Re: [nsp] Access List Question

From: Jon Lewis (jlewis@inorganic5.fdt.net)
Date: Fri Jul 24 1998 - 00:18:54 EDT


On Thu, 23 Jul 1998, RainMaker wrote:

> assuming that I have 10.111.216.0/20 to work with. I enter the following
> to get it routed where I want to go:
>
> ip route 10.11.216.0 255.255.248.0 Serial0/0/2
>
> Now I want to apply a basic filter to prevent spoofing.
>
> access-list 101 deny ip 10.11.216.0 0.0.248.255 any
> access-list 101 permit ip any any
> access-list 102 permit ip 10.11.216.0 0.0.248.255 any
> access-list 102 deny ip any any

You did the inverse netmask thing with octets 1 2 and 4, but not 3. Why?
Wouldn't you really want

 access-list 101 deny ip 10.11.216.0 0.0.15.255 any
 access-list 101 permit ip any any
 access-list 102 permit ip 10.11.216.0 0.0.15.255 any
 access-list 102 deny ip any any

Also...10.111.216.0/20 is invalid even with CIDR. I don't know what the
proper terminology is, but it's what I call "not a natural subnet boundary
for the subnet size". If we say that 10.111.216.0 is a subnet in
10.111.128/17 (the top half of 10.111/16), 10.111.128/17 can be broken up
into 10.111.128/18 and 10.111.192/18.

10.111.192/18 can be split into 10.111.192/19 and 10.111.224/19.
10.111.192/19 can be split into 10.111.192/20 and 10.111.208/20.
10.111.208/20 can be split into 10.111.208/21 and 10.111.216/21.

So 10.111.216.0 can be the network address for a network no larger than
/21.

------------------------------------------------------------------
 Jon Lewis <jlewis@fdt.net> | Spammers will be winnuked or
 Network Administrator | drawn and quartered...whichever
 Florida Digital Turnpike | is more convenient.
______http://inorganic5.fdt.net/~jlewis/pgp for PGP public key____
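The two points in the reply above, that the wildcard mask is the bitwise complement of the netmask (so a /20 needs 0.0.15.255 in every octet, not 0.0.248.255) and that a network address must sit on a boundary of its own prefix length (216 in the third octet is a multiple of 8, not 16, so /21 is the largest block it can start), as an added Python example. This is constructed here as an illustration and is not code from the original post or its author; the function names are mine, the ACL numbers 101/102 are taken from the thread, and the sample addresses 10.11.217.5 and 10.11.8.1 are made up to show how the mis-derived wildcard misbehaves.

```python
"""Wildcard masks and CIDR boundary checks for Cisco-style anti-spoofing ACLs.

Constructed example for the thread above; not the original poster's code.
"""
import ipaddress


def wildcard_for_prefix(prefixlen):
    """Cisco wildcard (inverse netmask) for a prefix length.

    A 1 bit in the wildcard means 'don't care'.  /20 -> 0.0.15.255, /21 -> 0.0.7.255.
    """
    if not 0 <= prefixlen <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return str(ipaddress.IPv4Address((1 << (32 - prefixlen)) - 1))


def acl_matches(addr, base, wildcard):
    """Does the ACE 'base wildcard' match addr?  Only bits where the wildcard is 0 are compared."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a ^ b) & care == 0


def wildcard_address_count(wildcard):
    """Number of addresses an ACE with this wildcard matches: 2 ** (number of 1 bits)."""
    return 1 << bin(int(ipaddress.IPv4Address(wildcard))).count("1")


def min_prefixlen(network_addr):
    """Smallest prefix length (largest block) for which network_addr is a valid network address.

    The host part must be all zeros, so the answer is 32 minus the number of trailing zero bits.
    10.111.216.0 -> 21, 10.111.208.0 -> 20, 10.111.128.0 -> 17.
    """
    n = int(ipaddress.IPv4Address(network_addr))
    if n == 0:
        return 0
    trailing_zeros = (n & -n).bit_length() - 1
    return 32 - trailing_zeros


def is_aligned(network_addr, prefixlen):
    """True if network_addr/prefixlen is on a natural boundary for that prefix length."""
    return prefixlen >= min_prefixlen(network_addr)


def containing_network(addr, prefixlen):
    """The network a router would actually use for addr/prefixlen (host bits cleared)."""
    mask = (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(addr)) & mask))


def antispoof_acls(network, prefixlen, inbound=101, outbound=102):
    """Build the inbound/outbound anti-spoofing ACLs from the thread with a derived wildcard.

    Refuses a misaligned network address rather than silently filtering the wrong block.
    """
    if not is_aligned(network, prefixlen):
        raise ValueError(
            f"{network}/{prefixlen} is not on a prefix boundary; "
            f"largest valid block is /{min_prefixlen(network)}"
        )
    wc = wildcard_for_prefix(prefixlen)
    return [
        f"access-list {inbound} deny ip {network} {wc} any",
        f"access-list {inbound} permit ip any any",
        f"access-list {outbound} permit ip {network} {wc} any",
        f"access-list {outbound} deny ip any any",
    ]


if __name__ == "__main__":
    # Constructed sample addresses: one inside the intended /20, one far outside it.
    for addr in ("10.11.217.5", "10.11.8.1"):
        for wc in ("0.0.15.255", "0.0.248.255"):
            print(f"{addr} vs 10.11.216.0 {wc}: {acl_matches(addr, '10.11.216.0', wc)}")
    print("10.111.216.0 largest valid block: /%d" % min_prefixlen("10.111.216.0"))
    print("10.111.216.0/20 would really be", containing_network("10.111.216.0", 20) + "/20")
    print("\n".join(antispoof_acls("10.11.216.0", 21)))
```

With the original 0.0.248.255 wildcard, 10.11.217.5 (a host inside the intended block) is not matched, so spoofed packets claiming that source pass the inbound deny and legitimate traffic from it is dropped by the outbound list, while 10.11.8.1 (nowhere near the block) is matched. The mis-derived wildcard covers 8192 scattered addresses instead of the 4096 contiguous ones a /20 should cover.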






This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:13 EDT