Thanks all of you for your huge help in this matter.

Tyson, great job with the PDF.

Sincerely,
Kim

Tyson Scott wrote:

I have written a quick document that I have put into PDF for the rules I follow for ACL Wildcards. I am not sure if I can attach on this list or not. If the PDF is not attached to this email let me know and I will post the PDF to the config section of R&S Customers in ipexpert.com

Regards,

Tyson Scott - CCIE #13513 R&S and Security

Technical Instructor - IPexpert, Inc.


Telephone: +1.810.326.1444
Cell: +1.248.504.7309
Fax: +1.810.454.0130
Mailto: [email protected]

Join our free online support and peer group communities: http://www.IPexpert.com/communities

IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On Demand and Audio Certification Training Tools for the Cisco CCIE R&S Lab, CCIE Security Lab, CCIE Service Provider Lab , CCIE Voice Lab and CCIE Storage Lab Certifications.

*From:* [email protected] [mailto:[email protected]] *On Behalf Of *Larry Hadrava
*Sent:* Monday, June 08, 2009 8:45 PM
*To:* Kim Pedersen
*Cc:* <[email protected]>
*Subject:* Re: [OSL | CCIE_RS] ACL Wildcards

Another thing to think about "creatively" while trying to follow the fewest-lines scenarios (or any, as far as that goes) is to never rule out your first line in an ACL being a deny statement.

I personally always write them out in binary. Do this enough times and you will begin to think in binary, and then you will be assimilated :-)

Larry Hadrava
CCIE #12203 CCNP CCNA
Sr. Support Engineer – IPexpert, Inc.
URL: http://www.IPexpert.com

On Mon, Jun 8, 2009 at 4:36 PM, Kim Pedersen <[email protected]> wrote:

How would you go about this?

Kim

Sent from my iPhone

On 08/06/2009, at 21.35, "Rob" <[email protected]> wrote:

Kim,

One thing that has helped me understand it is to do it in reverse. Instead of getting, say, 64 addresses and trying to convert them to one or more, I start with an answer I want and work my way backwards.

I always start with the binary answer when I do some of these problems.

Once I could work them from both directions it made it easy to understand them.

Rob

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Kim Pedersen
Sent: Monday, June 08, 2009 2:04 PM
To: Joe Astorino
Cc: [email protected]
Subject: Re: [OSL | CCIE_RS] ACL Wildcards

Will do :)

I'm assuming it's one of the things you go through in the Bootcamps as well?

Kim

Joe Astorino wrote:

If you have any specific issues let us know, we'll do our best to make it as clear as possible for you!


Regards,

Joe Astorino
CCIE #24347 (R&S)
Sr. Support Engineer - IPexpert, Inc.
URL: http://www.IPexpert.com

-----Original Message-----
From: Kim Pedersen [mailto:[email protected]]
Sent: Monday, June 08, 2009 2:52 PM
To: Joe Astorino
Cc: 'Tyson Scott'; [email protected]
Subject: Re: [OSL | CCIE_RS] ACL Wildcards

Hi,

Okay, hope when I hit the workbooks something gets clearer on what exactly to go through :)

Sincerely,
Kim

Joe Astorino wrote:

Yeah, you are right, there is no "absolute" way, like most things in this business. 2 lines is just an easy example to show the idea... I agree it becomes much more confusing with more. Writing things out always helps me to see the big picture clearer. When you write a line for an ACL, think through in your head "OK, what EXACT range of addresses does this permit/deny?"


Regards,

Joe Astorino
CCIE #24347 (R&S)
Sr. Support Engineer - IPexpert, Inc.
URL: http://www.IPexpert.com

-----Original Message-----
From: Kim Pedersen [mailto:[email protected]]
Sent: Monday, June 08, 2009 2:46 PM
To: Joe Astorino
Cc: 'Tyson Scott'; [email protected]
Subject: Re: [OSL | CCIE_RS] ACL Wildcards

Hi Joe,

Yeah, I can see that working with 2 lines, but how about more? :)
And the VOD said it was not an absolute way...
Phew... confusing.

Sincerely,
Kim

Joe Astorino wrote:

Once you do enough of them, you will find your own patterns and ways, but if you use simple subtraction and look for the difference to be a power of 2, that really helps! For instance, in the first octet, if you have say 192 and 200... 200 - 192 = 8 = 2^3... so you know you can match them both with 1 bit in the "8" place.


Regards,

Joe Astorino
CCIE #24347 (R&S)
Sr. Support Engineer - IPexpert, Inc.
URL: http://www.IPexpert.com

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Kim Pedersen
Sent: Monday, June 08, 2009 2:27 PM
To: Tyson Scott
Cc: [email protected]
Subject: Re: [OSL | CCIE_RS] ACL Wildcards

Thanks for all of your help...

When you guys do it, do you start by writing it all out in binary, or make an educated guess on what groups together? And is it best to start with the first octet and go forward, or the last and go backwards?

    Again, thanks!

    Sincerely,
    Kim Pedersen

    Tyson Scott wrote:


    Yes, correct Kim,

    194 and 193 can definitely be matched in one line if all the rest were the same. In your example none of those could be combined into one line without matching additional networks.

    Regards,

    Tyson Scott - CCIE #13513 R&S and Security
    Technical Instructor - IPexpert, Inc.

    Telephone: +1.810.326.1444
    Cell: +1.248.504.7309
    Fax: +1.810.454.0130
    Mailto: [email protected]

    Join our free online support and peer group communities:
    http://www.IPexpert.com/communities

    IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On Demand and Audio Certification Training Tools for the Cisco CCIE R&S Lab, CCIE Security Lab, CCIE Service Provider Lab, CCIE Voice Lab and CCIE Storage Lab Certifications.

    -----Original Message-----
    From: Kim Pedersen [mailto:[email protected]]
    Sent: Monday, June 08, 2009 2:02 PM
    To: Tyson Scott
    Cc: 'Bryan Bartik'; [email protected]
    Subject: Re: [OSL | CCIE_RS] ACL Wildcards

    Hi Tyson,

    In my example, those 4 bits are just in the first octet alone. So I'm assuming we really need to treat the entire address, and not just go by octet?

    So there's no "set-in-stone" rules to go by, you just sort of have to group them, see if that matches and go from there?

    Finally, in my example, if I add the 193 prefix, I would have 6 bits of difference, so the closest I could do in one line is by matching 64 nets, and this would give an indication on whether I need to narrow it down?

    Sincerely,
    Kim

    Tyson Scott wrote:

    Kim,

    When it has a large amount of differences you need to find similarities between them to put them together.

    194 is 11000010
    174 is 10101110

    This is a 4-bit difference, so you would have to have 16 entries to match them as one line without matching additional subnets.

    It is important to also note if they say to not match any additional networks, or if they just say to combine them into as few lines as possible without specifying that you can't match additional networks as well.

        Regards,

        Tyson Scott - CCIE #13513 R&S and Security
        Technical Instructor - IPexpert, Inc.

        Telephone: +1.810.326.1444
        Cell: +1.248.504.7309
        Fax: +1.810.454.0130
        Mailto: [email protected]

        Join our free online support and peer group communities:
        http://www.IPexpert.com/communities

        IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On Demand and Audio Certification Training Tools for the Cisco CCIE R&S Lab, CCIE Security Lab, CCIE Service Provider Lab, CCIE Voice Lab and CCIE Storage Lab Certifications.

        -----Original Message-----
        From: [email protected] [mailto:[email protected]] On Behalf Of Kim Pedersen
        Sent: Monday, June 08, 2009 11:28 AM
        To: Bryan Bartik
        Cc: [email protected]
        Subject: Re: [OSL | CCIE_RS] ACL Wildcards

        Hi Bryan,

        I guess I didn't point out the problem (sounds so serious :) ), but what if the question states: "make these into as few entries as possible", and they are so different that it might not end up in one entry (again, with differences in multiple octets).

        For example (no logic behind choosing these):
        194.64.0.96/27
        174.34.87.64/26
        193.23.10.8/30
        ...
        Next, imagine 32 addresses just like this :)

        How do you go about breaking all of this down?

        Sincerely,
        Kim Pedersen

        Bryan Bartik wrote:

        Kim, even if there is more than one octet you still can look at
        the number of bits that are different. Example:

        192.168.0.0
        192.168.0.1
        192.168.1.0
        192.168.1.1

        The above addresses have 2 bits (bit 0 in the 3rd and 4th octets)
        that differ and we can combine them in one ACL.

        3rd and 4th octets:
        0000 0000 | 0000 0000
        0000 0000 | 0000 0001
        0000 0001 | 0000 0000
        0000 0001 | 0000 0001

        0000 0000 | 0000 0000 AND
        0000 0001 | 0000 0001 XOR

        192.168.0.0 0.0.1.1 would be the ACL entry.

        -hth

        Bryan Bartik
        CCIE #23707 (R&S), CCNP
        Sr. Support Engineer - IPexpert, Inc.
        URL: http://www.IPexpert.com

        On Mon, Jun 8, 2009 at 7:47 AM, Rodriguez, Jorge <[email protected]> wrote:

        Jeremy, this should help you in calculating the wildcard mask:

        http://www.internetworkexpert.com/resources/01700370.htm

        http://blog.internetworkexpert.com/2007/12/26/q-how-do-i-compute-complex-wildcard-masks-for-access-lists/






        Rgds

        Jorge

        *From:* [email protected] [mailto:[email protected]] *On Behalf Of *JEREMY FURR (RIT Student)
        *Sent:* Friday, June 05, 2009 10:12 AM
        *To:* [email protected]
        *Subject:* [OSL | CCIE_RS] ACL Wildcards



            Does anyone know of a website or book that explains well how ACL wildcards work? I have been trying to filter out four blocks from a bunch of route advertisements but just can't get the three I want through. This is what I have: R2 is originating 192.168.2.0/24 through 192.168.15.0/24 in RIP to R1. I want to only accept blocks 192.168.5.0, 192.168.10.0, 192.168.13.0 and 192.168.14.0.

            If I use an ACL with 192.168.10.0 0.0.4.0, I will get 10 and 14 but not thirteen. For the 5 network I just use the 192.168.5.0 0.0.0.255.

            Any thoughts or help would be appreciated.

            Jeremy Furr

            [email protected]




--

// Freedom Matters
// Follow my progress on: http://kpjungle.wordpress.com <http://kpjungle.wordpress.com/>




--

// Freedom Matters
// Follow my progress on: http://kpjungle.wordpress.com
