468   Chapter 9   Managing Traffic with Access Lists
When you need to specify a range of addresses, you choose the next-largest
block size for your needs. For example, if you need to specify 34 networks, you
need a block size of 64. If you want to specify 18 hosts, you need a block size
of 32. If you only specify two networks, then a block size of 4 would work.
Wildcards are used with the host or network address to tell the router a
range of available addresses to filter. To specify a host, the address would
look like this:
172.16.30.5 0.0.0.0
The four zeros represent each octet of the address. Whenever a zero is
present, it means that octet in the address must match exactly. To specify
that an octet can be any value, the value of 255 is used. As an example, here
is how a full subnet is specified with a wildcard:
172.16.30.0 0.0.0.255
This tells the router to match up the first three octets exactly, but the
fourth octet can be any value.
Now, that was the easy part. What if you want to specify only a small
range of subnets? This is where the block sizes come in. You have to specify
the range of values in a block size. In other words, you can't choose to
specify 20 networks. You can only specify the exact amount as the block size
value. For example, the range would either have to be 16 or 32, but not 20.
Let's say that you want to block access to part of a network that is in the
range from 172.16.8.0 through 172.16.15.0. That is a block size of 8. Your
network number would be 172.16.8.0, and the wildcard would be 0.0.7.255.
Whoa! What is that? The 7.255 is what the router uses to determine the block
size. The network and wildcard tell the router to start at 172.16.8.0 and go up
a block size of eight addresses to network 172.16.15.0.
It is actually easier than it looks. I could certainly go through the binary
math for you, but all you really have to do is remember that the wildcard
is always one number less than the block size. So, in our example, the wildcard
would be 7 since our block size is 8. If you used a block size of 16, the
wildcard would be 15. Easy, huh?
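The block-size rule above, as an added Python model that is not from the book: it computes wildcard values from block sizes, checks whether an address falls inside a network/wildcard pair the way the router does (0 bit must match, 1 bit is a don't-care), and derives network plus wildcard from a range. The function names and sample addresses are mine; the range helper expects the last host address of the block (172.16.15.255 rather than the network 172.16.15.0).

```python
# Added example (not from the book): wildcard-mask arithmetic for
# Cisco-style access lists, following the block-size rule in the text.
import ipaddress


def wildcard_for_block(block_size):
    """Wildcard value for one octet: always one less than the block size."""
    if block_size <= 0 or block_size & (block_size - 1):
        raise ValueError("block size must be a power of two")
    return block_size - 1


def block_size_for(count):
    """Smallest power-of-two block that covers `count` networks or hosts
    (34 networks -> 64, 18 hosts -> 32, 20 networks -> 32, never 20)."""
    size = 1
    while size < count:
        size *= 2
    return size


def matches(address, network, wildcard):
    """True if `address` is in the range given by network + wildcard.
    A 0 bit in the wildcard must match exactly; a 1 bit may be anything."""
    a = int(ipaddress.IPv4Address(address))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)


def wildcard_for_range(first, last):
    """Network and wildcard covering first..last (last = final host of the
    block). Raises if the span is not an aligned power-of-two block, which
    is why a range of exactly 20 networks cannot be written as one entry."""
    f = int(ipaddress.IPv4Address(first))
    span = int(ipaddress.IPv4Address(last)) - f + 1
    if span <= 0 or span & (span - 1) or f % span:
        raise ValueError("range is not an aligned power-of-two block")
    return first, str(ipaddress.IPv4Address(span - 1))
```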
We'll go through some examples to help you really understand it. The following
example tells the router to match the first three octets exactly but that
the fourth octet can be anything.
RouterA(config)#access-list 10 deny 172.16.10.0 0.0.0.255
The next example tells the router to match the first two octets and that the
last two octets can be any value.
Copyright ©2002 SYBEX, Inc., Alameda, CA
www.sybex.com