Hi Tyson, can't see your attachment PDF, I guess I just have to grab it from the ipexpert.com site.

Cheers
Antonio

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Kim Pedersen
Sent: Tuesday, 9 June 2009 5:38 PM
To: Tyson Scott
Cc: [email protected]
Subject: Re: [OSL | CCIE_RS] ACL Wildcards

Thanks all of you for your huge help in this matter. Tyson, great job with the PDF.

Sincerely,
Kim

Tyson Scott wrote:
> I have written a quick document that I have put into PDF for the rules
> I follow for ACL Wildcards. I am not sure if I can attach on this list
> or not. If the PDF is not attached to this email let me know and I
> will post the PDF to the config section of R&S Customers in ipexpert.com
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S and Security
> Technical Instructor - IPexpert, Inc.
> Telephone: +1.810.326.1444
> Cell: +1.248.504.7309
> Fax: +1.810.454.0130
> Mailto: [email protected]
>
> Join our free online support and peer group communities:
> http://www.IPexpert.com/communities
>
> IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On
> Demand and Audio Certification Training Tools for the Cisco CCIE R&S
> Lab, CCIE Security Lab, CCIE Service Provider Lab, CCIE Voice Lab and
> CCIE Storage Lab Certifications.
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Larry Hadrava
> Sent: Monday, June 08, 2009 8:45 PM
> To: Kim Pedersen
> Cc: [email protected]
> Subject: Re: [OSL | CCIE_RS] ACL Wildcards
>
> Another thing to think about "creatively" while trying to follow the
> least amount of lines scenarios (or any as far as that goes) is to
> never rule out your first line in an ACL to be a deny statement.
>
> I personally always write them out in binary. Do this enough times,
> then you will begin to think in binary and then you will be assimilated :-)
>
> Larry Hadrava
> CCIE #12203 CCNP CCNA
> Sr. Support Engineer - IPexpert, Inc.
> URL: http://www.IPexpert.com
>
> On Mon, Jun 8, 2009 at 4:36 PM, Kim Pedersen <[email protected]> wrote:
>
> How would you go about this?
>
> Kim
>
> Sent from my iPhone
>
> On 08/06/2009, at 21.35, "Rob" <[email protected]> wrote:
>
> Kim,
>
> One thing that has helped me understand it is to do it in reverse. Instead
> of getting, say, 64 addresses and trying to convert them to one or more, I
> start with an answer I want and work my way backwards.
>
> I always start with the binary answer when I do some of these problems.
>
> Once I could work them from both directions it made it easy to understand
> them.
>
> Rob
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Kim Pedersen
> Sent: Monday, June 08, 2009 2:04 PM
> To: Joe Astorino
> Cc: [email protected]
> Subject: Re: [OSL | CCIE_RS] ACL Wildcards
>
> Will do :)
>
> I'm assuming it's one of the things you go through in the Bootcamps as well?
>
> Kim
>
> Joe Astorino wrote:
>
> If you have any specific issues let us know, we'll do our best to make it
> as clear as possible for you!
>
> Regards,
>
> Joe Astorino
> CCIE #24347 (R&S)
> Sr. Support Engineer - IPexpert, Inc.
> URL: http://www.IPexpert.com
>
> -----Original Message-----
> From: Kim Pedersen [mailto:[email protected]]
> Sent: Monday, June 08, 2009 2:52 PM
> To: Joe Astorino
> Cc: 'Tyson Scott'; [email protected]
> Subject: Re: [OSL | CCIE_RS] ACL Wildcards
>
> Hi,
>
> Okay, hope when I hit the workbooks something gets clearer on what
> exactly to go through :)
>
> Sincerely,
> Kim
>
> Joe Astorino wrote:
>
> Yeah, you are right, there is no "absolute" way, like most things in
> this business. 2 lines is just an easy example to show the idea... I
> agree it becomes much more confusing with more. Writing things out
> always helps me to see the big picture clearer. When you write a line
> for an ACL think through in your head "OK, what EXACT range of
> addresses does this permit/deny?"
>
> Regards,
>
> Joe Astorino
> CCIE #24347 (R&S)
> Sr. Support Engineer - IPexpert, Inc.
> URL: http://www.IPexpert.com
>
> -----Original Message-----
> From: Kim Pedersen [mailto:[email protected]]
> Sent: Monday, June 08, 2009 2:46 PM
> To: Joe Astorino
> Cc: 'Tyson Scott'; [email protected]
> Subject: Re: [OSL | CCIE_RS] ACL Wildcards
>
> Hi Joe,
>
> Yeah, I can see that working with 2 lines, but how about more? :)
> And the VOD said it was not an absolute way...
> Phew.. confusing.
>
> Sincerely,
> Kim
>
> Joe Astorino wrote:
>
> Once you do enough of them, you will find your own patterns and ways,
> but if you use simple subtraction and look for the difference to be a
> power of 2 that really helps! For instance, in the first octet if you
> have say 192 and 200 ... 200 - 192 = 8 = 2^3 ... so you know you can
> match them both with 1 bit in the "8" place.
>
> Regards,
>
> Joe Astorino
> CCIE #24347 (R&S)
> Sr. Support Engineer - IPexpert, Inc.
> URL: http://www.IPexpert.com
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Kim Pedersen
> Sent: Monday, June 08, 2009 2:27 PM
> To: Tyson Scott
> Cc: [email protected]
> Subject: Re: [OSL | CCIE_RS] ACL Wildcards
>
> Thanks for all of your help...
>
> When you guys do it, do you start by writing it all out in binary,
> or make an educated guess on what groups together? And is it best to
> start with the first octet and go forward, or the last and go
> backwards?
>
> Again, thanks!
>
> Sincerely,
> Kim Pedersen
>
> Tyson Scott wrote:
>
> Yes, correct Kim,
>
> 194 and 193 can definitely be matched in one line if all the rest
> were the same. In your example none of those could be combined into
> one line without matching additional networks.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S and Security
> Technical Instructor - IPexpert, Inc.
>
> -----Original Message-----
> From: Kim Pedersen [mailto:[email protected]]
> Sent: Monday, June 08, 2009 2:02 PM
> To: Tyson Scott
> Cc: 'Bryan Bartik'; [email protected]
> Subject: Re: [OSL | CCIE_RS] ACL Wildcards
>
> Hi Tyson,
>
> In my example, those 4 bits are just in the first octet alone. So
> I'm assuming we really need to treat the entire address, and not just
> by octet?
>
> So there's no "set-in-stone" rules to go by, you just sort of have
> to group them, see if that matches and go from there?
>
> Finally, in my example, if I add the 193 prefix, I would have 6
> bits of difference, so the closest I could do in one line is by
> matching 64 nets, and this would give an indication on whether I
> need to narrow it down?
>
> Sincerely,
> Kim
>
> Tyson Scott wrote:
>
> Kim
>
> When it has a large amount of differences you need to find
> similarities between them to put them together.
>
> 194 is 11000010
> 174 is 10101110
>
> This is 4 bit differences, so you would have to have 16 entries to
> match them as one line without matching additional subnets.
>
> It is important to also note if they say to not match any
> additional networks or if they just say to combine them to as few
> lines without specifying that you can't match additional networks as
> well.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S and Security
> Technical Instructor - IPexpert, Inc.
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Kim Pedersen
> Sent: Monday, June 08, 2009 11:28 AM
> To: Bryan Bartik
> Cc: [email protected]
> Subject: Re: [OSL | CCIE_RS] ACL Wildcards
>
> Hi Bryan,
>
> I guess I didn't point out the problem (sounds soo serious :) ),
> but what if the question states: "make these into as few entries as
> possible", and they are soo different that it might not end up in
> one entry (again, with difference in multiple octets).
>
> For example (no logic behind choosing these):
> 194.64.0.96/27
> 174.34.87.64/26
> 193.23.10.8/30
> ...
> Next, imagine 32 addresses just like this :)
>
> How do you go about breaking all of this down?
>
> Sincerely,
> Kim Pedersen
>
> Bryan Bartik wrote:
>
> Kim, even if there is more than one octet you still can look at
> the number of bits that are different. Example:
>
> 192.168.0.0
> 192.168.0.1
> 192.168.1.0
> 192.168.1.1
>
> The above addresses have 2 bits (bit 0 in the 3rd and 4th octets)
> that differ and we can combine them in one ACL.
>
> 3rd and 4th octets:
> 0000 0000 | 0000 0000
> 0000 0000 | 0000 0001
> 0000 0001 | 0000 0000
> 0000 0001 | 0000 0001
>
> 0000 0000 | 0000 0000  AND
> 0000 0001 | 0000 0001  XOR
>
> 192.168.0.0 0.0.1.1 would be the ACL entry.
>
> -hth
>
> Bryan Bartik
> CCIE #23707 (R&S), CCNP
> Sr. Support Engineer - IPexpert, Inc.
> URL: http://www.IPexpert.com
>
> On Mon, Jun 8, 2009 at 7:47 AM, Rodriguez, Jorge <[email protected]> wrote:
>
> Jeremy, this should help you in calculating the wildcard mask:
>
> http://www.internetworkexpert.com/resources/01700370.htm
>
> http://blog.internetworkexpert.com/2007/12/26/q-how-do-i-compute-complex-wildcard-masks-for-access-lists/
>
> Rgds
> Jorge
>
> From: [email protected] [mailto:[email protected]] On Behalf Of JEREMY FURR (RIT Student)
> Sent: Friday, June 05, 2009 10:12 AM
> To: [email protected]
> Subject: [OSL | CCIE_RS] ACL Wildcards
>
> Does anyone know of a website or book that explains well how ACL
> wildcards work? I have been trying to filter out four blocks from
> a bunch of route advertisements but just can't get the three I
> want through. This is what I have: R2 is originating 192.168.2.0/24
> through 192.168.15.0/24 in RIP to R1. I want to only accept
> blocks 192.168.5.0, 192.168.10.0, 192.168.13.0 and 192.168.14.0.
>
> If I use an acl with 192.168.10.0 0.0.4.0, I will get 10 and 14 but
> not thirteen. For the 5 network I just use 192.168.5.0 0.0.0.255.
>
> Any thoughts or help would be appreciated.
>
> Jeremy Furr
> [email protected]

--
// Freedom Matters
// Follow my progress on: http://kpjungle.wordpress.com
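As an added example (not code from anyone on the thread), here is Bryan Bartik's AND/XOR method applied to whole IPv4 addresses, together with a matcher using Cisco wildcard semantics (a 1 bit means "don't care") so you can check claims like Jeremy's "192.168.10.0 0.0.4.0 gets 10 and 14 but not 13" and Tyson's "4 differing bits means 16 subnets". The greedy `exact_cover` goes a step beyond the thread and finds entries that match nothing outside the given set; all function names are my own.

```python
# Added example, not from the thread: wildcard summary, matcher and exact cover.
from ipaddress import IPv4Address
from itertools import combinations, product

def to_int(a):
    return int(IPv4Address(a))

def summarize(addrs):
    """Single entry covering all addrs: base is the AND of every address,
    wildcard the OR of (address XOR base), i.e. every bit that differs."""
    ints = [to_int(a) for a in addrs]
    base = ints[0]
    for v in ints:
        base &= v
    wildcard = 0
    for v in ints:
        wildcard |= v ^ base
    return f"{IPv4Address(base)} {IPv4Address(wildcard)}"

def matches(addr, entry):
    """Cisco semantics: a 1 bit in the wildcard is 'don't care'."""
    base, wc = (to_int(x) for x in entry.split())
    return (to_int(addr) & ~wc) == (base & ~wc)

def covered(base, wc):
    """Set of addresses (as ints) a base/wildcard pair matches: 2**popcount(wc)."""
    free = [i for i in range(32) if wc >> i & 1]
    return {(base & ~wc) | sum(b << p for p, b in zip(free, bits))
            for bits in product((0, 1), repeat=len(free))}

def expand(entry):
    """Dotted-quad list, ascending, of everything a 'base wildcard' entry matches."""
    base, wc = (to_int(x) for x in entry.split())
    return [str(IPv4Address(v)) for v in sorted(covered(base, wc))]

def exact_cover(addrs):
    """Greedy: widest wildcard first, each entry matching nothing outside addrs.
    Candidate masks grow as 2**(differing bits), so keep the input small."""
    remaining = {to_int(a) for a in addrs}
    span = to_int(summarize(addrs).split()[1])
    free = [i for i in range(32) if span >> i & 1]
    cands = [sum(1 << p for p in s) for r in range(len(free), -1, -1)
             for s in combinations(free, r)]
    lines = []
    while remaining:  # mask 0 (a single host) always qualifies, so this terminates
        base, wc = next((a & ~m, m) for m in cands for a in sorted(remaining)
                        if covered(a & ~m, m) <= remaining)
        lines.append(f"{IPv4Address(base)} {IPv4Address(wc)}")
        remaining -= covered(base, wc)
    return lines
```

Running `exact_cover` on Jeremy's four networks yields two entries, one fewer than the three he was heading for, and `expand` on the one-line summary shows the twelve unwanted networks it would let through.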
