If you have any specific issues let us know, we'll do our best to make it as clear as possible for you!
Regards,

Joe Astorino
CCIE #24347 (R&S)
Sr. Support Engineer - IPexpert, Inc.
URL: http://www.IPexpert.com

-----Original Message-----
From: Kim Pedersen [mailto:[email protected]]
Sent: Monday, June 08, 2009 2:52 PM
To: Joe Astorino
Cc: 'Tyson Scott'; [email protected]
Subject: Re: [OSL | CCIE_RS] ACL Wildcards

Hi,

Okay, hope when I hit the workbooks something gets clearer on what exactly to go through :)

Sincerely,
Kim

Joe Astorino wrote:
> Yeah, you are right there is no "absolute" way like most things in this business. 2 lines is just an easy example to show the idea...I agree it becomes much more confusing with more. Writing things out always helps me to see the big picture clearer. When you write a line for an ACL think through in your head "OK what EXACT range of addresses does this permit/deny"
>
> Regards,
>
> Joe Astorino
> CCIE #24347 (R&S)
> Sr. Support Engineer - IPexpert, Inc.
> URL: http://www.IPexpert.com
>
> -----Original Message-----
> From: Kim Pedersen [mailto:[email protected]]
> Sent: Monday, June 08, 2009 2:46 PM
> To: Joe Astorino
> Cc: 'Tyson Scott'; [email protected]
> Subject: Re: [OSL | CCIE_RS] ACL Wildcards
>
> Hi Joe,
>
> Yeah, I can see that working with 2 lines, but how about more? :)
> And the VOD said it was not an absolute way...
> Phew.. confusing.
>
> Sincerely,
> Kim
>
> Joe Astorino wrote:
>> Once you do enough of them, you will find your own patterns and ways, but if you use simple subtraction and look for the difference to be a power of 2 that really helps! For instance in the first octet if you have say 192 and 200 ... 200 - 192 = 8 = 2^3 ...so you know you can match them both with 1 bit in the "8" place.
>>
>> Regards,
>>
>> Joe Astorino
>> CCIE #24347 (R&S)
>> Sr. Support Engineer - IPexpert, Inc.
>> URL: http://www.IPexpert.com
>>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On Behalf Of Kim Pedersen
>> Sent: Monday, June 08, 2009 2:27 PM
>> To: Tyson Scott
>> Cc: [email protected]
>> Subject: Re: [OSL | CCIE_RS] ACL Wildcards
>>
>> Thanks for all of your help...
>>
>> When you guys do it, do you start by writing it all out in binary, or make an educated guess on what groups together? And is it best to start with the first octet and go forward, or the last and go backwards?
>>
>> Again, thanks!
>>
>> Sincerely,
>> Kim Pedersen
>>
>> Tyson Scott wrote:
>>> Yes, correct Kim,
>>>
>>> 194 and 193 can definitely be matched in one line if all the rest were the same. In your example none of those could be combined into one line without matching additional networks.
>>>
>>> Regards,
>>>
>>> Tyson Scott - CCIE #13513 R&S and Security
>>> Technical Instructor - IPexpert, Inc.
>>>
>>> Telephone: +1.810.326.1444
>>> Cell: +1.248.504.7309
>>> Fax: +1.810.454.0130
>>> Mailto: [email protected]
>>>
>>> Join our free online support and peer group communities: http://www.IPexpert.com/communities
>>>
>>> IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On Demand and Audio Certification Training Tools for the Cisco CCIE R&S Lab, CCIE Security Lab, CCIE Service Provider Lab, CCIE Voice Lab and CCIE Storage Lab Certifications.
>>>
>>> -----Original Message-----
>>> From: Kim Pedersen [mailto:[email protected]]
>>> Sent: Monday, June 08, 2009 2:02 PM
>>> To: Tyson Scott
>>> Cc: 'Bryan Bartik'; [email protected]
>>> Subject: Re: [OSL | CCIE_RS] ACL Wildcards
>>>
>>> Hi Tyson,
>>>
>>> In my example, those 4 bits are just in the first octet alone. So I'm assuming we really need to treat the entire address, and not just by octet?
>>>
>>> So there's no "set-in-stone" rules to go by, you just sort of have to group them, see if that matches and go from there?
>>>
>>> Finally, in my example, if I add the 193 prefix, I would have 6 bits of difference, so the closest I could do in one line is by matching 64 nets, and this would give an indication on whether I need to narrow it down?
>>>
>>> Sincerely,
>>> Kim
>>>
>>> Tyson Scott wrote:
>>>> Kim
>>>>
>>>> When it has a large amount of differences you need to find similarities between them to put them together
>>>>
>>>> 194 is 11000010
>>>> 174 is 10101110
>>>>
>>>> This is 4 bit differences so you would have to have 16 entries to match them as one line without matching additional subnets
>>>>
>>>> It is important to also note if they say to not match any additional networks or if they just say to combine them to as few lines without specifying that you can't match additional networks as well.
>>>>
>>>> Regards,
>>>>
>>>> Tyson Scott - CCIE #13513 R&S and Security
>>>> Technical Instructor - IPexpert, Inc.
>>>>
>>>> Telephone: +1.810.326.1444
>>>> Cell: +1.248.504.7309
>>>> Fax: +1.810.454.0130
>>>> Mailto: [email protected]
>>>>
>>>> Join our free online support and peer group communities: http://www.IPexpert.com/communities
>>>>
>>>> IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On Demand and Audio Certification Training Tools for the Cisco CCIE R&S Lab, CCIE Security Lab, CCIE Service Provider Lab, CCIE Voice Lab and CCIE Storage Lab Certifications.
>>>>
>>>> -----Original Message-----
>>>> From: [email protected] [mailto:[email protected]] On Behalf Of Kim Pedersen
>>>> Sent: Monday, June 08, 2009 11:28 AM
>>>> To: Bryan Bartik
>>>> Cc: [email protected]
>>>> Subject: Re: [OSL | CCIE_RS] ACL Wildcards
>>>>
>>>> Hi Bryan,
>>>>
>>>> I guess I didn't point out the problem (sounds soo serious :) ), but what if the question states: "make these into as few entries as possible", and they are soo different that it might not end up in one entry (again, with difference in multiple octets).
>>>>
>>>> For example (no logic behind choosing these):
>>>> 194.64.0.96/27
>>>> 174.34.87.64/26
>>>> 193.23.10.8/30
>>>> ...
>>>> Next, imagine 32 addresses just like this :)
>>>>
>>>> How do you go about breaking all of this down?
>>>>
>>>> Sincerely,
>>>> Kim Pedersen
>>>>
>>>> Bryan Bartik wrote:
>>>>> Kim, even if there is more than one octet you still can look at the number of bits that are different. Example:
>>>>>
>>>>> 192.168.0.0
>>>>> 192.168.0.1
>>>>> 192.168.1.0
>>>>> 192.168.1.1
>>>>>
>>>>> The above addresses have 2 bits (bit 0 in the 3rd and 4th octets) that differ and we can combine them in one ACL.
>>>>>
>>>>> 3rd and 4th octets:
>>>>> 0000 0000 | 0000 0000
>>>>> 0000 0000 | 0000 0001
>>>>> 0000 0001 | 0000 0000
>>>>> 0000 0001 | 0000 0001
>>>>>
>>>>> 0000 0000 | 0000 0000 AND
>>>>> 0000 0001 | 0000 0001 XOR
>>>>>
>>>>> 192.168.0.0 0.0.1.1 would be the ACL entry.
>>>>>
>>>>> -hth
>>>>>
>>>>> Bryan Bartik
>>>>> CCIE #23707 (R&S), CCNP
>>>>> Sr. Support Engineer - IPexpert, Inc.
>>>>> URL: http://www.IPexpert.com
>>>>>
>>>>> On Mon, Jun 8, 2009 at 7:47 AM, Rodriguez, Jorge <[email protected]> wrote:
>>>>>
>>>>> Jeremy this should help you in doing the calculating wildcard mask
>>>>>
>>>>> http://www.internetworkexpert.com/resources/01700370.htm
>>>>>
>>>>> http://blog.internetworkexpert.com/2007/12/26/q-how-do-i-compute-complex-wildcard-masks-for-access-lists/
>>>>>
>>>>> Rgds
>>>>>
>>>>> Jorge
>>>>>
>>>>> From: [email protected] [mailto:[email protected]] On Behalf Of JEREMY FURR (RIT Student)
>>>>> Sent: Friday, June 05, 2009 10:12 AM
>>>>> To: [email protected]
>>>>> Subject: [OSL | CCIE_RS] ACL Wildcards
>>>>>
>>>>> Does anyone know of a website or book that explains well how ACL wildcards work? I have been trying to filter out four blocks from a bunch of route advertisements but just can't get the three I want through. This is what I have: R2 is originating 192.168.2.0/24 through 192.168.15.0/24 in RIP to R1. I want to only accept blocks 192.168.5.0, 192.168.10.0, 192.168.13.0 and 192.168.14.0
>>>>>
>>>>> If I use acl with 192.168.10.0 0.0.4.0, I will get 10 and 14 but not thirteen. For the 5 network I just use the 192.168.5.0 0.0.0.255.
>>>>>
>>>>> Any thoughts or help would be appreciated.
>>>>>
>>>>> Jeremy Furr
>>>>> [email protected]

--
// Freedom Matters //
Follow my progress on: http://kpjungle.wordpress.com
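Bryan's AND/XOR recipe and Jeremy's 192.168.10.0 0.0.4.0 attempt, carried through in code as an added example (not from the thread or from IPexpert): the functions below derive the single wildcard line for a set of networks, report whether that line over-matches (Tyson's "matching additional networks"), and list which advertised networks a given line actually lets through. Cisco wildcard semantics are assumed: a 0 bit must match, a 1 bit is "don't care".

```python
# Added example (not from the thread): build the one-line Cisco-style
# wildcard entry covering a list of IPv4 networks and check whether that
# line also permits networks the author did not list (over-matching).
from ipaddress import IPv4Address

def to_int(addr: str) -> int:
    return int(IPv4Address(addr))

def to_str(value: int) -> str:
    return str(IPv4Address(value))

def wildcard_entry(addresses):
    """Return (base, wildcard) as dotted quads using Bryan's AND/XOR method.

    base     = AND of every address (the bits they all share)
    wildcard = OR of (addr XOR base): a 1 marks a bit position that varies,
               which is exactly the 'don't care' meaning of a wildcard bit
    """
    ints = [to_int(a) for a in addresses]
    base = ints[0]
    for v in ints[1:]:
        base &= v
    wildcard = 0
    for v in ints:
        wildcard |= v ^ base
    return to_str(base), to_str(wildcard)

def matches(base: str, wildcard: str, addr: str) -> bool:
    """True if addr is matched by the entry 'base wildcard' (0 bits must agree)."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)

def covered_count(wildcard: str) -> int:
    """Addresses one entry matches: 2 ** (number of 1 bits in the wildcard)."""
    return 1 << bin(to_int(wildcard)).count("1")

def overmatches(addresses) -> bool:
    """True if no single line matches exactly this set (it lets extra ones in)."""
    _, wc = wildcard_entry(addresses)
    return covered_count(wc) > len(set(addresses))

def permitted(base: str, wildcard: str, candidates):
    """The candidate networks an entry actually lets through."""
    return [c for c in candidates if matches(base, wildcard, c)]
```

For Jeremy's four networks the single line comes out as 192.168.0.0 0.0.15.0, which also admits every other block from 192.168.2.0 through 192.168.15.0 that he wants filtered, so the set needs more than one line if nothing extra may pass.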
