Antonio,

Glad you got it! I do think the 'binary math' is difficult to grasp at first just because, as Scott Morris says, it's a sudden shift in the way we thought about access lists as CCNAs where the text usually equates the wildcard mask to an inverse netmask - obviously not true as you find out while doing these types of problems.

Good stuff.

Michael

On Mon, May 18, 2009 at 10:26 AM, Antonio Dee Hotmail <[email protected]> wrote:

> Thanks Rob,
>
> yup, I did search the internet, got a list that I can practice,
>
> I need to nail this down on my head really hard.
>
> Cheers!
> Antonio
>
> *From:* Robert S Wyzykowski [mailto:[email protected]]
> *Sent:* Monday, 18 May 2009 11:45 PM
> *To:* Antonio Dee Hotmail
> *Cc:* 'CCIE_RS OnlineStudyList'; [email protected]
> *Subject:* Re: [OSL | CCIE_RS] ACL filtering blues
>
> I had the same concern when I started practicing. You will find as you go
> through the labs you'll get plenty of practice.
> There are many examples on the Internet as well. Do a search for "ccie
> access-list". You'll get several hits.
>
> Below is an example of the type of information you can find on the web.
>
> Questions and Answers:
>
> 1. Advertise only odd network
>
> 210.8.40.0
> 210.8.41.0
> 210.8.42.0
> 210.8.43.0
>
> even 40,42
>
> 40 0010 1000
> 42 0010 1010
>    0000 0010
>
> odd 41,43
>
> 41 0010 1001
> 43 0010 1011
>    0000 0010
>
> answer:
> acl odd 210.8.41.0 0.0.2.x
> acl even 210.8.40.0 0.0.2.x
>
> x = 0 = route
> x = 255 = host
>
> don't care = 1
> strings of 32 bits
>
> ----------
>
> 2. pick only even /24 from 202.78.0.0 / 16
> make as few lines as possible, permit no more no less.
>
> 202.78.00000000.0
> 202.78.00000010.0
> 202.78.x.0
>
> 0  0000 0000
> 2  0000 0010
> 4  0000 0100
> 6  0000 0110
> 8  0000 1000
> 10 0000 1010
>
> 1111 1110 = mask = 254
>
> answer : 202.78.0.0 0.0.254.0
>
> even: acl permit 202.78.0.0 0.0.254.0   .0 on last octet means a route!
> odd : acl permit 202.78.1.0 0.0.254.0   .0 on last octet means a route!
>
> ----------
>
> 3. Group / Summarize: in as few lines as possible
>
> 172.16.31.0
> 172.16.32.0
> 172.16.33.0
> 172.16.34.0
>
> answer:
>
> 31.0
>
> 32.0 /22
> deny 35.0
>
> acl deny 172.16.35.0 0.0.0.0
> acl permit 172.16.31.0 0.0.0.0
> acl permit 172.16.32.0 0.0.3.0
>
> 31 0001 1111
>
> 32 0010 0000
> 33 0010 0001
>
> 34 0010 0010
> 35 0010 0011 <<--- not present!
>
>    0000 0011 Mask = (3), 2 bit position difference, so 2 to the 2 is 4, that's
> 32-35.
>
> Tip: You can over permit but make sure you deny the over permitted route.
>
> ----------
>
> 4. Group / Summarize: in as few lines as possible
>
> 172.16.31.0
>
> 172.16.32.0
> 172.16.33.0
> 172.16.34.0
> 172.16.35.0
>
> 172.16.36.0
> 172.16.37.0
>
> answers:
>
> acl permit 172.16.31.0 0.0.0.0
> acl permit 172.16.32.0 0.0.3.0
> acl permit 172.16.36.0 0.0.1.0
>
> or
>
> acl deny 172.16.38.0 0.0.1.0
> acl permit 172.16.31.0 0.0.0.0
> acl permit 172.16.32.0 0.0.7.0
>
> Tip: Depends on how you group the routing according to the position, will
> result in the same 3 line answer.
>
> ----------
>
> 5. Summarize in as few lines as possible.
>
> 168.192.3.0 /24
> 168.192.14.0 /24
> 168.208.11.0 /24
> 168.208.14.0 /24
> 168.208.3.0 /24
> 168.192.11.0 /24
>
> ---
>
> answer, group first.
>
> 168.192.3.0 /24
> 168.192.11.0 /24
> 168.208.3.0 /24
> 168.208.11.0 /24
>
> 168.192.14.0 /24
> 168.208.14.0 /24
>
> then,
>
> 192 1100 0000
> 208 1101 0000
>     0001 0000 mask = 16
>
> 3  0000 0011
> 11 0000 1011
>    0000 1000 mask = 8
>
> 14 0000 1110
>
> answer:
> acl permit 168.192.3.0 0.16.8.0
> acl permit 168.192.14.0 0.16.0.0
>
> ----------
>
> 5. summarize in as few lines as possible
>
> 207.49.164.0 /24
> 208.49.164.0 /24
> 205.49.165.0 /24
> 207.49.165.0 /24
> 192.49.164.0 /24
>
> answer, group!
>
> 192.49.164.0 /24
> 208.49.164.0 /24
> 192 1100 0000
> 208 1101 0000
>     0001 0000 mask 16
>
> 207.49.164.0 /24 <-stand alone.
>
> 207.49.165.0 /24
> 205.49.165.0 /24
> 205 1100 1101
> 207 1100 1111
>     0000 0010 mask 2
>
> answer:
>
> acl permit 192.49.164.0 16.0.0.0
> acl permit 205.49.165.0 2.0.0.0
> acl permit 207.49.164.0 0.0.0.0
>
> or
>
> 192.49.164.0 /24
> 208.49.164.0 /24
> 192 1100 0000
> 208 1101 0000
>     0001 0000 mask 16
>
> 207.49.164.0 /24
> 207.49.165.0 /24
>
> 164 1010 0100
> 165 1010 0101
>     0000 0001 mask 1
>
> 205.49.165.0 /24 <-stand alone.
>
> so, another answer is:
>
> acl permit 192.49.164.0 16.0.0.0
> acl permit 207.49.164.0 0.0.1.0
> acl permit 205.49.165.0 0.0.0.0
>
> ----------
>
> 7. Create an ACL in as few lines as possible
>
> 182.17.73.0
>
> 182.17.77.0
> 182.81.73.0
> 182.81.77.0
> 190.17.73.0
> 190.81.73.0
> 190.17.77.0
> 190.81.77.0
>
> 190 1011 1110
> 182 1011 0110
>     0000 1000 mask 8
>
> 17 0001 0001
> 81 0101 0001
>    0100 0000 mask 64
>
> 73 0100 1001
> 77 0100 1101
>    0000 0100 mask = 4
>
> In every octet there is a difference, so we can put this on a
> single entry!
>
> answer:
>
> acl permit 182.17.73.0 8.64.4.0
>
> checking tip: put the middle network say 190.81.73.0 and
> mask, the router should put the lowest IP address (
> 182.17.73.0) to the running config. This will ensure you that
> you have computed correctly the mask.
>
> ----------
>
> I can't help it, I have a feeling this should come out and be part of the
> exam. Therefore this should be a must for all CCIE candidates to master!
>
> Robert Wyzykowski
> Manager, Global Telecommunications
> IMERYS
> 30 Mansell Court East - Suite 220
> Roswell, GA, USA
> Phone: +1 770 645 3734
> Mobile: +1 404-434 9000
>
> From: "Antonio Dee Hotmail" <[email protected]>
> To: "'CCIE_RS OnlineStudyList'" <[email protected]>
> Date: 05/18/2009 09:52 AM
> Subject: [OSL | CCIE_RS] ACL filtering blues
>
> ------------------------------
>
> Hi All,
>
> Need some help on ACL calculation. This is a general ACL filtering scenario.
>
> I'm just practicing on ACL filtering especially on the non-continuous
> wildcards.
>
> I've injected this to my test router but I don't seem to get the logic why
> it's this wildcard. Can somebody enlighten me on this?
>
> I know 0 in the wildcard are care bits and 1 don't care, just the opposite
> of a subnet mask.
>
> Example Scenario:
>
> I get these networks from a backbone router:
>
> network 10.10.10.0
> network 10.10.11.0
> network 10.10.12.0
> network 10.10.13.0
> network 10.10.14.0
> network 10.10.15.0
> network 10.10.16.0
>
> I want to filter on the third octet and allow only 10, 13, 14 to come in
>
> been playing with various values on the wildcard, and the working value is
> *0.0.4.0* , WHY????
>
> Kind Regards,
> Antonio
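An added example, not written by anyone in the thread: a Python checker for the wildcard arithmetic worked through above. It expands a discontiguous wildcard entry into the addresses it matches, evaluates an ordered list first-match with an implicit deny, and reproduces the thread's checking tip; the function names are hypothetical, and the sample ACL and prefix list are question 3's from the thread.

```python
from ipaddress import IPv4Address as IP

FULL = 0xFFFFFFFF

def covers(addr, wildcard, candidate):
    """True when candidate equals addr on every care bit (wildcard bit 0)."""
    care = ~int(IP(wildcard)) & FULL
    return (int(IP(addr)) ^ int(IP(candidate))) & care == 0

def normalize(addr, wildcard):
    """Clear the don't-care bits: the form the thread's checking tip expects."""
    return str(IP(int(IP(addr)) & ~int(IP(wildcard)) & FULL))

def expand(addr, wildcard):
    """Every address one entry matches: 2**n values for n don't-care bits."""
    wc = int(IP(wildcard))
    out = {int(IP(normalize(addr, wildcard)))}
    for bit in (1 << i for i in range(32) if wc >> i & 1):
        out |= {a | bit for a in out}
    return {str(IP(a)) for a in out}

def permitted(acl):
    """Addresses an ordered ACL permits: first match wins, implicit deny last."""
    candidates = set()
    for action, addr, wc in acl:
        if action == "permit":
            candidates |= expand(addr, wc)
    allowed = set()
    for cand in candidates:
        for action, addr, wc in acl:
            if covers(addr, wc, cand):
                if action == "permit":
                    allowed.add(cand)
                break
    return allowed

def audit(acl, wanted):
    """Return (over_permitted, missed) against the intended prefix list."""
    got = permitted(acl)
    return sorted(got - set(wanted)), sorted(set(wanted) - got)

# Question 3's answer and prefix list, copied from the thread.
Q3_ACL = [("deny", "172.16.35.0", "0.0.0.0"),
          ("permit", "172.16.31.0", "0.0.0.0"),
          ("permit", "172.16.32.0", "0.0.3.0")]
Q3_WANTED = ["172.16.31.0", "172.16.32.0", "172.16.33.0", "172.16.34.0"]

if __name__ == "__main__":
    print(audit(Q3_ACL, Q3_WANTED))        # with the deny line
    print(audit(Q3_ACL[1:], Q3_WANTED))    # deny line dropped
    print(normalize("190.81.73.0", "8.64.4.0"))
```

Running `audit` on a proposed answer before it goes into a filter shows any prefix the wildcard lets through beyond the intended list, which is the "permit no more no less" condition from question 2.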
