Cool stuff, Steve. Much obliged, all!

On Jun 2, 2011, at 12:52 AM, Di Bias, Steve wrote:
> Excellent post, Adam!
>
> I used to be stuck in that "wildcard mask equals inverted mask" paradigm myself!
>
> Once you start getting the hang of it, it's like riding a bike! I like to
> break everything out into binary in order to calculate the wildcard masks; it
> makes it much easier.
>
> Expanding on what Adam posted, you can do some very interesting things with
> wildcard masks. For example, we may be asked to match only even or odd numbers
> in the second octet of an access list for certain networks (102.X).
>
> Basically a 0 in the IP will be even and a 1 in the IP will be odd:
>
> 128|64|32|16|8|4|2|1
>
> 102.00000001 = 102.1 - odd
> 102.00000011 = 102.3 - odd
> 102.00000101 = 102.5 - odd
> 102.00000010 = 102.2 - even
> 102.00000100 = 102.4 - even
> 102.00000110 = 102.6 - even
>
> For evens in the 2nd octet -- access-list 22 permit 102.0.0.0 0.254.0.0
>
> For odds in the 2nd octet -- access-list 22 permit 102.1.0.0 0.254.0.0
>
> We could take this a step further if we were asked to create an ACL matching
> two different IP addresses in a single line (5.10.15.20 and 20.15.10.5).
>
> To do this we write them out in binary and perform AND/OR logic against them.
> With the AND logic we find the similarities and with the OR logic we find the
> differences. So AND for network and OR for wildcard.
>
> 5.10.15.20 = 00000101.00001010.00001111.00010100
> 20.15.10.5 = 00010100.00001111.00001010.00000101
>
> AND
>
> 00000101.00001010.00001111.00010100
> 00010100.00001111.00001010.00000101
> --------------------------------------
> 00000100.00001010.00001010.00000100 = 4.10.10.4
>
> XOR
>
> 00000101.00001010.00001111.00010100
> 00010100.00001111.00001010.00000101
> --------------------------------------
> 00010001.00000101.00000101.00010001 = 17.5.5.17
>
> So the end result could be something like "access-list 10 deny 4.10.10.4 17.5.5.17"
>
> Of course we will be matching on more than just these two hosts; however, it
> was just demonstrated to show the power of this stuff.
>
> I also sent you some other links in a unicast.
>
> HTH
>
> Thank you,
>
> Steve Di Bias
> Network Engineer - Information Systems
> Valley Health System - Las Vegas
> Office - 702-369-7594
> Cell - 702-241-1801
> [email protected]
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Adam Booth
> Sent: Wednesday, June 01, 2011 3:47 PM
> To: Alef
> Cc: [email protected] IE
> Subject: Re: [OSL | CCIE_RS] wildcard masks
>
> Hi Alef,
>
> Which part is getting you confused?
>
> One of the most important things to be aware of is that a wildcard mask is
> not just an inverted network mask.
>
> A rule regarding netmasks is that, when looking at one as a binary sequence, it
> has to be a bunch of consecutive 1s and 0s: as soon as the first 0 appears,
> the following digits must continue to be 0.
>
> For a wildcard mask, the above concept does not apply; 1s and 0s can be in
> any order. The binary sequence of the wildcard mask has a meaning: a
> 0 means the value of this bit must match, whereas a 1 means "I don't care
> what the source value is" and is therefore an implied match.
>
> To give a simple example, say you are in OSPF and have an interface
> 192.168.1.1/24 that you wish to enable.
>
> You could be most specific and do
>
> router ospf 1
>  network 192.168.1.1 0.0.0.0 area 0
>
> or more general and do
>
> router ospf 1
>  network 192.168.1.0 0.0.0.255 area 0
>
> I guess you could just go directly to the interface and do "ip ospf 1 area
> 0", but that kind of sidelines the use case here, so let's ignore that for the
> time being :)
>
> In both cases OSPF would be enabled for the interface; however, if you wanted
> to have the most direct control, specifying the complete address and using
> an exact wildcard mask ensures that only that interface gets activated.
> For example, if I renumbered the interface on 192.168.1.1/24 to
> 192.168.1.111/24, in the first case OSPF would be disabled for the
> interface and in the latter it would not, since the IP still matches the
> wildcard mask.
>
> There are also interesting things you can do with ACLs to match multiple
> non-consecutive IP addresses by use of an interesting wildcard mask; these
> rely on a base IP address and a wildcard string that relies on must
> match/don't care values for the binary string.
>
> Is that of any help?
>
> Cheers,
> Adam
>
>
> On Thu, Jun 2, 2011 at 7:22 AM, Alef <[email protected]> wrote:
>
>> Does anyone have any recommendations for a good tutorial on wildcard masks?
>> I know the one on the ipexpert site; I'm afraid I need some more material to
>> digest if possible ;-)
>> I'm somewhere in between getting it and not getting it, I think.
>> Thanks,
>> Alef
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>> Are you a CCNP or CCIE and looking for a job? Check out
>> www.PlatinumPlacement.com
>>
>
> UHS Confidentiality Notice: This e-mail message, including any attachments,
> is for the sole use of the intended recipient(s) and may contain
> confidential and privileged information. Any unauthorized review, use,
> disclosure or distribution of this information is prohibited. If this was
> sent to you in error, please notify the sender by reply e-mail and destroy
> all copies of the original message.
