I just pick 2 binary numbers at random. Just remember your power of 2 as you create a mask. An example is just something I came up with off the top of my head as I wrote this email.
01001110 01010110 01110100 00000000 (for /24 networks)
That means my first network will be 78.86.116.0/24

00010001 00000001 10000000 11111111 (Just like VOD the 4th octet is my hosts)
This represents 17.1.128.255 as a wildcard mask.

I then count the # of 1's. In this case in the 3 octets I get 4. 2^4 = 16 so I know that there will be 16 subnets.

I start with the 3rd octet in this case. Since there is only a single 1 in the 3rd octet then I know there can only be two possible numbers. I already have 116 so I just need to find the other by flipping that single bit. In this case it is 244. Take note now the third octet is either 116 or 244.

Now do the 2nd octet. Again only one bit can change so I again only have two choices. 86 or 87.

Now for the first octet. I have two 1's, that means I have 4 possible numbers by flipping those two bits. I already know 78 is one so by flipping the bits I get the following 3 numbers as well (79, 94, and 95).

Now I put them all together.

78.86.116.0/24 what I started with.
78.86.244.0/24
78.87.116.0/24
78.87.244.0/24
79.86.116.0/24
79.86.244.0/24
79.87.116.0/24
79.87.244.0/24
94.86.116.0/24
94.86.244.0/24
94.87.116.0/24
94.87.244.0/24
95.86.116.0/24
95.86.244.0/24
95.87.116.0/24
95.87.244.0/24

Now I know 78.86.116.0/24 with a mask of 17.1.128.255 will give me those networks. I can then change the 78.86.116.0 to something different and come up with a whole new grouping of 16 networks.

If I want the answer to have multiple lines then I just repeat the process and change the base network, the mask or both. I then end up with another group of IP addresses. If you do this enough then you can have several practice questions to review in a few months when you have moved on to other topics.

Since you are just picking random binary digits the network you are basing the mask off of can be any one of the 16. It may not always be the lowest IP network as it is in this case.

If you like, you can go in the opposite direction for practice. Yes you know the answer already, but it never hurts to work the steps again in the opposite direction. Change all 16 networks to binary and look for the bits that change and those that remain the same.

Hope this helps.

Rob

-----Original Message-----
From: Kim Pedersen [mailto:[email protected]]
Sent: Monday, June 08, 2009 3:37 PM
To: Rob
Cc: <[email protected]>
Subject: Re: [OSL | CCIE_RS] ACL Wildcards

How would you go about this?

Kim

Sent from my iPhone

On 08/06/2009, at 21.35, "Rob" <[email protected]> wrote:

> Kim,
>
> One thing that has helped me understand it is to do it in reverse. Instead
> of getting say 64 addresses and trying to convert them to one or more, I start
> with an answer I want and work my way backwards.
>
> I always start with the Binary answer when I do some of these problems.
>
> Once I could work them from both directions it made it easy to understand
> them.
>
> Rob
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Kim Pedersen
> Sent: Monday, June 08, 2009 2:04 PM
> To: Joe Astorino
> Cc: [email protected]
> Subject: Re: [OSL | CCIE_RS] ACL Wildcards
>
> Will do :)
>
> I'm assuming it's one of the things you go through in the Bootcamps as well?
>
> Kim
>
> Joe Astorino wrote:
>> If you have any specific issues let us know, we'll do our best to make it as
>> clear as possible for you!
>>
>> Regards,
>>
>> Joe Astorino
>> CCIE #24347 (R&S)
>> Sr. Support Engineer - IPexpert, Inc.
>> URL: http://www.IPexpert.com
>>
>> -----Original Message-----
>> From: Kim Pedersen [mailto:[email protected]]
>> Sent: Monday, June 08, 2009 2:52 PM
>> To: Joe Astorino
>> Cc: 'Tyson Scott'; [email protected]
>> Subject: Re: [OSL | CCIE_RS] ACL Wildcards
>>
>> Hi,
>>
>> Okay, hope when I hit the workbooks something gets clearer on what exactly
>> to go through :)
>>
>> Sincerely,
>> Kim
>>
>> Joe Astorino wrote:
>>
>>> Yeah, you are right there is no "absolute" way like most things in
>>> this business. 2 lines is just an easy example to show the idea...I
>>> agree it becomes much more confusing with more. Writing things out
>>> always helps me to see the big picture clearer. When you write a line
>>> for an ACL think through in your head "OK what EXACT range of
>>> addresses does this permit/deny"
>>>
>>> Regards,
>>>
>>> Joe Astorino
>>> CCIE #24347 (R&S)
>>> Sr. Support Engineer - IPexpert, Inc.
>>> URL: http://www.IPexpert.com
>>>
>>> -----Original Message-----
>>> From: Kim Pedersen [mailto:[email protected]]
>>> Sent: Monday, June 08, 2009 2:46 PM
>>> To: Joe Astorino
>>> Cc: 'Tyson Scott'; [email protected]
>>> Subject: Re: [OSL | CCIE_RS] ACL Wildcards
>>>
>>> Hi Joe,
>>>
>>> Yeah, I can see that working with 2 lines, but how about more? :)
>>> and the VOD said it was not an absolute way...
>>> Phew.. confusing.
>>>
>>> Sincerely,
>>> Kim
>>>
>>> Joe Astorino wrote:
>>>
>>>> Once you do enough of them, you will find your own patterns and ways,
>>>> but if you use simple subtraction and look for the difference to be a
>>>> power of 2 that really helps! For instance in the first octet if you
>>>> have say 192 and 200 ... 200 - 192 = 8 = 2^3 ...so you know you can
>>>> match them both with 1 bit in the "8" place.
>>>>
>>>> Regards,
>>>>
>>>> Joe Astorino
>>>> CCIE #24347 (R&S)
>>>> Sr. Support Engineer - IPexpert, Inc.
>>>> URL: http://www.IPexpert.com
>>>>
>>>> -----Original Message-----
>>>> From: [email protected]
>>>> [mailto:[email protected]] On Behalf Of Kim Pedersen
>>>> Sent: Monday, June 08, 2009 2:27 PM
>>>> To: Tyson Scott
>>>> Cc: [email protected]
>>>> Subject: Re: [OSL | CCIE_RS] ACL Wildcards
>>>>
>>>> Thanks for all of your help...
>>>>
>>>> When you guys do it, do you start by writing it all out in binary,
>>>> or make an educated guess on what groups together? and it is best to
>>>> start with the first octet and going forward, or the last going backwards?
>>>>
>>>> Again, Thanks!
>>>>
>>>> Sincerely,
>>>> Kim Pedersen
>>>>
>>>> Tyson Scott wrote:
>>>>
>>>>> Yes Correct Kim,
>>>>>
>>>>> 194 and 193 can definitely be matched in one line if all the rest
>>>>> were the same. In your example none of those could be combined into
>>>>> one line without matching additional networks.
>>>>>
>>>>> Regards,
>>>>>
>>>>> Tyson Scott - CCIE #13513 R&S and Security Technical Instructor -
>>>>> IPexpert, Inc.
>>>>>
>>>>> Telephone: +1.810.326.1444
>>>>> Cell: +1.248.504.7309
>>>>> Fax: +1.810.454.0130
>>>>> Mailto: [email protected]
>>>>>
>>>>> Join our free online support and peer group communities:
>>>>> http://www.IPexpert.com/communities
>>>>>
>>>>> IPexpert - The Global Leader in Self-Study, Classroom-Based, Video
>>>>> On Demand and Audio Certification Training Tools for the Cisco CCIE
>>>>> R&S Lab, CCIE Security Lab, CCIE Service Provider Lab, CCIE Voice
>>>>> Lab and CCIE Storage Lab Certifications.
>>>>>
>>>>> -----Original Message-----
>>>>> From: Kim Pedersen [mailto:[email protected]]
>>>>> Sent: Monday, June 08, 2009 2:02 PM
>>>>> To: Tyson Scott
>>>>> Cc: 'Bryan Bartik'; [email protected]
>>>>> Subject: Re: [OSL | CCIE_RS] ACL Wildcards
>>>>>
>>>>> Hi Tyson,
>>>>>
>>>>> In my example, those 4 bits are just in the first octet alone.
>>>>> So I'm assuming we really need to treat the entire address, and not
>>>>> just by octet?
>>>>>
>>>>> So there's no "set-in-stone" rules to go by, you just sort of have
>>>>> to group them, see if that matches and go from there?
>>>>>
>>>>> Finally, in my example, if I add the 193 prefix, I would have 6
>>>>> bits of difference, so the closest I could do in one line is by
>>>>> matching 64 nets, and this would give an indication on whether I
>>>>> need to narrow it down?
>>>>>
>>>>> Sincerely,
>>>>> Kim
>>>>>
>>>>> Tyson Scott wrote:
>>>>>
>>>>>> Kim
>>>>>>
>>>>>> When it has a large amount of differences you need to find
>>>>>> similarities between them to put them together
>>>>>>
>>>>>> 194 is 11000010
>>>>>> 174 is 10101110
>>>>>>
>>>>>> This is 4 bit differences so you would have to have 16 entries to
>>>>>> match them as one line without matching additional subnets
>>>>>>
>>>>>> It is important to also note if they say to not match any
>>>>>> additional networks or if they just say to combine them to as few
>>>>>> lines without specifying that you can't match additional
>>>>>> networks as well.
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> Tyson Scott - CCIE #13513 R&S and Security Technical Instructor -
>>>>>> IPexpert, Inc.
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: [email protected]
>>>>>> [mailto:[email protected]] On Behalf Of Kim Pedersen
>>>>>> Sent: Monday, June 08, 2009 11:28 AM
>>>>>> To: Bryan Bartik
>>>>>> Cc: [email protected]
>>>>>> Subject: Re: [OSL | CCIE_RS] ACL Wildcards
>>>>>>
>>>>>> Hi Bryan,
>>>>>>
>>>>>> I guess I didn't point out the problem (sounds soo serious :) ),
>>>>>> but what if the question states: "make these into as few entries as
>>>>>> possible", and they are soo different that it might not end up in
>>>>>> one entry (again, with difference in multiple octets).
>>>>>>
>>>>>> For example (no logic behind choosing these):
>>>>>> 194.64.0.96/27
>>>>>> 174.34.87.64/26
>>>>>> 193.23.10.8/30
>>>>>> ...
>>>>>> Next, imagine 32 addresses just like this :)
>>>>>>
>>>>>> How do you go about breaking all of this down?
>>>>>>
>>>>>> Sincerely,
>>>>>> Kim Pedersen
>>>>>>
>>>>>> Bryan Bartik wrote:
>>>>>>
>>>>>>> Kim, even if there is more than one octet you still can look at
>>>>>>> the number of bits that are different. Example:
>>>>>>>
>>>>>>> 192.168.0.0
>>>>>>> 192.168.0.1
>>>>>>> 192.168.1.0
>>>>>>> 192.168.1.1
>>>>>>>
>>>>>>> The above addresses have 2 bits (bit 0 in the 3rd and 4th octets)
>>>>>>> that differ and we can combine them in one ACL.
>>>>>>>
>>>>>>> 3rd and 4th octets:
>>>>>>> 0000 0000 | 0000 0000
>>>>>>> 0000 0000 | 0000 0001
>>>>>>> 0000 0001 | 0000 0000
>>>>>>> 0000 0001 | 0000 0001
>>>>>>>
>>>>>>> 0000 0000 | 0000 0000 AND
>>>>>>> 0000 0001 | 0000 0001 XOR
>>>>>>>
>>>>>>> 192.168.0.0 0.0.1.1 would be the ACL entry.
>>>>>>>
>>>>>>> -hth
>>>>>>>
>>>>>>> Bryan Bartik
>>>>>>> CCIE #23707 (R&S), CCNP
>>>>>>> Sr. Support Engineer - IPexpert, Inc.
>>>>>>> URL: http://www.IPexpert.com
>>>>>>>
>>>>>>> On Mon, Jun 8, 2009 at 7:47 AM, Rodriguez, Jorge
>>>>>>> <[email protected]> wrote:
>>>>>>>
>>>>>>>     Jeremy this should help you in doing the calculating wildcard mask
>>>>>>>
>>>>>>>     http://www.internetworkexpert.com/resources/01700370.htm
>>>>>>>
>>>>>>>     http://blog.internetworkexpert.com/2007/12/26/q-how-do-i-compute-complex-wildcard-masks-for-access-lists/
>>>>>>>
>>>>>>>     Rgds
>>>>>>>
>>>>>>>     Jorge
>>>>>>>
>>>>>>>     *From:* [email protected]
>>>>>>>     [mailto:[email protected]] *On Behalf Of* JEREMY FURR (RIT Student)
>>>>>>>     *Sent:* Friday, June 05, 2009 10:12 AM
>>>>>>>     *To:* [email protected]
>>>>>>>     *Subject:* [OSL | CCIE_RS] ACL Wildcards
>>>>>>>
>>>>>>>     Does anyone know of a website or book that explains well how ACL
>>>>>>>     wildcards work? I have been trying to filter out four blocks from
>>>>>>>     a bunch of route advertisements but just can't get the three I want
>>>>>>>     through, this is what I have R2 is originating 192.168.2.0/24
>>>>>>>     through 192.168.15.0/24 in RIP to R1.
>>>>>>>     I want to only accept
>>>>>>>     blocks 192.168.5.0, 192.168.10.0, 192.168.13.0 and 192.168.14.0
>>>>>>>
>>>>>>>     If I use acl with 192.168.10.0 0.0.4.0, I will get 10 and 14 but
>>>>>>>     not thirteen. For the 5 network I just use the 192.168.5.0
>>>>>>>     0.0.0.255.
>>>>>>>
>>>>>>>     Any thoughts or help would be appreciated.
>>>>>>>
>>>>>>>     Jeremy Furr
>>>>>>>
>>>>>>>     [email protected]
>
> --
>
> // Freedom Matters
> // Follow my progress on: http://kpjungle.wordpress.com
>
> No virus found in this incoming message.
> Checked by AVG - www.avg.com
> Version: 8.5.339 / Virus Database: 270.12.43/2139 - Release Date: 06/08/09 06:01:00
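
Added example, not part of any message in this thread: a Python sketch of both directions discussed above, expanding a base address and wildcard mask into every network it matches, and deriving the single covering entry for a list of networks together with the extra networks that entry would also match. The function names expand and summarize are illustrative, and the host octet of the wildcard is set to 0 so that only network numbers are listed.

```python
import ipaddress
from functools import reduce

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def to_str(value):
    return str(ipaddress.IPv4Address(value))

def expand(base, wildcard):
    """All addresses matched by 'base wildcard' (a 1 bit in the wildcard = don't care)."""
    base_i, wild_i = to_int(base), to_int(wildcard)
    results = [base_i & ~wild_i & 0xFFFFFFFF]          # bits that must match, free bits cleared
    for n in range(32):
        if wild_i >> n & 1:                            # each free bit doubles the match count
            results += [r | (1 << n) for r in results]
    return [to_str(r) for r in sorted(results)]

def summarize(networks):
    """One entry covering every network, plus the networks it matches that were not asked for."""
    values = [to_int(n) for n in networks]
    common = reduce(lambda a, b: a & b, values)          # AND: bits set in every address (the base)
    wild = reduce(lambda a, b: a | b, values) ^ common   # bits that differ somewhere (the wildcard)
    extras = set(expand(to_str(common), to_str(wild))) - set(networks)
    return to_str(common), to_str(wild), sorted(extras, key=to_int)

if __name__ == "__main__":
    # Rob's example; host octet of the wildcard set to 0 to list networks only.
    for net in expand("78.86.116.0", "17.1.128.0"):
        print(net + "/24")
    # Bryan's four addresses collapse into one exact entry.
    print(summarize(["192.168.0.0", "192.168.0.1", "192.168.1.0", "192.168.1.1"]))
    # Jeremy's 10, 13 and 14: a single entry would also match five other networks.
    print(summarize(["192.168.10.0", "192.168.13.0", "192.168.14.0"]))
```

An empty third element means the entry matches exactly the networks listed; a non-empty one lists what an ACL line written that way would additionally permit or deny.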
