I had the same concern when I started practicing.  You will find as you go 
through the labs you'll get plenty of practice.
There are many examples on the Internet as well.  Do a search for "ccie 
access-list".  You'll get several hits.

Below is an example of the type of information you can find on the web.
Questions and Answers:
1. Advertise only odd network
210.8.40.0
210.8.41.0
210.8.42.0
210.8.43.0
even 40,42
40 0010 1000
42 0010 1010
0000 0010
odd 41,43
41 0010 1001
43 0010 1011
0000 0010
answer:
acl odd  210.8.41.0 0.0.2.x
acl even 210.8.40.0 0.0.2.x
x = 0 = route
x = 255 = host
don't care = 1
strings of 32 bits
————-
2. pick only even /24 from 202.78.0.0 / 16
make as few lines as possible, permit no more no less.
202.78.00000000.0
202.78.00000010.0
202.78.x.0
0  0000 0000
2  0000 0010
4  0000 0100
6  0000 0110
8  0000 1000
10 0000 1010
1111 1110 = mask = 254
answer : 202.78.0.0 0.0.254.0
even: acl permit 202.78.0.0 0.0.254.0  .0 on last octet means a route!
odd : acl permit 202.78.1.0 0.0.254.0  .0 on last octet means a route!
————–
3. Group / Summarize: in as few lines as possible
172.16.31.0
172.16.32.0
172.16.33.0
172.16.34.0
answer:
31.0
32.0 /22
deny 35.0
acl deny   172.16.35.0 0.0.0.0
acl permit 172.16.31.0 0.0.0.0
acl permit 172.16.32.0 0.0.3.0
31 0001 1111
32 0010 0000
33 0010 0001
34 0010 0010
35 0010 0011 <<—-not present!
0000 0011 Mask = (3) , 2 bit position difference, so 2 to the 2 is 4, 
that's 32-35.
Tip: You can over permit but make sure you deny the over permitted route.
—————–
4.  Group / Summarize: in as few lines as possible
172.16.31.0
172.16.32.0
172.16.33.0
172.16.34.0
172.16.35.0
172.16.36.0
172.16.37.0
answers:
acl permit 172.16.31.0 0.0.0.0
acl permit 172.16.32.0 0.0.3.0
acl permit 172.16.36.0 0.0.1.0
or
acl deny   172.16.38.0 0.0.1.0
acl permit 172.16.31.0 0.0.0.0
acl permit 172.16.32.0 0.0.7.0
Tip: Depending on how you group the routes according to the position, it will 
result in the same 3 line answer.
——————–
5. Summarize in as few lines as possible.
168.192.3.0  /24
168.192.14.0 /24
168.208.11.0 /24
168.208.14.0 /24
168.208.3.0  /24
168.192.11.0 /24
—
answer, group first.
168.192.3.0  /24
168.192.11.0 /24
168.208.3.0  /24
168.208.11.0 /24
168.192.14.0 /24
168.208.14.0 /24
then,
192 1100 0000
208 1101 0000
0001 0000 mask = 16
3   0000 0011
11  0000 1011
0000 1000 mask = 8
14  0000 1110
answer:
acl permit 168.192.3.0   0.16.8.0
acl permit 168.192.14.0  0.16.0.0
———
5. summarize in as few lines as possible
207.49.164.0 /24
208.49.164.0 /24
205.49.165.0 /24
207.49.165.0 /24
192.49.164.0 /24
answer, group!
192.49.164.0 /24
208.49.164.0 /24
192 1100 0000
208 1101 0000
0001 0000 mask 16
207.49.164.0 /24 <-stand alone.
207.49.165.0 /24
205.49.165.0 /24
205  1100 1101
207  1100 1111
0000 0010 mask 2
answer:
acl permit 192.49.164.0 16.0.0.0
acl permit 205.49.165.0 2.0.0.0
acl permit 207.49.164.0 0.0.0.0
or
192.49.164.0 /24
208.49.164.0 /24
192 1100 0000
208 1101 0000
0001 0000 mask 16
207.49.164.0 /24
207.49.165.0 /24
164 1010 0100
165 1010 0101
0000 0001 mask 1
205.49.165.0 /24 <-stand alone.
so, another answer is:
acl permit 192.49.164.0 16.0.0.0
acl permit 207.49.164.0 0.0.1.0
acl permit 205.49.165.0 0.0.0.0
————–
7. Create an ACL in as few lines as possible
182.17.73.0
182.17.77.0
182.81.73.0
182.81.77.0
190.17.73.0
190.81.73.0
190.17.77.0
190.81.77.0
190 1011 1110
182 1011 0110
0000 1000 mask 8
17 0001 0001
81 0101 0001
0100 0000 mask 64
73 0100 1001
77 0100 1101
0000 0100 mask = 4
In every octet there is a difference, so we can put this on a
single entry!
answer:
acl permit 182.17.73.0 8.64.4.0
checking tip: put the middle network say 190.81.73.0 and
mask, the router should put the lowest IP address (
182.17.73.0) to the running config. This will ensure you that
you have computed correctly the mask.
———–
I can’t help it, I have a feeling this should come out and be part of the 
exam. Therefore this should be a must for all CCIE candidates to master!
 

Robert Wyzykowski
Manager, Global Telecommunications
IMERYS
30 Mansell Court East - Suite 220
Roswell, GA, USA
Phone: +1 770 645 3734
Mobile: +1 404-434 9000
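
An added example, not part of the original email or of any Cisco tooling: it derives a single-line wildcard from the networks in question 7, applies the "checking tip" (the router stores the address with its don't-care bits cleared), and lists what a line over-permits, as in question 3. The function names are hypothetical; the addresses are the ones quoted above.

```python
import ipaddress

FULL = 0xFFFFFFFF

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def to_str(value):
    return str(ipaddress.IPv4Address(value))

def wildcard_for(networks):
    """One ACL line spanning all networks: OR together every bit that differs."""
    vals = [to_int(n) for n in networks]
    wild = 0
    for v in vals:
        wild |= v ^ vals[0]
    return to_str(vals[0] & ~wild & FULL), to_str(wild)

def normalize(addr, wildcard):
    """What the router stores: don't-care bits in the address are cleared."""
    return to_str(to_int(addr) & ~to_int(wildcard) & FULL)

def matched(addr, wildcard):
    """Every address the pair matches; each don't-care bit doubles the set."""
    wild = to_int(wildcard)
    out = [to_int(normalize(addr, wildcard))]
    for bit in range(32):
        if (wild >> bit) & 1:
            out += [x | (1 << bit) for x in out]
    return [to_str(x) for x in sorted(out)]

def audit(wanted, addr, wildcard):
    """Return (over_permitted, missed) for one ACL line against the wanted list."""
    got, want = set(matched(addr, wildcard)), set(wanted)
    return sorted(got - want, key=to_int), sorted(want - got, key=to_int)

if __name__ == "__main__":
    # Networks from question 7 above.
    q7 = ["182.17.73.0", "182.17.77.0", "182.81.73.0", "182.81.77.0",
          "190.17.73.0", "190.81.73.0", "190.17.77.0", "190.81.77.0"]
    print(wildcard_for(q7))                        # derived address and wildcard
    print(audit(q7, "182.17.73.0", "8.64.4.0"))    # exact cover: nothing extra, nothing missed
    print(normalize("190.81.73.0", "8.64.4.0"))    # the checking tip
    # Question 3: the 0.0.3.0 line also matches 172.16.35.0, hence the deny.
    print(audit(["172.16.32.0", "172.16.33.0", "172.16.34.0"], "172.16.32.0", "0.0.3.0"))
```

A non-empty first list from `audit` is the set of routes that need an explicit deny ahead of the permit line.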
 



From: "Antonio Dee Hotmail" <[email protected]>
To: "'CCIE_RS OnlineStudyList'" <[email protected]>
Date: 05/18/2009 09:52 AM
Subject: [OSL | CCIE_RS] ACL filtering blues



Hi All,
 
Need some help on ACL calculation. This is general ACL filtering scenario.
 
I'm just practicing on ACL filtering especially on the non-continuous 
wildcards.
 
I've injected this to my test router but I don't seem to get the logic why 
it's this wildcard. Can somebody enlighten me on this?
 
I know 0 in the wildcard are care bits and 1 don't care, just the opposite 
of a subnet mask.
 
Example Scenario:
 
I get these networks from a backbone router:
 
network 10.10.10.0
network 10.10.11.0
network 10.10.12.0
network 10.10.13.0
network 10.10.14.0
network 10.10.15.0
network 10.10.16.0
 
I want to filter on the third octet and allow only 10, 13, 14 to come in
 
been playing with various values on the wildcard, and the working value is 
0.0.4.0 , WHY????
 
 
Kind Regards,
Antonio
 
 
 
