RE: Why use wildcard mask [7:30473]
I think a major motivation of a lot of "silent lurkers" (like myself) and those who actively participate on this list is to benefit from the comments of such great industry stalwarts as Howard Berkowitz, Priscilla Oppenheimer, Pamela Forsyth, etc. They always enrich their comments with their experience, and Howard Berkowitz also adds spice to it with his wit and humour. I have read almost all his books and would recommend them to everyone seeking in-depth knowledge of networks. I think he has got a unique flair for writing. It would be a sad day for me if someone drove them off this list with their uncouth comments.

I would also name some more persons such as Chuck Larrieu, Elijah Savage, Brad Ellis, Kent Hundley, Keyur Shah, etc. (and the list goes on) whose insights from real hands-on experience, coupled with their marvellous ability to explain things, have greatly benefitted this list.

I wish everyone a Happy New Year and greater opportunities in the years ahead.

Aziz S. Islam
Sr. Infrastructure Splst. - CCIE (R/S)
Design Engineering
EDS Canada Inc.
33 Yonge Street, Suite 400
Toronto, Ontario M3A 2R6
CANADA
Ph: (416) 814-1696
Fx: (416) 814-1821
http://www.eds.com
mailto:[EMAIL PROTECTED]
mailto:[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 31, 2001 9:12 AM
To: [EMAIL PROTECTED]
Subject: Re: Why use wildcard mask [7:30473]

Speaking only for myself, I look forward to your wit and wisdom when providing us wannabes with the knowledge we so desperately seek. While you're at it, can you provide us with a list of the RFCs you have written? And the books? I'd like to check them out. Anything to improve my own understanding of how things work.

Best wishes,
Chuck

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=30541&t=30473
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Why use wildcard mask [7:30473]
Speaking only for myself, I look forward to your wit and wisdom when providing us wannabes with the knowledge we so desperately seek. While you're at it, can you provide us with a list of the RFCs you have written? And the books? I'd like to check them out. Anything to improve my own understanding of how things work.

Best wishes,
Chuck

"Cisco Cisco" wrote in message news:[EMAIL PROTECTED]...
> Howard,
> If you actually worked on a router in the real world rather than just tell people you do, you would know that Cisco has supported access-list remarks for some time now.
>
> Oh I'm sure you're going to reply to this e-mail with some stupid story like, "This reminds me when I was talking to a developer at Apple about Mac OS 1.0 but I had never really worked on an Apple" or some worthless story like that.
>
> Also do us all a favor and quit cross posting from other mailing list. We don't want to see your replies to the juniper and ccie mailing list posts. Cross posting can be dangerous when you're on some of the list the you are on wink, wink ;-)

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=30508&t=30473
Fwd: Re: Why use wildcard mask [7:30473]
> Howard,
> If you actually worked on a router in the real world rather than just tell people you do, you would know that Cisco has supported access-list remarks for some time now.

Well, first, if you read exactly what I wrote, it might be pertinent. I wasn't saying specifically access-list remarks, or the description command. When I write protocol code in C, for example, I may very well put a page of comments in with a particularly tricky routine. I'm talking about large amounts of comments in the configuration files.

There are operational routers in tier 1 providers today that have a large sign on their consoles, "DO NOT SAVE TO NVRAM". The reason for this is that their exceptionally complex access lists, route maps, quality of service commands, etc., result in configurations too large to fit in NVRAM. They _must_ be stored and loaded from TFTP servers. Organizations like this have to be very careful about the use of comments, even in loadable files.

> Oh I'm sure you're going to reply to this e-mail with some stupid story like, "This reminds me when I was talking to a developer at Apple about Mac OS 1.0 but I had never really worked on an Apple" or some worthless story like that.

Why, thank you! Perhaps I can call upon your services in future to tell me what I will do in other matters, before I decide what I will do.

> Also do us all a favor and quit cross posting from other mailing list. We don't want to see your replies to the juniper and ccie mailing list posts. Cross posting can be dangerous when you're on some of the list the you are on wink, wink ;-)

I'm afraid "the list the you are on" doesn't quite parse. I do not routinely cross-post. Presumably, you are using the editorial "we," and have reasons for anonymous posting. I'm not ashamed to use my name on IETF, NANOG, etc., lists, or on the RFCs and I-Ds I've written with intense peer review.

But thank you for bringing a bit of whimsy into a quiet day.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=30501&t=30473
Re: Why use wildcard mask [7:30473]
Cisco Cisco,

Please don't ever post on other people's behalf if it includes me ("Do us all a favour"). You have not earned that right. I would never have someone like you representing me.

I don't like a*se licking, so I'm not going to do that for Howard, but equally, I don't like smart a*ses. Seems that your low esteem provokes you to attack others without cause.

Consider the following reply: "I believe that Cisco does allow access-list remarks now". Doesn't that seem friendlier?

Are you this aggressive face to face, or is this, as I suspect, small man syndrome at its best?

See you at the lab one day, or at a job interview perhaps.

Gaz

"Cisco Cisco" wrote in message news:[EMAIL PROTECTED]...
> Howard,
> If you actually worked on a router in the real world rather than just tell people you do, you would know that Cisco has supported access-list remarks for some time now.
>
> Oh I'm sure you're going to reply to this e-mail with some stupid story like, "This reminds me when I was talking to a developer at Apple about Mac OS 1.0 but I had never really worked on an Apple" or some worthless story like that.
>
> Also do us all a favor and quit cross posting from other mailing list. We don't want to see your replies to the juniper and ccie mailing list posts. Cross posting can be dangerous when you're on some of the list the you are on wink, wink ;-)

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=30500&t=30473
Re: Why use wildcard mask [7:30473]
Howard,
If you actually worked on a router in the real world rather than just tell people you do, you would know that Cisco has supported access-list remarks for some time now.

Oh I'm sure you're going to reply to this e-mail with some stupid story like, "This reminds me when I was talking to a developer at Apple about Mac OS 1.0 but I had never really worked on an Apple" or some worthless story like that.

Also do us all a favor and quit cross posting from other mailing list. We don't want to see your replies to the juniper and ccie mailing list posts. Cross posting can be dangerous when you're on some of the list the you are on wink, wink ;-)

"Howard C. Berkowitz" wrote:
> I see your approach, Marc, and I have even encountered real-world situations where such filtering might be appropriate. It happened when an enterprise wanted to "leave room for expansion", but didn't understand summarization. They assigned odd-numbered subnets to different sites/areas, thinking the even ones would be for future use.
>
> My approach, incidentally, is to figure out the number of potential areas or sites, then divide by a power of 2, at least 4, to be summarization-friendly.
>
> There's no question that your approach takes fewer lines of code. Personally, I wouldn't use it except in a huge network where there was no other way to fit that many lines into NVRAM.
>
> My motivation for not doing so is maintainability. The more complex the mask, the more difficult it will be for some subsequent administrator to figure out what was being done. I might be more open to the idea if Cisco saved comments with the configuration, but, of course, it doesn't.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=30499&t=30473
Re: Why use wildcard mask [7:30473]
Good point - I was gutted when the contiguous rule came in. I love playing around with access lists. Same feeling when the GUI became available for the PIX. Job security fading away - making things easier :-)

Sensible but saddening for the old folk.

Gaz

"Chuck Larrieu" wrote in message news:[EMAIL PROTECTED]...
> Prior to IOS 12.x, the wildcard mask method allowed quite a bit of flexibility. Suppose you had all of your servers on a particular subnet, but you wanted a different subset of those servers to be accessible from different subnets. It used to be that you could specify something like
>
> access-list 101 permit ip 172.16.24.0 0.0.0.255 192.168.1.0 0.0.0.28
> access-list 101 permit ip 172.16.25.0 0.0.0.255 192.168.1.0 0.0.0.32
> access-list 101 permit ip 172.16.26.0 0.0.0.255 192.168.1.0 0.0.0.65
>
> The first line would permit the dot 24 subnet to get to servers with addresses of dot 4, dot 8, dot 12, dot 16, dot 20, dot 24, and dot 28.
> The second line would permit the dot 25 subnet to access the server with the address of dot 32.
> The third line would permit the dot 26 subnet to get to servers dot 1, dot 64, and dot 65.
>
> Granted, this is a convoluted example. But it allowed flexibility and creativity in design.
>
> Granted too that you can still accomplish the same thing using the host switch, or being a little more creative with the network specification.
>
> With the advent of IOS 12.x wildcard bits must be contiguous from the right, so you lose this kind of power. Also takes the fun out of the network a.b.c.d x.x.x.x area command in OSPF!
>
> BTW, Mark, I see these odd/even filtering questions in your study materials and elsewhere. While I understand the goal of the exercise, it has always struck me as a pretty bizarre premise. Where exactly in the real world is there any design such that filtering by odd or even would be practical? Let alone filtering by multiples of 4 or 8 or whatever? (And yes, after two runs through you know where, I fully appreciate that in some places, like the brokerage firm where I used to work, there is very little relationship between the requirements you are given and the real world.)
>
> Chuck

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=30498&t=30473
Re: Why use wildcard mask [7:30473]
For some reason, this thread makes me think about the all-zeros broadcast. And how glad I am that it's not used anymore. That would confuse the hell outta me. Wonder if Howard's explanation might be the reason why all zeros was done at one time.

Oh well, just another item to think about.

wrote in message news:[EMAIL PROTECTED]...
> Hi All,
>
> I am trying to find out why we do an inverse/wildcard mask while using access lists?
>
> For example, if I want to deny the 192.168.1.0 255.255.255.0 network, on the access list we configure this as 192.168.1.0 0.0.0.255, but why do we do it this way instead of 255.255.255.0?
>
> All this seems to be is just an inverse relationship pointing back at the same thing? Even if I want to get specific and deny 192.168.1.0 255.255.255.192, this translates to 192.168.1.0 0.0.0.63, which seems to be just the standard mask subtracted from 255.255.255.255.
>
> Is there a specific reason why we do inverse masks? It seems to be easier just to configure it with normal masks. This way, we skip an extra procedure.
>
> thanks
> Mike

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=30491&t=30473
Re: Why use wildcard mask [7:30473]
> How is wildcard the natural method for hardware to match on? I can't conceptualize it. I write it out in binary, and I can't figure out what operation a processor would use to match on.

Usually XOR, might be NAND or NOR in some cases.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=30490&t=30473
Re: Why use wildcard mask [7:30473]
How is wildcard the natural method for hardware to match on? I can't conceptualize it. I write it out in binary, and I can't figure out what operation a processor would use to match on.

"Howard C. Berkowitz" wrote in message news:[EMAIL PROTECTED]...
> I asked one of the IOS developers about it, and he pointed out that access lists were developed before subnetting. The wildcard mask is the natural way hardware does matching.
>
> When subnets were defined, their documentation specified subnet masks. With 20/20 hindsight, it might have been a good idea to go back and change wildcard masks, but, of course, that would have introduced compatibility problems.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=30487&t=30473
Re: Why use wildcard mask [7:30473]
> With the advent of IOS 12.x wildcard bits must be contiguous from the right, so you lose this kind of power. Also takes the fun out of the network a.b.c.d x.x.x.x area command in OSPF!

I hadn't noticed that. If so, it would not surprise me at all if Cisco is planning, long-term, to have one kind of mask.

It's not quite the same thing, but assume some feature is on by default. In general, defaults don't show up in the show running. If the Cisco plan is to change the default to "no foo", you'll see the pattern:

1. Before the decision to change: nothing displayed
2. For some releases after the decision: foo
3. After the change is made: no foo
4. Many releases after the change: nothing displayed

> BTW, Mark, I see these odd/even filtering questions in your study materials and elsewhere. While I understand the goal of the exercise, it has always struck me as a pretty bizarre premise. Where exactly in the real world is there any design such that filtering by odd or even would be practical? Let alone filtering by multiples of 4 or 8 or whatever? (And yes, after two runs through you know where, I fully appreciate that in some places, like the brokerage firm where I used to work, there is very little relationship between the requirements you are given and the real world.)
>
> Chuck

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=30485&t=30473
Re: Why use wildcard mask [7:30473]
> Yes, it does make simple tasks a little more complicated. However, using inverse masking can make complex tasks much easier.
>
> Take this issue. Say you are asked to filter access to all odd 192.168.x.0 /24 routes.
>
> Your method.
>
> 192.168.1.0 255.255.255.0
> 192.168.3.0 255.255.255.0
> 192.168.5.0 255.255.255.0

I see your approach, Marc, and I have even encountered real-world situations where such filtering might be appropriate. It happened when an enterprise wanted to "leave room for expansion", but didn't understand summarization. They assigned odd-numbered subnets to different sites/areas, thinking the even ones would be for future use.

My approach, incidentally, is to figure out the number of potential areas or sites, then divide by a power of 2, at least 4, to be summarization-friendly.

There's no question that your approach takes fewer lines of code. Personally, I wouldn't use it except in a huge network where there was no other way to fit that many lines into NVRAM.

My motivation for not doing so is maintainability. The more complex the mask, the more difficult it will be for some subsequent administrator to figure out what was being done. I might be more open to the idea if Cisco saved comments with the configuration, but, of course, it doesn't.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=30483&t=30473
Re: Why use wildcard mask [7:30473]
Prior to IOS 12.x, the wildcard mask method allowed quite a bit of flexibility. Suppose you had all of your servers on a particular subnet, but you wanted a different subset of those servers to be accessible from different subnets. It used to be that you could specify something like

access-list 101 permit ip 172.16.24.0 0.0.0.255 192.168.1.0 0.0.0.28
access-list 101 permit ip 172.16.25.0 0.0.0.255 192.168.1.0 0.0.0.32
access-list 101 permit ip 172.16.26.0 0.0.0.255 192.168.1.0 0.0.0.65

The first line would permit the dot 24 subnet to get to servers with addresses of dot 4, dot 8, dot 12, dot 16, dot 20, dot 24, and dot 28.
The second line would permit the dot 25 subnet to access the server with the address of dot 32.
The third line would permit the dot 26 subnet to get to servers dot 1, dot 64, and dot 65.

Granted, this is a convoluted example. But it allowed flexibility and creativity in design.

Granted too that you can still accomplish the same thing using the host switch, or being a little more creative with the network specification.

With the advent of IOS 12.x wildcard bits must be contiguous from the right, so you lose this kind of power. Also takes the fun out of the network a.b.c.d x.x.x.x area command in OSPF!

BTW, Mark, I see these odd/even filtering questions in your study materials and elsewhere. While I understand the goal of the exercise, it has always struck me as a pretty bizarre premise. Where exactly in the real world is there any design such that filtering by odd or even would be practical? Let alone filtering by multiples of 4 or 8 or whatever? (And yes, after two runs through you know where, I fully appreciate that in some places, like the brokerage firm where I used to work, there is very little relationship between the requirements you are given and the real world.)

Chuck

"Marc Russell" wrote in message news:[EMAIL PROTECTED]...
> Yes, it does make simple tasks a little more complicated. However, using inverse masking can make complex tasks much easier.
>
> Take this issue. Say you are asked to filter access to all odd 192.168.x.0 /24 routes.
>
> Your method.
>
> 192.168.1.0 255.255.255.0
> 192.168.3.0 255.255.255.0
> 192.168.5.0 255.255.255.0

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=30482&t=30473
Re: Why use wildcard mask [7:30473]
Yes, it does make simple tasks a little more complicated. However, using inverse masking can make complex tasks much easier.

Take this issue. Say you are asked to filter access to all odd 192.168.x.0 /24 routes.

Your method.

192.168.1.0 255.255.255.0
192.168.3.0 255.255.255.0
192.168.5.0 255.255.255.0
Re: Why use wildcard mask [7:30473]
I asked one of the IOS developers about it, and he pointed out that access lists were developed before subnetting. The wildcard mask is the natural way hardware does matching.

When subnets were defined, their documentation specified subnet masks. With 20/20 hindsight, it might have been a good idea to go back and change wildcard masks, but, of course, that would have introduced compatibility problems.

> I think it all originated from the principles of:
> 1 = Do not care (matches everything and anything)
> 0 = Care (matches only the identical corresponding digit)
>
> Maybe it is a hang-on from the old binary digit stuff. Man, you have no choice than to do the inverse, else your access-list would not work, unless you are ready to develop a router IOS that will use the direct mask.
>
> Good luck
>
> Regards,
> Oletu

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=30479&t=30473
Re: Why use wildcard mask [7:30473]
I think it all originated from the principles of:
1 = Do not care (matches everything and anything)
0 = Care (matches only the identical corresponding digit)

Maybe it is a hang-on from the old binary digit stuff. Man, you have no choice other than to do the inverse, or else your access-list would not work, unless you are ready to develop a router IOS that will use the direct mask.

Good luck

Regards,
Oletu

- Original Message -
From:
To:
Sent: Saturday, December 29, 2001 10:50 PM
Subject: Why use wildcard mask [7:30473]

> Hi All,
>
> I am trying to find out why we use inverse/wildcard
> masks while using access lists?
>
> For example, if I want to deny the 192.168.1.0 255.255.255.0
> network, on the access list, we configure this
> as 192.168.1.0 0.0.0.255, but why do we do it this
> way instead of 255.255.255.0?
>
> All this seems to be is just an inverse relationship pointing back at the
> same thing. Even if I want to get specific and deny 192.168.1.0
> 255.255.255.192, this translates to 192.168.1.0 0.0.0.63, which seems to be
> just the standard mask subtracted from 255.255.255.255.
>
> Is there a specific reason why we do inverse masks? It seems to be easier
> just to configure it with normal masks. This way, we skip an extra
> procedure.
>
> thanks
> Mike
_
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=30477&t=30473
Why use wildcard mask [7:30473]
Hi All,

I am trying to find out why we use inverse/wildcard masks while using access lists?

For example, if I want to deny the 192.168.1.0 255.255.255.0 network, on the access list, we configure this as 192.168.1.0 0.0.0.255, but why do we do it this way instead of 255.255.255.0?

All this seems to be is just an inverse relationship pointing back at the same thing. Even if I want to get specific and deny 192.168.1.0 255.255.255.192, this translates to 192.168.1.0 0.0.0.63, which seems to be just the standard mask subtracted from 255.255.255.255.

Is there a specific reason why we do inverse masks? It seems to be easier just to configure it with normal masks. This way, we skip an extra procedure.

thanks
Mike

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=30473&t=30473
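As an added illustration that is not part of any post in this thread, the Python below implements the IOS-style "1 = don't care, 0 = must match" comparison Mike and Oletu describe, derives the wildcard from a subnet mask, and shows the non-contiguous wildcard (0.0.254.255) that lets the odd 192.168.x.0 /24 networks from the earlier quoted exchange be matched with a single entry instead of one line per subnet. The 192.168.x.0 addresses and the helper names are constructed for the example.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def wildcard_from_mask(mask: str) -> str:
    """Wildcard (inverse) mask: every bit of the subnet mask flipped,
    which is the same thing as 255.255.255.255 minus the mask."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ ALL_ONES))


def acl_matches(address: str, acl_addr: str, wildcard: str) -> bool:
    """IOS-style comparison: a 1 bit in the wildcard is 'don't care';
    a 0 bit means that bit of the address must equal the ACL address."""
    care = int(ipaddress.IPv4Address(wildcard)) ^ ALL_ONES
    addr = int(ipaddress.IPv4Address(address))
    base = int(ipaddress.IPv4Address(acl_addr))
    return (addr & care) == (base & care)


def third_octets_matched(acl_addr: str, wildcard: str) -> list:
    """Which 192.168.x.0 networks (x from 0 to 255) a single entry covers."""
    return [x for x in range(256)
            if acl_matches(f"192.168.{x}.0", acl_addr, wildcard)]


def odd_subnet_entry() -> tuple:
    """One-line alternative to listing 192.168.1.0, 192.168.3.0, ... /24 separately:
    wildcard 0.0.254.255 cares only about the low bit of the third octet, which
    must be 1. A contiguous subnet mask cannot express this; a wildcard can."""
    return ("192.168.1.0", "0.0.254.255")


if __name__ == "__main__":
    print(wildcard_from_mask("255.255.255.192"))        # 0.0.0.63
    entry, wc = odd_subnet_entry()
    print(third_octets_matched(entry, wc))               # [1, 3, 5, ..., 255]
```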
