Ya, on our CCNP days, it's basically flipping the subnet mask, that's it. :-)
From: michael haynes [mailto:[email protected]]
Sent: Tuesday, 19 May 2009 12:03 AM
To: Antonio Dee Hotmail
Cc: CCIE_RS OnlineStudyList
Subject: Re: [OSL | CCIE_RS] ACL filtering blues

Antonio,

Glad you got it! I do think the 'binary math' is difficult to grasp at first just because, as Scott Morris says, it's a sudden shift in the way we thought about access lists as CCNAs, where the text usually equates the wildcard mask to an inverse netmask - obviously not true, as you find out while doing these types of problems.

Good stuff.

Michael

On Mon, May 18, 2009 at 10:26 AM, Antonio Dee Hotmail <[email protected]> wrote:

Thanks Rob, yup, I did search on the internet and got a list that I can practice with. I need to nail this down in my head really hard.

Cheers!

Antonio

From: Robert S Wyzykowski [mailto:[email protected]]
Sent: Monday, 18 May 2009 11:45 PM
To: Antonio Dee Hotmail
Cc: 'CCIE_RS OnlineStudyList'; [email protected]
Subject: Re: [OSL | CCIE_RS] ACL filtering blues

I had the same concern when I started practicing. You will find as you go through the labs you'll get plenty of practice. There are many examples on the Internet as well. Do a search for "ccie access-list". You'll get several hits. Below is an example of the type of information you can find on the web.

Questions and Answers:

1. Advertise only odd networks
210.8.40.0
210.8.41.0
210.8.42.0
210.8.43.0

even 40,42
40 0010 1000
42 0010 1010
   0000 0010

odd 41,43
41 0010 1001
43 0010 1011
   0000 0010

answer:
acl odd  210.8.41.0 0.0.2.x
acl even 210.8.40.0 0.0.2.x
x = 0 = route
x = 255 = host
don't care = 1
strings of 32 bits

-----

2. Pick only even /24s from 202.78.0.0/16. Make as few lines as possible, permit no more no less.
202.78.00000000.0
202.78.00000010.0
202.78.x.0
0  0000 0000
2  0000 0010
4  0000 0100
6  0000 0110
8  0000 1000
10 0000 1010
   1111 1110 = mask = 254

answer: 202.78.0.0 0.0.254.0
even: acl permit 202.78.0.0 0.0.254.0   (.0 on last octet means a route!)
odd : acl permit 202.78.1.0 0.0.254.0   (.0 on last octet means a route!)

-----

3. Group / Summarize in as few lines as possible
172.16.31.0
172.16.32.0
172.16.33.0
172.16.34.0

answer:
31.0
32.0 /22
deny 35.0
acl deny 172.16.35.0 0.0.0.0
acl permit 172.16.31.0 0.0.0.0
acl permit 172.16.32.0 0.0.3.0

31 0001 1111
32 0010 0000
33 0010 0001
34 0010 0010
35 0010 0011 <<--not present!
   0000 0011
Mask = (3), 2 bit position difference, so 2 to the 2 is 4, that's 32-35.

Tip: You can over-permit, but make sure you deny the over-permitted route.

------

4. Group / Summarize in as few lines as possible
172.16.31.0
172.16.32.0
172.16.33.0
172.16.34.0
172.16.35.0
172.16.36.0
172.16.37.0

answers:
acl permit 172.16.31.0 0.0.0.0
acl permit 172.16.32.0 0.0.3.0
acl permit 172.16.36.0 0.0.1.0
or
acl deny 172.16.38.0 0.0.1.0
acl permit 172.16.31.0 0.0.0.0
acl permit 172.16.32.0 0.0.7.0

Tip: Depending on how you group the routes according to the position, it will result in the same 3-line answer.

-------

5. Summarize in as few lines as possible.
168.192.3.0 /24
168.192.14.0 /24
168.208.11.0 /24
168.208.14.0 /24
168.208.3.0 /24
168.192.11.0 /24

- answer, group first.
168.192.3.0 /24
168.192.11.0 /24
168.208.3.0 /24
168.208.11.0 /24

168.192.14.0 /24
168.208.14.0 /24

then,
192 1100 0000
208 1101 0000
    0001 0000 mask = 16
3   0000 0011
11  0000 1011
    0000 1000 mask = 8
14  0000 1110

answer:
acl permit 168.192.3.0 0.16.8.0
acl permit 168.192.14.0 0.16.0.0

---

6. Summarize in as few lines as possible
207.49.164.0 /24
208.49.164.0 /24
205.49.165.0 /24
207.49.165.0 /24
192.49.164.0 /24

answer, group!
192.49.164.0 /24
208.49.164.0 /24
192 1100 0000
208 1101 0000
    0001 0000 mask 16

207.49.164.0 /24 <-stand alone.

207.49.165.0 /24
205.49.165.0 /24
205 1100 1101
207 1100 1111
    0000 0010 mask 2

answer:
acl permit 192.49.164.0 16.0.0.0
acl permit 205.49.165.0 2.0.0.0
acl permit 207.49.164.0 0.0.0.0

or

192.49.164.0 /24
208.49.164.0 /24
192 1100 0000
208 1101 0000
    0001 0000 mask 16

207.49.164.0 /24
207.49.165.0 /24
164 1010 0100
165 1010 0101
    0000 0001 mask 1

205.49.165.0 /24 <-stand alone.

so, another answer is:
acl permit 192.49.164.0 16.0.0.0
acl permit 207.49.164.0 0.0.1.0
acl permit 205.49.165.0 0.0.0.0

-----

7. Create an ACL in as few lines as possible
182.17.73.0
182.17.77.0
182.81.73.0
182.81.77.0
190.17.73.0
190.81.73.0
190.17.77.0
190.81.77.0

190 1011 1110
182 1011 0110
    0000 1000 mask 8
17  0001 0001
81  0101 0001
    0100 0000 mask 64
73  0100 1001
77  0100 1101
    0000 0100 mask = 4

In every octet there is a difference, so we can put this on a single entry!

answer:
acl permit 182.17.73.0 8.64.4.0

Checking tip: put in the middle network, say 190.81.73.0, and the mask; the router should put the lowest IP address (182.17.73.0) into the running config. This will ensure that you have computed the mask correctly.

----

I can't help it, I have a feeling this should come out and be part of the exam. Therefore this should be a must for all CCIE candidates to master!

Robert Wyzykowski
Manager, Global Telecommunications
IMERYS
30 Mansell Court East - Suite 220
Roswell, GA, USA
Phone: +1 770 645 3734
Mobile: +1 404-434 9000

From: "Antonio Dee Hotmail" <[email protected]>
To: "'CCIE_RS OnlineStudyList'" <[email protected]>
Date: 05/18/2009 09:52 AM
Subject: [OSL | CCIE_RS] ACL filtering blues

_____

Hi All,

Need some help on ACL calculation. This is a general ACL filtering scenario. I'm just practicing ACL filtering, especially the non-contiguous wildcards. I've injected this into my test router but I don't seem to get the logic of why it's this wildcard. Can somebody enlighten me on this? I know 0s in the wildcard are care bits and 1s are don't-care bits, just the opposite of a subnet mask.

Example Scenario:
I get these networks from a backbone router:
network 10.10.10.0
network 10.10.11.0
network 10.10.12.0
network 10.10.13.0
network 10.10.14.0
network 10.10.15.0
network 10.10.16.0

I want to filter on the third octet and allow only 10, 13, 14 to come in. I've been playing with various values on the wildcard, and the working value is 0.0.4.0, WHY????

Kind Regards,
Antonio
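The "binary math" from the thread (OR together every bit that differs, then check what the resulting entry really matches), as an added example that is not part of the mailing-list posts. It uses only the standard library; the function names are my own, and it also enumerates every network a non-contiguous wildcard lets through so the over-permitted routes that need an explicit deny (question 3) can be listed.

```python
import ipaddress
from typing import Iterable, List, Tuple

MASK32 = 0xFFFFFFFF


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _to_str(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def as_router_stores(address: str, wildcard: str) -> str:
    """Clear every don't-care bit. IOS keeps this form in the running config,
    which is the thread's checking tip: 190.81.73.0 8.64.4.0 -> 182.17.73.0."""
    return _to_str(_to_int(address) & ~_to_int(wildcard) & MASK32)


def wildcard_for(networks: Iterable[str]) -> Tuple[str, str]:
    """One ACL entry (address, wildcard) covering all given networks.
    The wildcard is the OR of every bit that differs between them."""
    ints = [_to_int(n) for n in networks]
    base = min(ints)
    wildcard = 0
    for value in ints:
        wildcard |= value ^ base
    return as_router_stores(_to_str(base), _to_str(wildcard)), _to_str(wildcard)


def matched_networks(address: str, wildcard: str) -> List[str]:
    """Every address the entry matches: 2**popcount(wildcard) of them,
    enumerated by walking all sub-masks of the don't-care bits."""
    wild = _to_int(wildcard)
    base = _to_int(address) & ~wild & MASK32
    out, sub = [], wild
    while True:
        out.append(_to_str(base | sub))
        if sub == 0:
            break
        sub = (sub - 1) & wild
    return sorted(out, key=_to_int)


def over_permitted(address: str, wildcard: str, wanted: Iterable[str]) -> List[str]:
    """Networks the entry lets through that were not asked for. Each of these
    needs an explicit deny above the permit, as in question 3 (deny 172.16.35.0)."""
    wanted_set = {as_router_stores(w, "0.0.0.0") for w in wanted}
    return [n for n in matched_networks(address, wildcard) if n not in wanted_set]
```

Running `wildcard_for` on Antonio's three networks (third octets 10, 13, 14) yields `10.10.8.0 0.0.7.0`, and `over_permitted` then shows the five extra /24s that one line would admit, which is why a single wildcard cannot express that set exactly.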
