Wednesday, November 23, 2005

Wild-Card mask for access-list in IOS

For whatever reason, IOS wants the mask for an access-list to be the inverse of the subnet mask. Most (if not all) people who work with IOS regularly make some sort of mistake with it now and again. So here is a good link to put in your bookmarks if you're having trouble doing the math in your head.

Subnet Mask tool for Access-List

----------------------------
Also a tip I found in Packet

A fast and easy way to obtain the inverse or “wildcard” mask is to subtract the known subnet mask from the broadcast or “all 1’s” address. The inverse mask of a /21 would be as follows:

    255.255.255.255   <- broadcast address
  - 255.255.248.  0   <- subnet mask for /21
    ---------------
      0.  0.  7.255   <- inverse mask for /21

---------------------------

Then there is the old CCIE lab trick. (I've heard people who practice for the CCIE lab use this.) If you have a router on which you can configure an extra OSPF routing process, add the network to that OSPF process using the normal subnet mask:
router ospf 1
network 1.1.1.0 255.255.255.192 area 0

Then look at the config:
sho run | inc 1.1.1.0
network 1.1.1.0 0.0.0.63 area 0


Here IOS magically reverses the mask for you. Why this isn't an option with ACL masks I'll never know.
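As an added example (my own code, not from the original post or from Packet), here is a small Python script that applies the subtraction trick to the /21 and 255.255.255.192 cases above, reproduces what IOS shows for the OSPF network line, and flags the classic mistake of typing a subnet mask where an ACL expects a wildcard. The function names are my own.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF  # 255.255.255.255, the "broadcast" address from the Packet tip


def wildcard_from_mask(subnet_mask: str) -> str:
    """Inverse (wildcard) mask: 255.255.255.255 minus the subnet mask."""
    mask = int(ipaddress.IPv4Address(subnet_mask))
    return str(ipaddress.IPv4Address(ALL_ONES - mask))


def wildcard_from_prefix(prefix_len: int) -> str:
    """Same trick, starting from a prefix length such as 21 for /21."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("IPv4 prefix length must be between 0 and 32")
    mask = int(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)
    return str(ipaddress.IPv4Address(ALL_ONES - mask))


def ospf_network_as_shown(network: str, subnet_mask: str, area: int = 0) -> str:
    """What 'sho run' displays after IOS converts the mask you typed."""
    return f"network {network} {wildcard_from_mask(subnet_mask)} area {area}"


def looks_like_subnet_mask(wildcard: str) -> bool:
    """True when a supposed wildcard is really a subnet mask (leading 1s, trailing 0s).

    0.0.0.0 (single host) and 255.255.255.255 (any) are valid either way, so they
    are never flagged. A flagged value almost certainly means the mask was not inverted.
    """
    w = int(ipaddress.IPv4Address(wildcard))
    if w in (0, ALL_ONES):
        return False
    inverse = w ^ ALL_ONES
    # A subnet mask inverts to a value of the form 000...0111...1,
    # and such a value has no bit in common with itself plus one.
    return inverse & (inverse + 1) == 0


def addresses_matched(wildcard: str) -> int:
    """How many addresses an ACL entry with this wildcard matches (2 ** number of 1 bits)."""
    w = int(ipaddress.IPv4Address(wildcard))
    return 2 ** bin(w).count("1")


if __name__ == "__main__":
    print(wildcard_from_prefix(21))                              # 0.0.7.255
    print(ospf_network_as_shown("1.1.1.0", "255.255.255.192"))  # network 1.1.1.0 0.0.0.63 area 0
    for candidate in ("0.0.0.63", "255.255.255.192"):
        print(candidate, addresses_matched(candidate), looks_like_subnet_mask(candidate))
```

The last loop is the part worth keeping around: the un-inverted 255.255.255.192 matches 2^26 addresses instead of the 64 you meant, which is exactly how a "permit" line ends up far wider than intended.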
