128
becomes 192.168.43.129 0.0.0.127.

Doan




05hammer 05-16-2005 06:52 PM

Re: ACL Headache
 
Jeesh! I knew that too! I learned it like this: the numbers in the
filter mask are a power of 2 minus 1. So, yeah, .127 is the correct
address. I'll go give it a go. Thanks again!

I h8 Mondays sometimes!


thrill5 05-17-2005 03:57 AM

Re: ACL Headache
 
The wildcard bits are also known as the "bizarro mask" :-)

Scott

"Doan" <doan@usc.edu> wrote in message
news:Pine.GSO.4.33.0505161135090.8536-100000@skat.usc.edu...
>
> Your wildcard bits are wrong. One easy way to remember is to subtract
> the subnet masks from 255.255.255.255. So, 192.168.43.129 255.255.255.128
> becomes 192.168.43.129 0.0.0.127.
>
> Doan
>
>
>




anybody43@hotmail.com 05-17-2005 07:14 PM

Re: ACL Headache
 
The long term fix to this type of problem is
to use the representation that best fits the problem.
In this case binary representation is the most convenient.

128 = 1000 0000
127 = 0111 1111

It's hard for me to say how much effort
is involved in learning from scratch since I
have been using it regularly for so long now.

Luckily IPv6 is going to make it all much easier.

http://www.faqs.org/rfcs/rfc1924.html
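Doan's subtraction rule and the binary view above, worked out in code. This is an added example, not code from the thread: a short Python script using only the standard-library `ipaddress` module that converts a subnet mask or prefix length to a wildcard, shows what IOS stores for an ACE (it clears the don't-care bits, which is why `192.168.43.129 0.0.0.128` came back as `192.168.43.1 0.0.0.128`), and enumerates the addresses an ACE actually matches. The function names and the 192.168.43.0/24 sample network are my assumptions; the addresses are the ones from the thread.

```python
"""Cisco-style wildcard masks, worked on the thread's own addresses.

A wildcard mask is the bitwise inverse of the subnet mask: a 0 bit means
"this bit must match", a 1 bit means "don't care".  IOS stores an ACE with
the don't-care bits of the address cleared, so a typo in the wildcard is
only visible as a changed address in 'show run' / 'show access-lists'.
"""
import ipaddress

# Constructed sample values taken from the thread (assumption: the /24 is
# 192.168.43.0/24 split into .0/25 and .128/25).
SAMPLE_NETWORK = "192.168.43.0/24"
WRONG_ADDRESS, WRONG_WILDCARD = "192.168.43.129", "0.0.0.128"
RIGHT_ADDRESS, RIGHT_WILDCARD = "192.168.43.128", "0.0.0.127"


def _int(addr: str) -> int:
    """Dotted quad -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def _dotted(value: int) -> str:
    """32-bit integer -> dotted quad."""
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


def wildcard_from_mask(mask: str) -> str:
    """Doan's rule: 255.255.255.255 minus the subnet mask (XOR is the same thing).

    255.255.255.128 -> 0.0.0.127
    """
    return _dotted(0xFFFFFFFF ^ _int(mask))


def wildcard_from_prefix(prefixlen: int) -> str:
    """Prefix length -> wildcard; ipaddress calls this the hostmask. /25 -> 0.0.0.127"""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefixlen}").hostmask)


def normalize_ace(address: str, wildcard: str) -> str:
    """The address IOS actually stores: every don't-care bit cleared.

    192.168.43.129 with 0.0.0.128 -> 192.168.43.1   (bit 7 is don't-care)
    192.168.43.129 with 0.0.0.127 -> 192.168.43.128 (bits 0-6 are don't-care)
    """
    return _dotted(_int(address) & ~_int(wildcard))


def ace_matches(address: str, wildcard: str, candidate: str) -> bool:
    """True if `candidate` matches the ACE: all bits outside the wildcard are equal."""
    care = ~_int(wildcard)
    return (_int(address) & care) == (_int(candidate) & care)


def matched_addresses(address: str, wildcard: str, network: str) -> list:
    """Every address in `network` the ACE matches (brute force; fine for a /24)."""
    return [str(a) for a in ipaddress.IPv4Network(network)
            if ace_matches(address, wildcard, str(a))]


if __name__ == "__main__":
    print("wildcard for 255.255.255.128 :", wildcard_from_mask("255.255.255.128"))
    print("wildcard for /25             :", wildcard_from_prefix(25))
    for addr, wc in ((WRONG_ADDRESS, WRONG_WILDCARD), (RIGHT_ADDRESS, RIGHT_WILDCARD)):
        hits = matched_addresses(addr, wc, SAMPLE_NETWORK)
        print(f"\npermit ip any {addr} {wc}")
        print(f"  stored by IOS as      : {normalize_ace(addr, wc)} {wc}")
        print(f"  matches {len(hits):3d} addresses : {hits[:4]}{' ...' if len(hits) > 4 else ''}")
        print(f"  matches 192.168.43.220: {ace_matches(addr, wc, '192.168.43.220')}")
```

Run it and `0.0.0.128` matches only .1 and .129 (the two addresses whose low seven bits are 0000001), which is why .220 kept hitting the deny, while `192.168.43.128 0.0.0.127` matches all 128 addresses from .128 to .255. Note the extended-ACE syntax Arnold's line uses: `permit ip <source> <destination>`, so `any` followed by the network and wildcard, not `any any` plus a third address. The security point is that IOS accepts a wrong wildcard without complaint and silently narrows or widens the entry; after editing a wildcard, read the stored address back in `show access-lists` and watch its hit counter rather than trusting the line you typed.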


