Kim,

One thing that has helped me understand it is to do it in reverse. Instead of getting, say, 64 addresses and trying to convert them to one or more, I start with an answer I want and work my way backwards. I always start with the binary answer when I do some of these problems. Once I could work them from both directions it made it easy to understand them.

Rob

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Kim Pedersen
Sent: Monday, June 08, 2009 2:04 PM
To: Joe Astorino
Cc: [email protected]
Subject: Re: [OSL | CCIE_RS] ACL Wildcards

Will do :) I'm assuming it's one of the things you go through in the Bootcamps as well?

Kim

Joe Astorino wrote:
> If you have any specific issues let us know, we'll do our best to make it as clear as possible for you!
>
> Regards,
>
> Joe Astorino
> CCIE #24347 (R&S)
> Sr. Support Engineer - IPexpert, Inc.
> URL: http://www.IPexpert.com
>
> -----Original Message-----
> From: Kim Pedersen [mailto:[email protected]]
> Sent: Monday, June 08, 2009 2:52 PM
> To: Joe Astorino
> Cc: 'Tyson Scott'; [email protected]
> Subject: Re: [OSL | CCIE_RS] ACL Wildcards
>
> Hi,
>
> Okay, hope when I hit the workbooks something gets clearer on what exactly to go through :)
>
> Sincerely,
> Kim
>
> Joe Astorino wrote:
>> Yeah, you are right there is no "absolute" way like most things in this business. 2 lines is just an easy example to show the idea... I agree it becomes much more confusing with more. Writing things out always helps me to see the big picture clearer. When you write a line for an ACL think through in your head "OK what EXACT range of addresses does this permit/deny".
>>
>> Regards,
>>
>> Joe Astorino
>> CCIE #24347 (R&S)
>> Sr. Support Engineer - IPexpert, Inc.
>> URL: http://www.IPexpert.com
>>
>> -----Original Message-----
>> From: Kim Pedersen [mailto:[email protected]]
>> Sent: Monday, June 08, 2009 2:46 PM
>> To: Joe Astorino
>> Cc: 'Tyson Scott'; [email protected]
>> Subject: Re: [OSL | CCIE_RS] ACL Wildcards
>>
>> Hi Joe,
>>
>> Yeah, I can see that working with 2 lines, but how about more? :) And the VOD said it was not an absolute way... Phew.. confusing.
>>
>> Sincerely,
>> Kim
>>
>> Joe Astorino wrote:
>>> Once you do enough of them, you will find your own patterns and ways, but if you use simple subtraction and look for the difference to be a power of 2 that really helps! For instance in the first octet if you have say 192 and 200 ... 200 - 192 = 8 = 2^3 ... so you know you can match them both with 1 bit in the "8" place.
>>>
>>> Regards,
>>>
>>> Joe Astorino
>>> CCIE #24347 (R&S)
>>> Sr. Support Engineer - IPexpert, Inc.
>>> URL: http://www.IPexpert.com
>>>
>>> -----Original Message-----
>>> From: [email protected] [mailto:[email protected]] On Behalf Of Kim Pedersen
>>> Sent: Monday, June 08, 2009 2:27 PM
>>> To: Tyson Scott
>>> Cc: [email protected]
>>> Subject: Re: [OSL | CCIE_RS] ACL Wildcards
>>>
>>> Thanks for all of your help...
>>>
>>> When you guys do it, do you start by writing it all out in binary, or make an educated guess on what groups together? And is it best to start with the first octet and going forward, or the last going backwards?
>>>
>>> Again, thanks!
>>>
>>> Sincerely,
>>> Kim Pedersen
>>>
>>> Tyson Scott wrote:
>>>> Yes, correct Kim,
>>>>
>>>> 194 and 193 can definitely be matched in one line if all the rest were the same. In your example none of those could be combined into one line without matching additional networks.
>>>>
>>>> Regards,
>>>>
>>>> Tyson Scott - CCIE #13513 R&S and Security Technical Instructor - IPexpert, Inc.
>>>>
>>>> Telephone: +1.810.326.1444
>>>> Cell: +1.248.504.7309
>>>> Fax: +1.810.454.0130
>>>> Mailto: [email protected]
>>>>
>>>> Join our free online support and peer group communities: http://www.IPexpert.com/communities
>>>>
>>>> IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On Demand and Audio Certification Training Tools for the Cisco CCIE R&S Lab, CCIE Security Lab, CCIE Service Provider Lab, CCIE Voice Lab and CCIE Storage Lab Certifications.
>>>>
>>>> -----Original Message-----
>>>> From: Kim Pedersen [mailto:[email protected]]
>>>> Sent: Monday, June 08, 2009 2:02 PM
>>>> To: Tyson Scott
>>>> Cc: 'Bryan Bartik'; [email protected]
>>>> Subject: Re: [OSL | CCIE_RS] ACL Wildcards
>>>>
>>>> Hi Tyson,
>>>>
>>>> In my example, those 4 bits are just in the first octet alone. So I'm assuming we really need to treat the entire address, and not just by octet?
>>>>
>>>> So there's no "set-in-stone" rules to go by, you just sort of have to group them, see if that matches and go from there?
>>>>
>>>> Finally, in my example, if I add the 193 prefix, I would have 6 bits of difference, so the closest I could do in one line is by matching 64 nets, and this would give an indication on whether I need to narrow it down?
>>>>
>>>> Sincerely,
>>>> Kim
>>>>
>>>> Tyson Scott wrote:
>>>>> Kim
>>>>>
>>>>> When it has a large amount of differences you need to find similarities between them to put them together.
>>>>>
>>>>> 194 is 11000010
>>>>> 174 is 10101110
>>>>>
>>>>> This is 4 bit differences so you would have to have 16 entries to match them as one line without matching additional subnets.
>>>>>
>>>>> It is important to also note if they say to not match any additional networks or if they just say to combine them to as few lines without specifying that you can't match additional networks as well.
>>>>>
>>>>> Regards,
>>>>>
>>>>> Tyson Scott - CCIE #13513 R&S and Security Technical Instructor - IPexpert, Inc.
>>>>>
>>>>> Telephone: +1.810.326.1444
>>>>> Cell: +1.248.504.7309
>>>>> Fax: +1.810.454.0130
>>>>> Mailto: [email protected]
>>>>>
>>>>> Join our free online support and peer group communities: http://www.IPexpert.com/communities
>>>>>
>>>>> IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On Demand and Audio Certification Training Tools for the Cisco CCIE R&S Lab, CCIE Security Lab, CCIE Service Provider Lab, CCIE Voice Lab and CCIE Storage Lab Certifications.
>>>>>
>>>>> -----Original Message-----
>>>>> From: [email protected] [mailto:[email protected]] On Behalf Of Kim Pedersen
>>>>> Sent: Monday, June 08, 2009 11:28 AM
>>>>> To: Bryan Bartik
>>>>> Cc: [email protected]
>>>>> Subject: Re: [OSL | CCIE_RS] ACL Wildcards
>>>>>
>>>>> Hi Bryan,
>>>>>
>>>>> I guess I didn't point out the problem (sounds soo serious :) ), but what if the question states: "make these into as few entries as possible", and they are soo different that it might not end up in one entry (again, with difference in multiple octets).
>>>>>
>>>>> For example (no logic behind choosing these):
>>>>> 194.64.0.96/27
>>>>> 174.34.87.64/26
>>>>> 193.23.10.8/30
>>>>> ...
>>>>> Next, imagine 32 addresses just like this :)
>>>>>
>>>>> How do you go about breaking all of this down?
>>>>>
>>>>> Sincerely,
>>>>> Kim Pedersen
>>>>>
>>>>> Bryan Bartik wrote:
>>>>>> Kim, even if there is more than one octet you still can look at the number of bits that are different. Example:
>>>>>>
>>>>>> 192.168.0.0
>>>>>> 192.168.0.1
>>>>>> 192.168.1.0
>>>>>> 192.168.1.1
>>>>>>
>>>>>> The above addresses have 2 bits (bit 0 in the 3rd and 4th octets) that differ and we can combine them in one ACL.
>>>>>>
>>>>>> 3rd and 4th octets:
>>>>>> 0000 0000 | 0000 0000
>>>>>> 0000 0000 | 0000 0001
>>>>>> 0000 0001 | 0000 0000
>>>>>> 0000 0001 | 0000 0001
>>>>>>
>>>>>> 0000 0000 | 0000 0000 AND
>>>>>> 0000 0001 | 0000 0001 XOR
>>>>>>
>>>>>> 192.168.0.0 0.0.1.1 would be the ACL entry.
>>>>>>
>>>>>> -hth
>>>>>>
>>>>>> Bryan Bartik
>>>>>> CCIE #23707 (R&S), CCNP
>>>>>> Sr. Support Engineer - IPexpert, Inc.
>>>>>> URL: http://www.IPexpert.com
>>>>>>
>>>>>> On Mon, Jun 8, 2009 at 7:47 AM, Rodriguez, Jorge <[email protected]> wrote:
>>>>>>
>>>>>> Jeremy, this should help you in doing the calculating of wildcard masks:
>>>>>>
>>>>>> http://www.internetworkexpert.com/resources/01700370.htm
>>>>>> http://blog.internetworkexpert.com/2007/12/26/q-how-do-i-compute-complex-wildcard-masks-for-access-lists/
>>>>>>
>>>>>> Rgds
>>>>>>
>>>>>> Jorge
>>>>>>
>>>>>> From: [email protected] [mailto:[email protected]] On Behalf Of JEREMY FURR (RIT Student)
>>>>>> Sent: Friday, June 05, 2009 10:12 AM
>>>>>> To: [email protected]
>>>>>> Subject: [OSL | CCIE_RS] ACL Wildcards
>>>>>>
>>>>>> Does anyone know of a website or book that explains well how ACL wildcards work? I have been trying to filter out four blocks from a bunch of route advertisements but just can't get the three I want through. This is what I have: R2 is originating 192.168.2.0/24 through 192.168.15.0/24 in RIP to R1. I want to only accept blocks 192.168.5.0, 192.168.10.0, 192.168.13.0 and 192.168.14.0.
>>>>>>
>>>>>> If I use an ACL with 192.168.10.0 0.0.4.0, I will get 10 and 14 but not thirteen. For the 5 network I just use 192.168.5.0 0.0.0.255.
>>>>>>
>>>>>> Any thoughts or help would be appreciated.
>>>>>>
>>>>>> Jeremy Furr
>>>>>> [email protected]

--
// Freedom Matters //
Follow my progress on: http://kpjungle.wordpress.com
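As an added example that is not part of the thread, the AND/XOR method Bryan describes, written out in Python for any number of networks, together with the check Tyson raises for the additional networks a combined line would also match; the input list is constructed from Jeremy's four /24 routes and the function names are my own.

```python
# Added example, not from the thread: Bryan's AND/XOR wildcard method for any
# number of networks, plus Tyson's check for "additional networks" that the
# combined line would also match.
from ipaddress import IPv4Address, IPv4Network
from itertools import product

def wildcard_entry(networks):
    """One ACL line (base, wildcard) covering every network in `networks`.
    base = AND of all network addresses (bits common to all); wildcard =
    bits that differ in at least one (OR of all XOR AND of all) plus the
    host bits of the widest prefix, so whole prefixes are matched."""
    nets = [IPv4Network(n) for n in networks]
    addrs = [int(n.network_address) for n in nets]
    common, any_set = addrs[0], addrs[0]
    for a in addrs[1:]:
        common &= a
        any_set |= a
    host_bits = max(int(n.hostmask) for n in nets)
    return IPv4Address(common), IPv4Address((any_set ^ common) | host_bits)

def matched_prefixes(base, wildcard, prefixlen):
    """Every /prefixlen network the line (base, wildcard) matches; each
    wildcard bit above the host portion doubles the count (4 bits -> 16)."""
    host_bits = (1 << (32 - prefixlen)) - 1
    free = [b for b in range(32)
            if int(wildcard) >> b & 1 and not host_bits >> b & 1]
    nets = []
    for choice in product((0, 1), repeat=len(free)):
        addr = int(base)
        for bit, value in zip(free, choice):
            addr |= value << bit
        nets.append(IPv4Network((addr, prefixlen)))
    return [str(n) for n in sorted(nets)]

def extra_networks(networks):
    """Networks the combined line matches that were not asked for."""
    base, wc = wildcard_entry(networks)
    plen = min(IPv4Network(n).prefixlen for n in networks)
    wanted = {str(IPv4Network(n)) for n in networks}
    return [n for n in matched_prefixes(base, wc, plen) if n not in wanted]

# Constructed input: Jeremy's four /24 routes from the thread.
JEREMY = ["192.168.5.0/24", "192.168.10.0/24",
          "192.168.13.0/24", "192.168.14.0/24"]

if __name__ == "__main__":
    print(wildcard_entry(JEREMY), len(extra_networks(JEREMY)))
    for pair in (JEREMY[1::2], JEREMY[0::2]):  # (10, 14) and (5, 13)
        print(wildcard_entry(pair), extra_networks(pair))
```

Running it shows that one line for all four routes (192.168.0.0 0.0.15.255) pulls in twelve networks that were not asked for, while the pairs 10/14 and 5/13 each collapse to a single line with no extras.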
