Re: Darth Reid R1 Access-list [7:58644]
You are assuming that I (and others in this discussion) do not know how to figure out wildcard masks, which is not the focus of the question. Please, take a step back and really try to listen. I appreciate your opinion and I am very grateful that you are taking the time to help. But you are not really listening. Does Cisco want the smallest ACL or a practical answer to this question? I do not want to be in the Lab with a question like this and attack it with the wrong perspective.

In addition, I made an attempt to "figure it out" on my own - yes, I did use the BOSON to check my answer - nothing wrong with that. I asked the question to invite a technical discussion to attack the question as a "Team". The level of experience among members of the discussion group is irrelevant to me. I just wanted a serious attempt to answer the question and not to be talked down to.

Just to let you know, I have failed the CCIE lab exam twice and I do not want to fail it again (like I can control that, though). I have my own opinion as to how Cisco wants the question answered, but I would like to hear from other experts, like yourself, in order to stay on track - call it a sanity check. In this way I can compare notes and make the best decision in order to be prepared for the next lab attempt.

Anyway, working together, we should be able to tackle this - thanks

Ted

P.S. What's confusing to me is how Cisco's answer is not very practical. When working on routing protocols, the rules cannot be half-a**ed. But this question is very misleading - at least from a practical viewpoint. I mean, suppose you get an answer that is two ACL lines in size, but it blocks even more networks than the answer above. One could argue that it is also correct - just a bit more general than Cisco's answer. Seems too subjective to me. If that is the way it is - oh well. Any comments?
Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=59299&t=58644 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Darth Reid R1 Access-list [7:58644]
""Ted Marinich"" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > Josh, > > No I never have. frp is a typo - should be FTP. CL: I believe I gave a good pointer and a good start in my earlier reply. > > access-list 101 deny tcp host 135.152.1.1 eq ftp any > access-list 101 deny tcp host 135.152.1.1 eq http any > access-list 101 deny tcp 131.24.194.0 0.1.1.255 eq ftp any > access-list 101 deny tcp 131.24.194.0 0.1.1.255 eq http any > access-list 101 deny tcp 131.24.193.0 0.1.0.255 eq ftp any > access-list 101 deny tcp 131.24.193.0 0.1.0.255 eq http any > access-list 102 permit tcp any any > > Also, "access-list 102 permit tcp any any" should be "access-list 101 permit > tcp any any" > > Sorry, for the confusion. Cisco's focus seems to be centered on the ACL > size. I am focused on a practical solution. I want clearification so I know > what to practise for. CL: consider the possibility that the Cisco answer in your study source is wrong. CL: at the risk of being considered a jerk, I believe I demonstrated how to figure this stuff out in an earlier reply - write it out in binary and determine your "care" and "don't care" bits. I believe by my demonstration I determined that for the first octet, at least, the Cisco answer was not correct, and I showed what the correct answer was, for the first octet. I left it to you to do the rest. CL: Cisco's focus, based on what you have presented, is to determine whether or not you know how the masks work when filtering addresses. Look - you took the first step. You went to B--O--S--O--N and used their wildcard mask calculator to discover that the Cisco answer permitted more networks than required. So you know how to use the tool. But you have to take the next step yourself. CL: sorry to be acting righteous here, but when you're sitting in a Cisco test, be it CCNA or CCIE Lab, and all you have is a pencil and paper, there is only one way to do it. Believe me, proper wildcard masking comes up everywhere. 
whether you are doing opsf network masks, eigrp network masks ( neat feature! ) distibute-lists, route-maps, or whatever. > > Cisco's answer is: > > access-list 102 deny tcp 129.24.192.0 102.129.7.1 eq http any > access-list 102 deny tcp 129.24.192.0 102.129.7.1 eq ftp any > access-list 102 permit tcp any any Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=59268&t=58644 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: Darth Reid R1 Access-list [7:58644]
Josh,

No I never have. frp is a typo - should be FTP.

access-list 101 deny tcp host 135.152.1.1 eq ftp any
access-list 101 deny tcp host 135.152.1.1 eq http any
access-list 101 deny tcp 131.24.194.0 0.1.1.255 eq ftp any
access-list 101 deny tcp 131.24.194.0 0.1.1.255 eq http any
access-list 101 deny tcp 131.24.193.0 0.1.0.255 eq ftp any
access-list 101 deny tcp 131.24.193.0 0.1.0.255 eq http any
access-list 102 permit tcp any any

Also, "access-list 102 permit tcp any any" should be "access-list 101 permit tcp any any"

Sorry for the confusion. Cisco's focus seems to be centered on the ACL size. I am focused on a practical solution. I want clarification so I know what to practise for.

Cisco's answer is:

access-list 102 deny tcp 129.24.192.0 102.129.7.1 eq http any
access-list 102 deny tcp 129.24.192.0 102.129.7.1 eq ftp any
access-list 102 permit tcp any any

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=59260&t=58644
RE: Darth Reid R1 Access-list [7:58644]
Ted,

Did you ever get any feedback on this? I have never heard of the frp keyword in an access-list command.

Josh

-----Original Message-----
From: Ted Marinich [mailto:[EMAIL PROTECTED]]
Sent: Saturday, December 07, 2002 5:47 PM
To: [EMAIL PROTECTED]
Subject: Re: Darth Reid R1 Access-list [7:58644]

OK,

The question is: deny FTP and HTTP for these addresses: 131.24.194.x, 131.25.194.x, 135.152.1.1, 131.24.195.x, 131.24.193.x. Use the least amount of lines in your ACL.

To match EXACTLY what the question asks with the minimum ACL, I come up with this:

access-list 101 deny tcp host 135.152.1.1 eq ftp any
access-list 101 deny tcp host 135.152.1.1 eq http any
access-list 101 deny tcp 131.24.194.0 0.1.1.255 eq ftp any
access-list 101 deny tcp 131.24.194.0 0.1.1.255 eq http any
access-list 101 deny tcp 131.24.193.0 0.1.0.255 eq ftp any
access-list 101 deny tcp 131.24.193.0 0.1.0.255 eq http any
access-list 102 permit tcp any any

Cisco's answer is:

access-list 102 deny tcp 129.24.192.0 102.129.7.1 eq frp any
access-list 102 deny tcp 129.24.192.0 102.129.7.1 eq frp any
access-list 102 permit tcp any any

Cisco's answer, in the first octet, matches these IPs: 129, 131, 133, 135, 161, 163, 165, 167, 193, 195, 197, 199, 225, 227, 229, 231

So, address 161.24.194.1 will be denied as well, which is not one of the requirements.

My question is, when taking the lab and asked a similar question, which answer is correct?

Hope this is not as muddy as my first question... Please correct me if I'm wrong - I'm no access-list expert. Just my attempt at it. :)

Ted

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=59257&t=58644
Re: Darth Reid R1 Access-list [7:58644]
OK,

The question is: deny FTP and HTTP for these addresses: 131.24.194.x, 131.25.194.x, 135.152.1.1, 131.24.195.x, 131.24.193.x. Use the least amount of lines in your ACL.

To match EXACTLY what the question asks with the minimum ACL, I come up with this:

access-list 101 deny tcp host 135.152.1.1 eq ftp any
access-list 101 deny tcp host 135.152.1.1 eq http any
access-list 101 deny tcp 131.24.194.0 0.1.1.255 eq ftp any
access-list 101 deny tcp 131.24.194.0 0.1.1.255 eq http any
access-list 101 deny tcp 131.24.193.0 0.1.0.255 eq ftp any
access-list 101 deny tcp 131.24.193.0 0.1.0.255 eq http any
access-list 102 permit tcp any any

Cisco's answer is:

access-list 102 deny tcp 129.24.192.0 102.129.7.1 eq frp any
access-list 102 deny tcp 129.24.192.0 102.129.7.1 eq frp any
access-list 102 permit tcp any any

Cisco's answer, in the first octet, matches these IPs: 129, 131, 133, 135, 161, 163, 165, 167, 193, 195, 197, 199, 225, 227, 229, 231

So, address 161.24.194.1 will be denied as well, which is not one of the requirements.

My question is, when taking the lab and asked a similar question, which answer is correct?

Hope this is not as muddy as my first question... Please correct me if I'm wrong - I'm no access-list expert. Just my attempt at it. :)

Ted

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=58752&t=58644
Re: Darth Reid R1 Access-list [7:58644]
Actually he *did* answer it. Write it out in binary, it should be crystal clear.

----- Original Message -----
From: "Ted Marinich"
To:
Sent: Friday, December 06, 2002 7:00 PM
Subject: Re: Darth Reid R1 Access-list [7:58644]

> The Long and Winding Road:
>
> As you can see from my original post, the binary equivalents are represented
> in decimal format one octet at a time. The question is - has anyone
> approached this question from a different angle to get a more realistic
> answer.
>
> The first octet should allow 131 and 135 only, but as you can see it allows
> 14 other octets!???
>
> I thank you for your response, but you didn't answer the question.
>
> Want to try again?
>
> Ted
>
> P.S. Just want to compare notes with anyone who has attempted the question
> and has an explanation for their answer. Cisco Press answer is one single
> ACL, but I calculate a need for three in order to deny only those IPs in the
> original question and no others.
>
> Thanks in advance...

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=58743&t=58644
Re: Darth Reid R1 Access-list [7:58644]
""Ted Marinich"" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > The Long and Winding Road: > > As you can see from my original post, the binary equivelents are represented > in decimal format one octet at a time. The question is - has anyone > approached this question froma a different angle to get a more realistic > answer. CL: OK. I wrote it out in binary. > > The first octet should allow 131 and 135 only, but as you can see it allows > 14 other octets!??? CL: not knowing your source, but looking at this sentence, you want some mask that permits only 131 and 135 in the octet? OK. 131 = 1000 0011 135 = 1000 0111 CL: a mask that permits only those two numbers would be? it should be fairly obvious, at this point. > > I thank you for your response, but you didn't answer the question. > > Want to try again? CL: I think I have given enough hints that you can figure out the methodology I would use. > > Ted > > P.S. Just want to compare notes with anyone who has attempted the question > and has an explaination for their answer. Cisco Press answer is one single > ACL, but I calculate a need for three in order to deny only those IPs in the > original question an no others. > > Thanks in advance... Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=58733&t=58644 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Darth Reid R1 Access-list [7:58644]
The Long and Winding Road:

As you can see from my original post, the binary equivalents are represented in decimal format one octet at a time. The question is - has anyone approached this question from a different angle to get a more realistic answer.

The first octet should allow 131 and 135 only, but as you can see it allows 14 other octets!???

I thank you for your response, but you didn't answer the question.

Want to try again?

Ted

P.S. Just want to compare notes with anyone who has attempted the question and has an explanation for their answer. Cisco Press answer is one single ACL, but I calculate a need for three in order to deny only those IPs in the original question and no others.

Thanks in advance...

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=58730&t=58644
Re: Darth Reid R1 Access-list [7:58644]
Steve you BAD boy - where have you been? I still read your CCIE Lab prep advice, and it is posted on my web site as well ( www.chuckslongroad.info ) for all the good it does me ;->

""Steve Dispensa"" wrote in message news:[EMAIL PROTECTED]...
> > > Barring intentional obfuscation, why would anyone actually use that
> > > wildcard mask in an access list instead of a longer more readable
> > > alternative?
> >
> > CL: since the publication of RFC 1812, the so called "whacky" wildcard
> > masks are not supported. In other words, for a router to be RFC1812
> > compliant, it should not permit you to enter masks that do not consist of
> > contiguous 1's and 0's.
>
> Nothing in the rfc would prohibit using funny wildcard masks in an ACL. The
> point of the contiguous-netmask restriction is to allow cidr to work. Slash
> notation (e.g. /24) wouldn't make much sense if some of those 24 bits were
> zeros.
>
> One might use an oddball wildcard mask for efficiency - the router wouldn't
> have

CL: I should have said subnet masks. seems to me, though, that Cisco has restricted wildcard masks in some places as well.

> to match as many acl lines. Then again, it would only really matter on old
> routers, and it's operational suicide anyway since nobody will be able to
> work on it. It might also simplify configs in some places, but (IMHO) at a
> prohibitive cost in operational simplicity.
>
> You can contrive more cases (acls for debug ip packet, servers are all even
> numbers, whatever...), but i don't think it ever makes sense to actually use
> this.
>
> -sd

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=58713&t=58644
Re: Darth Reid R1 Access-list [7:58644]
> > Barring intentional obfuscation, why would anyone actually use that
> > wildcard mask in an access list instead of a longer more readable
> > alternative?
>
> CL: since the publication of RFC 1812, the so called "whacky" wildcard masks
> are not supported. In other words, for a router to be RFC1812 compliant, it
> should not permit you to enter masks that do not consist of contiguous 1's
> and 0's.

Nothing in the rfc would prohibit using funny wildcard masks in an ACL. The point of the contiguous-netmask restriction is to allow cidr to work. Slash notation (e.g. /24) wouldn't make much sense if some of those 24 bits were zeros.

One might use an oddball wildcard mask for efficiency - the router wouldn't have to match as many acl lines. Then again, it would only really matter on old routers, and it's operational suicide anyway since nobody will be able to work on it. It might also simplify configs in some places, but (IMHO) at a prohibitive cost in operational simplicity.

You can contrive more cases (acls for debug ip packet, servers are all even numbers, whatever...), but i don't think it ever makes sense to actually use this.

-sd

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=58709&t=58644
Re: Darth Reid R1 Access-list [7:58644]
""J.D. Chaiken"" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > Follup Question: > > Barring intentional obfusication, why would anyone actually use that > wildcard mask in an access list instead of a longer more readable > alternative? CL: since the publication of RFC 1812, the so called "whacky" wildcard masks are not supported. In other words, for a router to be RFC1812 compliant, it should not permit you to enter masks that do not consist of cintiguous 1's and 0's/ CL:it used to be that such masks were allowed. There used to be jokes and apocryphal stories of network admins who used such schemes as one means of assuring job security. CL: nowadays, they are an interesting study tool - as I said - writing it out in binary gives you a good feel for how masking works. > > Jarett > > > ""The Long and Winding Road"" wrote in > message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > > write it out in binary and study it until you understand why it is or is > not > > correct. > > > > what - you expect someone else to do the work for you? how are you going > to > > learn? > > > > > > ""Ted Marinich"" wrote in message > > [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > > > Correct me if I'm wrong, but I can't see why this is the right answer. > > Does > > > anyone have a different answer to question VII -1??? > > > > > > It seems as though too many other networks are able to pass through > using > > > this answer - can't be right. > > > > > > I grabed the "answer" from cisco's web via the URL found in the > Practical > > > Studies book. 
> > > > > > Ted > > > > > > www.Boson.com Wildcard mask checker > > > > > > IP Address:129.24.192.0 > > > Wildcard mask: 102.129.7.1 > > > > > > First Octet Match(es) > > > 129 > > > 131 > > > 133 > > > 135 > > > 161 > > > 163 > > > 165 > > > 167 > > > 193 > > > 195 > > > 197 > > > 199 > > > 225 > > > 227 > > > 229 > > > 231 > > > > > > Second Octet Match(es) > > > 24- 25 > > > 152- 153 > > > > > > Third Octet Match(es) > > > 192- 199 > > > > > > Fourth Octet Match(es) > > > 0- 1 Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=58698&t=58644 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Darth Reid R1 Access-list [7:58644]
Followup Question:

Barring intentional obfuscation, why would anyone actually use that wildcard mask in an access list instead of a longer more readable alternative?

Jarett

""The Long and Winding Road"" wrote in message news:[EMAIL PROTECTED]...
> write it out in binary and study it until you understand why it is or is not
> correct.
>
> what - you expect someone else to do the work for you? how are you going to
> learn?
>
> ""Ted Marinich"" wrote in message
> news:[EMAIL PROTECTED]...
> > Correct me if I'm wrong, but I can't see why this is the right answer.
> > Does anyone have a different answer to question VII -1???
> >
> > It seems as though too many other networks are able to pass through using
> > this answer - can't be right.
> >
> > I grabbed the "answer" from cisco's web via the URL found in the Practical
> > Studies book.
> >
> > Ted
> >
> > www.Boson.com Wildcard mask checker
> >
> > IP Address: 129.24.192.0
> > Wildcard mask: 102.129.7.1
> >
> > First Octet Match(es)
> > 129
> > 131
> > 133
> > 135
> > 161
> > 163
> > 165
> > 167
> > 193
> > 195
> > 197
> > 199
> > 225
> > 227
> > 229
> > 231
> >
> > Second Octet Match(es)
> > 24-25
> > 152-153
> >
> > Third Octet Match(es)
> > 192-199
> >
> > Fourth Octet Match(es)
> > 0-1

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=58687&t=58644
Re: Darth Reid R1 Access-list [7:58644]
write it out in binary and study it until you understand why it is or is not correct.

what - you expect someone else to do the work for you? how are you going to learn?

""Ted Marinich"" wrote in message news:[EMAIL PROTECTED]...
> Correct me if I'm wrong, but I can't see why this is the right answer. Does
> anyone have a different answer to question VII -1???
>
> It seems as though too many other networks are able to pass through using
> this answer - can't be right.
>
> I grabbed the "answer" from cisco's web via the URL found in the Practical
> Studies book.
>
> Ted
>
> www.Boson.com Wildcard mask checker
>
> IP Address: 129.24.192.0
> Wildcard mask: 102.129.7.1
>
> First Octet Match(es)
> 129
> 131
> 133
> 135
> 161
> 163
> 165
> 167
> 193
> 195
> 197
> 199
> 225
> 227
> 229
> 231
>
> Second Octet Match(es)
> 24-25
> 152-153
>
> Third Octet Match(es)
> 192-199
>
> Fourth Octet Match(es)
> 0-1

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=58686&t=58644
Darth Reid R1 Access-list [7:58644]
Correct me if I'm wrong, but I can't see why this is the right answer. Does anyone have a different answer to question VII -1???

It seems as though too many other networks are able to pass through using this answer - can't be right.

I grabbed the "answer" from cisco's web via the URL found in the Practical Studies book.

Ted

www.Boson.com Wildcard mask checker

IP Address: 129.24.192.0
Wildcard mask: 102.129.7.1

First Octet Match(es)
129
131
133
135
161
163
165
167
193
195
197
199
225
227
229
231

Second Octet Match(es)
24-25
152-153

Third Octet Match(es)
192-199

Fourth Octet Match(es)
0-1

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=58644&t=58644
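As an added example, not code from the thread, from Boson or from Cisco, the following Python script does CL's "write it out in binary" check mechanically: it lists the values each octet of an entry/wildcard pair accepts (reproducing the Boson output Ted pasted above) and reports which of the question's addresses the source fields of the posted ACL lines cover. The sample host addresses inside the listed networks are constructed; protocol and port fields are ignored.

```python
"""Cisco ACL wildcard-mask checker (added example; not code from the thread).

A wildcard mask is the bitwise opposite of a subnet mask: a 0 bit means the
packet's bit must equal the entry's bit, a 1 bit means "don't care".  ACL
wildcards may have non-contiguous 1 bits, which is why 129.24.192.0
102.129.7.1 covers sixteen different first octets.  Only the source-address
field of each deny line is modelled; protocol and port fields are ignored.
"""
import ipaddress

def octet_matches(base: int, wildcard: int) -> list[int]:
    """Every 0-255 value that one octet of an entry/wildcard pair accepts."""
    care = ~wildcard & 0xFF                     # 1 = bit must match the entry
    return [v for v in range(256) if (v & care) == (base & care)]

def explain_octet(base: int, wildcard: int) -> str:
    """The pencil-and-paper view: entry, wildcard and which bits are fixed."""
    care = ~wildcard & 0xFF
    return (f"entry    {base:08b}\nwildcard {wildcard:08b}\n"
            f"fixed    {care:08b}  -> {len(octet_matches(base, wildcard))} values")

def covers(entry: str, wildcard: str, address: str) -> bool:
    """True if `address` is matched by the ACL source field `entry wildcard`."""
    e = int(ipaddress.IPv4Address(entry))
    w = int(ipaddress.IPv4Address(wildcard))
    a = int(ipaddress.IPv4Address(address))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (e & care)

def address_count(wildcard: str) -> int:
    """Addresses one entry covers: 2 ** (number of don't-care bits)."""
    return 1 << bin(int(ipaddress.IPv4Address(wildcard))).count("1")

def denied_by(acl: list[tuple[str, str]], address: str) -> bool:
    """Whether any deny line in `acl` (a list of (entry, wildcard)) matches."""
    return any(covers(e, w, address) for e, w in acl)

# Source fields of the deny lines posted in the thread.
CISCO_ANSWER = [("129.24.192.0", "102.129.7.1")]
TED_ANSWER = [("135.152.1.1", "0.0.0.0"),
              ("131.24.194.0", "0.1.1.255"),
              ("131.24.193.0", "0.1.0.255")]

# Addresses the question requires to be denied (constructed sample hosts inside
# the listed networks) and the one Ted points out should not be caught.
REQUIRED = ["131.24.194.10", "131.25.194.10", "135.152.1.1",
            "131.24.195.10", "131.24.193.10"]
NOT_REQUIRED = "161.24.194.1"

def check(acl: list[tuple[str, str]]) -> dict[str, bool]:
    """Map each address of interest to whether the ACL's deny lines catch it."""
    return {a: denied_by(acl, a) for a in REQUIRED + [NOT_REQUIRED]}

if __name__ == "__main__":
    print(explain_octet(129, 102))
    print("first octet matches:", octet_matches(129, 102))
    for name, acl in (("Cisco", CISCO_ANSWER), ("Ted", TED_ANSWER)):
        total = sum(address_count(w) for _, w in acl)
        print(f"{name}: {check(acl)} ({total} source addresses covered)")
```

Because the posted Cisco line ends in a fourth-octet wildcard of 1, it covers only hosts .0 and .1 of each matched network, which is what the Boson fourth-octet output in the thread shows.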