Hi,
Okay, hope when I hit the workbooks something gets clearer on what exactly to go through :)
Sincerely,
Kim
Joe Astorino wrote:
Yeah, you are right there is no "absolute" way like most things in this
business. 2 lines is just an easy example to show the idea...I agree it
becomes much more confusing with more. Writing things out always helps me
to see the big picture clearer. When you write a line for an ACL think
through in your head "OK what EXACT range of addresses does this
permit/deny"
Regards,
Joe Astorino
CCIE #24347 (R&S)
Sr. Support Engineer - IPexpert, Inc.
URL: http://www.IPexpert.com
-----Original Message-----
From: Kim Pedersen [mailto:[email protected]]
Sent: Monday, June 08, 2009 2:46 PM
To: Joe Astorino
Cc: 'Tyson Scott'; [email protected]
Subject: Re: [OSL | CCIE_RS] ACL Wildcards
Hi Joe,
Yeah, I can see that working with 2 lines, but how about more? :) And the VOD said it was not an absolute way...
Phew.. confusing.
Sincerely,
Kim
Joe Astorino wrote:
Once you do enough of them, you will find your own patterns and ways,
but if you use simple subtraction and look for the difference to be a
power of 2 that really helps! For instance in the first octet if you
have say 192 and 200 ... 200 - 192 = 8 = 2^3 ...so you know you can
match them both with 1 bit in the "8" place.
Regards,
Joe Astorino
CCIE #24347 (R&S)
Sr. Support Engineer - IPexpert, Inc.
URL: http://www.IPexpert.com
-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Kim Pedersen
Sent: Monday, June 08, 2009 2:27 PM
To: Tyson Scott
Cc: [email protected]
Subject: Re: [OSL | CCIE_RS] ACL Wildcards
Thanks for all of your help...
When you guys do it, do you start by writing it all out in binary, or make an educated guess on what groups together? And is it best to start with the first octet and go forward, or with the last and go backwards?
Again, Thanks!
Sincerely,
Kim Pedersen
Tyson Scott wrote:
Yes, correct Kim,
194 and 193 can definitely be matched in one line if all the rest were the same. In your example none of those could be combined into one line without matching additional networks.
Regards,
Tyson Scott - CCIE #13513 R&S and Security Technical Instructor - IPexpert, Inc.
Telephone: +1.810.326.1444
Cell: +1.248.504.7309
Fax: +1.810.454.0130
Mailto: [email protected]
Join our free online support and peer group communities:
http://www.IPexpert.com/communities
IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On Demand and Audio Certification Training Tools for the Cisco CCIE R&S Lab, CCIE Security Lab, CCIE Service Provider Lab, CCIE Voice Lab and CCIE Storage Lab Certifications.
-----Original Message-----
From: Kim Pedersen [mailto:[email protected]]
Sent: Monday, June 08, 2009 2:02 PM
To: Tyson Scott
Cc: 'Bryan Bartik'; [email protected]
Subject: Re: [OSL | CCIE_RS] ACL Wildcards
Hi Tyson,
In my example, those 4 bits are just in the first octet alone. So I'm assuming we really need to treat the entire address, and not just go by octet?
So there are no "set-in-stone" rules to go by, you just sort of have to group them, see if that matches and go from there?
Finally, in my example, if I add the 193 prefix, I would have 6 bits of difference, so the closest I could do in one line is by matching 64 nets, and this would give an indication on whether I need to narrow it down?
Sincerely,
Kim
Tyson Scott wrote:
Kim,
When it has a large amount of differences you need to find similarities between them to put them together.
194 is 11000010
174 is 10101110
That is 4 bits of difference, so you would have to have 16 entries to match them as one line without matching additional subnets.
It is important to also note whether they say not to match any additional networks, or whether they just say to combine them into as few lines as possible without specifying that you can't match additional networks as well.
Regards,
Tyson Scott - CCIE #13513 R&S and Security Technical Instructor - IPexpert, Inc.
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Kim Pedersen
Sent: Monday, June 08, 2009 11:28 AM
To: Bryan Bartik
Cc: [email protected]
Subject: Re: [OSL | CCIE_RS] ACL Wildcards
Hi Bryan,
I guess I didn't point out the problem (sounds soo serious :) ), but what if the question states: "make these into as few entries as possible", and they are soo different that it might not end up in one entry (again, with differences in multiple octets).
For example (no logic behind choosing these):
194.64.0.96/27
174.34.87.64/26
193.23.10.8/30
...
Next, imagine 32 addresses just like this :)
How do you go about breaking all of this down?
Sincerely,
Kim Pedersen
Bryan Bartik wrote:
Kim, even if there is more than one octet you still can look at the
number of bits that are different. Example:
192.168.0.0
192.168.0.1
192.168.1.0
192.168.1.1
The above addresses have 2 bits (bit 0 in the 3rd and 4th octets)
that differ and we can combine them in one ACL.
3rd and 4th octets:
0000 0000 | 0000 0000
0000 0000 | 0000 0001
0000 0001 | 0000 0000
0000 0001 | 0000 0001
0000 0000 | 0000 0000 AND
0000 0001 | 0000 0001 XOR
192.168.0.0 0.0.1.1 would be the ACL entry.
-hth
Bryan Bartik
CCIE #23707 (R&S), CCNP
Sr. Support Engineer - IPexpert, Inc.
URL: http://www.IPexpert.com
On Mon, Jun 8, 2009 at 7:47 AM, Rodriguez, Jorge <[email protected]> wrote:
Jeremy, this should help you in calculating wildcard masks:
http://www.internetworkexpert.com/resources/01700370.htm
http://blog.internetworkexpert.com/2007/12/26/q-how-do-i-compute-complex-wildcard-masks-for-access-lists/
Rgds
Jorge
From: [email protected] [mailto:[email protected]] On Behalf Of JEREMY FURR (RIT Student)
Sent: Friday, June 05, 2009 10:12 AM
To: [email protected]
Subject: [OSL | CCIE_RS] ACL Wildcards
Does anyone know of a website or book that explains well how ACL wildcards work? I have been trying to filter out four blocks from a bunch of route advertisements but just can't get the three I want through. This is what I have: R2 is originating 192.168.2.0/24 through 192.168.15.0/24 in RIP to R1. I want to only accept blocks 192.168.5.0, 192.168.10.0, 192.168.13.0 and 192.168.14.0.
If I use an ACL with 192.168.10.0 0.0.4.0, I will get 10 and 14 but not 13. For the 5 network I just use 192.168.5.0 0.0.0.255.
Any thoughts or help would be appreciated.
Jeremy Furr
[email protected]
--
// Freedom Matters
// Follow my progress on: http://kpjungle.wordpress.com
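Bryan's AND/XOR construction, Tyson's "4 bits of difference means 16 networks" count and Jeremy's four-route problem can all be checked mechanically. The following is a worked example added for this page; it is not code posted by anyone in the thread, the function names are the editor's own, and it uses only Python's standard library. `summarize` builds the single entry covering a set of addresses (network = AND of all addresses, wildcard = OR of the XOR differences), `covered` counts how many addresses that entry matches (2 to the power of the number of 1 bits in the wildcard), `matches` applies Cisco's wildcard semantics (a 1 bit means "don't care") to one address, and `fewest_exact_entries` goes beyond the thread's single-line examples and searches for the smallest set of entries that match the given addresses and nothing else. The sample addresses are the ones quoted in the thread.

```python
import ipaddress
from itertools import combinations

MASK32 = 0xFFFFFFFF


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def to_str(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def summarize(addrs):
    """One ACL entry covering every address in `addrs`.

    network  = bitwise AND of all addresses (the bits they all share)
    wildcard = OR of each address XOR the first one (a 1 marks a bit that
               differs somewhere in the set, i.e. a 'don't care' bit)
    Returns (network, wildcard) as dotted strings.
    """
    ints = [to_int(a) for a in addrs]
    network, wildcard = ints[0], 0
    for value in ints[1:]:
        network &= value
        wildcard |= value ^ ints[0]
    return to_str(network), to_str(wildcard)


def matches(entry, addr: str) -> bool:
    """Cisco wildcard semantics: compare only the bits where the wildcard is 0."""
    network, wildcard = (to_int(x) for x in entry)
    care = MASK32 & ~wildcard
    return (to_int(addr) & care) == (network & care)


def covered(entry) -> int:
    """Number of distinct addresses an entry matches: 2 ** (1 bits in the wildcard)."""
    return 2 ** bin(to_int(entry[1])).count("1")


def is_exact(addrs) -> bool:
    """True when summarize(addrs) matches exactly those addresses and no others."""
    return covered(summarize(addrs)) == len(set(addrs))


def fewest_exact_entries(addrs):
    """Smallest list of (network, wildcard) entries matching exactly `addrs`.

    Exhaustive search pruned by the best answer so far: fine for the handful
    of prefixes in a lab task, not meant for thousands of routes.
    """
    addrs = sorted(set(addrs), key=to_int)
    best = None

    def search(remaining, chosen):
        nonlocal best
        if best is not None and len(chosen) >= len(best):
            return
        if not remaining:
            best = list(chosen)
            return
        first, rest = remaining[0], remaining[1:]
        size = 1  # largest power of two not exceeding the remaining count
        while size * 2 <= len(remaining):
            size *= 2
        while size >= 1:  # try the biggest exact group containing `first` first
            for combo in combinations(rest, size - 1):
                group = (first,) + combo
                if is_exact(group):
                    leftover = [a for a in rest if a not in combo]
                    search(leftover, chosen + [summarize(group)])
            size //= 2

    search(addrs, [])
    return best


if __name__ == "__main__":
    # Bryan's example: two differing bits, one entry, nothing extra matched
    bryan = ["192.168.0.0", "192.168.0.1", "192.168.1.0", "192.168.1.1"]
    print(summarize(bryan), is_exact(bryan))
    # Tyson's example: 194 and 174 differ in 4 bits, so one line covers 16 first octets
    print(covered(summarize(["194.0.0.0", "174.0.0.0"])))
    # Jeremy's problem: 192.168.10.0 0.0.4.0 matches 14 but not 13 ...
    print(matches(("192.168.10.0", "0.0.4.0"), "192.168.13.0"))
    # ... and the four wanted routes need two entries, each matching nothing else
    jeremy = ["192.168.5.0", "192.168.10.0", "192.168.13.0", "192.168.14.0"]
    for net, wild in fewest_exact_entries(jeremy):
        print(f"access-list 10 permit {net} {wild}")
```

`covered(entry) - len(intended)` is the number of extra networks an entry lets through, which is the distinction Tyson raises between "as few lines as possible" and "as few lines as possible without matching anything additional". For Jeremy's list the search finds 192.168.5.0 0.0.8.0 (5 and 13) plus 192.168.10.0 0.0.4.0 (10 and 14); no single entry can take all four without also admitting the other twelve /24s in the range.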