Another thing to think about "creatively" while trying to follow the least amount of lines scenarios (or any as far as that goes) is to never rule out your first line in an ACL to be a deny statement.

I personally always write them out in binary. Do this enough times then you will begin to think in binary and then you will be assimilated :-)

Larry Hadrava
CCIE #12203 CCNP CCNA
Sr. Support Engineer – IPexpert, Inc.
URL: http://www.IPexpert.com

On Mon, Jun 8, 2009 at 4:36 PM, Kim Pedersen <[email protected]> wrote:
> How would you go about this?
>
> Kim
>
> Sent from my iPhone
>
> On 08/06/2009, at 21.35, "Rob" <[email protected]> wrote:
>
>> Kim,
>>
>> One thing that has helped me understand it is to do it in reverse. Instead of getting say 64 address and trying to convert them to one or more, I start with an answer I want and work my way backwards.
>>
>> I always start with the Binary answer when I do some of these problems.
>>
>> Once I could work them from both directions it made it easy to understand them.
>>
>> Rob
>>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On Behalf Of Kim Pedersen
>> Sent: Monday, June 08, 2009 2:04 PM
>> To: Joe Astorino
>> Cc: [email protected]
>> Subject: Re: [OSL | CCIE_RS] ACL Wildcards
>>
>> Will do :)
>>
>> I'm assuming it's one of the things you go through in the Bootcamps as well?
>>
>> Kim
>>
>> Joe Astorino wrote:
>>> If you have any specific issues let us know, we'll do our best to make it as clear as possible for you!
>>>
>>> Regards,
>>>
>>> Joe Astorino
>>> CCIE #24347 (R&S)
>>> Sr. Support Engineer - IPexpert, Inc.
>>> URL: http://www.IPexpert.com
>>>
>>> -----Original Message-----
>>> From: Kim Pedersen [mailto:[email protected]]
>>> Sent: Monday, June 08, 2009 2:52 PM
>>> To: Joe Astorino
>>> Cc: 'Tyson Scott'; [email protected]
>>> Subject: Re: [OSL | CCIE_RS] ACL Wildcards
>>>
>>> Hi,
>>>
>>> Okay, hope when I hit the workbooks something gets clearer on what exactly to go through :)
>>>
>>> Sincerely,
>>> Kim
>>>
>>> Joe Astorino wrote:
>>>> Yeah, you are right there is no "absolute" way like most things in this business. 2 lines is just an easy example to show the idea... I agree it becomes much more confusing with more. Writing things out always helps me to see the big picture clearer. When you write a line for an ACL think through in your head "OK what EXACT range of addresses does this permit/deny".
>>>>
>>>> Regards,
>>>>
>>>> Joe Astorino
>>>> CCIE #24347 (R&S)
>>>> Sr. Support Engineer - IPexpert, Inc.
>>>> URL: http://www.IPexpert.com
>>>>
>>>> -----Original Message-----
>>>> From: Kim Pedersen [mailto:[email protected]]
>>>> Sent: Monday, June 08, 2009 2:46 PM
>>>> To: Joe Astorino
>>>> Cc: 'Tyson Scott'; [email protected]
>>>> Subject: Re: [OSL | CCIE_RS] ACL Wildcards
>>>>
>>>> Hi Joe,
>>>>
>>>> Yeah, I can see that working with 2 lines, but how about more? :) And the VOD said it was not an absolute way... Phew.. confusing.
>>>>
>>>> Sincerely,
>>>> Kim
>>>>
>>>> Joe Astorino wrote:
>>>>> Once you do enough of them, you will find your own patterns and ways, but if you use simple subtraction and look for the difference to be a power of 2 that really helps! For instance in the first octet if you have say 192 and 200 ... 200 - 192 = 8 = 2^3 ... so you know you can match them both with 1 bit in the "8" place.
>>>>>
>>>>> Regards,
>>>>>
>>>>> Joe Astorino
>>>>> CCIE #24347 (R&S)
>>>>> Sr. Support Engineer - IPexpert, Inc.
>>>>> URL: http://www.IPexpert.com
>>>>>
>>>>> -----Original Message-----
>>>>> From: [email protected] [mailto:[email protected]] On Behalf Of Kim Pedersen
>>>>> Sent: Monday, June 08, 2009 2:27 PM
>>>>> To: Tyson Scott
>>>>> Cc: [email protected]
>>>>> Subject: Re: [OSL | CCIE_RS] ACL Wildcards
>>>>>
>>>>> Thanks for all of your help...
>>>>>
>>>>> When you guys do it, do you start by writing it all out in binary, or make an educated guess on what groups together? And is it best to start with the first octet and going forward, or the last going backwards?
>>>>>
>>>>> Again, Thanks!
>>>>>
>>>>> Sincerely,
>>>>> Kim Pedersen
>>>>>
>>>>> Tyson Scott wrote:
>>>>>> Yes Correct Kim,
>>>>>>
>>>>>> 194 and 193 can definitely be matched in one line if all the rest were the same. In your example none of those could be combined into one line without matching additional networks.
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> Tyson Scott - CCIE #13513 R&S and Security Technical Instructor - IPexpert, Inc.
>>>>>>
>>>>>> Telephone: +1.810.326.1444
>>>>>> Cell: +1.248.504.7309
>>>>>> Fax: +1.810.454.0130
>>>>>> Mailto: [email protected]
>>>>>>
>>>>>> Join our free online support and peer group communities: http://www.IPexpert.com/communities
>>>>>>
>>>>>> IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On Demand and Audio Certification Training Tools for the Cisco CCIE R&S Lab, CCIE Security Lab, CCIE Service Provider Lab, CCIE Voice Lab and CCIE Storage Lab Certifications.
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Kim Pedersen [mailto:[email protected]]
>>>>>> Sent: Monday, June 08, 2009 2:02 PM
>>>>>> To: Tyson Scott
>>>>>> Cc: 'Bryan Bartik'; [email protected]
>>>>>> Subject: Re: [OSL | CCIE_RS] ACL Wildcards
>>>>>>
>>>>>> Hi Tyson,
>>>>>>
>>>>>> In my example, those 4 bits are just in the first octet alone. So I'm assuming we really need to treat the entire address, and not just by octet?
>>>>>>
>>>>>> So there's no "set-in-stone" rules to go by, you just sort of have to group them, see if that matches and go from there?
>>>>>>
>>>>>> Finally, in my example, if I add the 193 prefix, I would have 6 bits of difference, so the closest I could do in one line is by matching 64 nets, and this would give an indication on whether I need to narrow it down?
>>>>>>
>>>>>> Sincerely,
>>>>>> Kim
>>>>>>
>>>>>> Tyson Scott wrote:
>>>>>>> Kim
>>>>>>>
>>>>>>> When it has a large amount of differences you need to find similarities between them to put them together
>>>>>>>
>>>>>>> 194 is 11000010
>>>>>>> 174 is 10101110
>>>>>>>
>>>>>>> This is 4 bit differences so you would have to have 16 entries to match them as one line without matching additional subnets
>>>>>>>
>>>>>>> It is important to also note if they say to not match any additional networks or if they just say to combine them to as few lines without specifying that you can't match additional networks as well.
>>>>>>>
>>>>>>> Regards,
>>>>>>>
>>>>>>> Tyson Scott - CCIE #13513 R&S and Security Technical Instructor - IPexpert, Inc.
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: [email protected] [mailto:[email protected]] On Behalf Of Kim Pedersen
>>>>>>> Sent: Monday, June 08, 2009 11:28 AM
>>>>>>> To: Bryan Bartik
>>>>>>> Cc: [email protected]
>>>>>>> Subject: Re: [OSL | CCIE_RS] ACL Wildcards
>>>>>>>
>>>>>>> Hi Bryan,
>>>>>>>
>>>>>>> I guess I didn't point out the problem (sounds soo serious :) ), but what if the question states: "make these into as few entries as possible", and they are soo different that it might not end up in one entry (again, with difference in multiple octets).
>>>>>>>
>>>>>>> For example (no logic behind choosing these):
>>>>>>> 194.64.0.96/27
>>>>>>> 174.34.87.64/26
>>>>>>> 193.23.10.8/30
>>>>>>> ...
>>>>>>> Next, imagine 32 addresses just like this :)
>>>>>>>
>>>>>>> How do you go about breaking all of this down?
>>>>>>>
>>>>>>> Sincerely,
>>>>>>> Kim Pedersen
>>>>>>>
>>>>>>> Bryan Bartik wrote:
>>>>>>>> Kim, even if there is more than one octet you still can look at the number of bits that are different. Example:
>>>>>>>>
>>>>>>>> 192.168.0.0
>>>>>>>> 192.168.0.1
>>>>>>>> 192.168.1.0
>>>>>>>> 192.168.1.1
>>>>>>>>
>>>>>>>> The above addresses have 2 bits (bit 0 in the 3rd and 4th octets) that differ and we can combine them in one ACL.
>>>>>>>>
>>>>>>>> 3rd and 4th octets:
>>>>>>>> 0000 0000 | 0000 0000
>>>>>>>> 0000 0000 | 0000 0001
>>>>>>>> 0000 0001 | 0000 0000
>>>>>>>> 0000 0001 | 0000 0001
>>>>>>>>
>>>>>>>> 0000 0000 | 0000 0000 AND
>>>>>>>> 0000 0001 | 0000 0001 XOR
>>>>>>>>
>>>>>>>> 192.168.0.0 0.0.1.1 would be the ACL entry.
>>>>>>>>
>>>>>>>> -hth
>>>>>>>>
>>>>>>>> Bryan Bartik
>>>>>>>> CCIE #23707 (R&S), CCNP
>>>>>>>> Sr. Support Engineer - IPexpert, Inc.
>>>>>>>> URL: http://www.IPexpert.com
>>>>>>>>
>>>>>>>> On Mon, Jun 8, 2009 at 7:47 AM, Rodriguez, Jorge <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Jeremy this should help you in doing the calculating wildcard mask
>>>>>>>>>
>>>>>>>>> http://www.internetworkexpert.com/resources/01700370.htm
>>>>>>>>>
>>>>>>>>> http://blog.internetworkexpert.com/2007/12/26/q-how-do-i-compute-complex-wildcard-masks-for-access-lists/
>>>>>>>>>
>>>>>>>>> Rgds
>>>>>>>>>
>>>>>>>>> Jorge
>>>>>>>>>
>>>>>>>>> From: [email protected] [mailto:[email protected]] On Behalf Of JEREMY FURR (RIT Student)
>>>>>>>>> Sent: Friday, June 05, 2009 10:12 AM
>>>>>>>>> To: [email protected]
>>>>>>>>> Subject: [OSL | CCIE_RS] ACL Wildcards
>>>>>>>>>
>>>>>>>>> Does anyone know of a website or book that explains well how ACL wildcards work? I have been trying to filter out four blocks from a bunch of route advertisements but just can't get the three I want through. This is what I have: R2 is originating 192.168.2.0/24 through 192.168.15.0/24 in RIP to R1. I want to only accept blocks 192.168.5.0, 192.168.10.0, 192.168.13.0 and 192.168.14.0.
>>>>>>>>>
>>>>>>>>> If I use acl with 192.168.10.0 0.0.4.0, I will get 10 and 14 but not thirteen. For the 5 network I just use the 192.168.5.0 0.0.0.255.
>>>>>>>>>
>>>>>>>>> Any thoughts or help would be appreciated.
>>>>>>>>>
>>>>>>>>> Jeremy Furr
>>>>>>>>> [email protected]
>>
>> --
>> // Freedom Matters
>> // Follow my progress on: http://kpjungle.wordpress.com
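Bryan's AND/XOR method and Tyson's caveat about a combined line matching networks that were never on the list, worked through in Python as an added example (not code from anyone in this thread). The function names and the greedy "largest exact group first" grouping are my own; it is run on Jeremy's original four /24s from the bottom of the thread.

```python
from ipaddress import IPv4Address
from itertools import combinations


def combine(nets):
    """One ACL entry covering every network in nets (Bryan's method).

    Address = bitwise AND of the networks; wildcard = every bit that
    differs between any two of them.  Returns (address, wildcard, extra),
    where extra is how many networks NOT in nets the entry also matches:
    n wildcard bits always match 2**n networks (Tyson's caveat).
    """
    vals = [int(IPv4Address(n)) for n in nets]
    address, wildcard = vals[0], 0
    for v in vals:
        address &= v             # keep only bits common to all networks
        wildcard |= v ^ vals[0]  # collect bits that differ anywhere
    extra = 2 ** bin(wildcard).count("1") - len(set(vals))
    return str(IPv4Address(address)), str(IPv4Address(wildcard)), extra


def greedy_exact_entries(nets):
    """Entries that match exactly nets and nothing else, largest group first.

    Repeatedly takes the biggest subset whose combined entry has extra == 0.
    Brute force over combinations: fine for a lab question with a handful
    of networks, not for hundreds.  Greedy is usually, not provably, minimal.
    """
    remaining, entries = set(nets), []
    while remaining:
        for size in range(len(remaining), 0, -1):
            group = next((g for g in combinations(sorted(remaining), size)
                          if combine(g)[2] == 0), None)
            if group:
                entries.append(combine(group)[:2])
                remaining -= set(group)
                break
    return entries


if __name__ == "__main__":
    # Jeremy's question: accept only 192.168.5.0, .10.0, .13.0 and .14.0
    wanted = ["192.168.5.0", "192.168.10.0", "192.168.13.0", "192.168.14.0"]
    print(combine(wanted))             # one line would let 12 unwanted /24s in
    for addr, wc in greedy_exact_entries(wanted):
        print(f"permit {addr} {wc}")   # two exact lines cover all four
```

Tyson's 194/174 pair comes out with a 108 wildcard in the first octet and 14 unwanted matches, and adding 193 as Kim proposed raises the differing bits to six, i.e. 64 networks matched.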
