From: Brian McGahan (brian@xxxxxxxxxxxxxxx)
Date: Tue Jul 16 2002 - 21:16:37 GMT-3
Now that I'm thinking about this a bit more, I'm starting to confuse
myself. When you have two addresses and you're trying to figure out the
most specific wildcard to match them, the operation is XOR. For
example:
10000000 <-- 128
00000001 <-- 1
--------
10000001 <-- 129 wildcard
10000000 <-- 128
10000001 <-- 129
--------
00000001 <-- 1 wildcard
The truth table for XOR is:
__XOR__
0 0 | 0
0 1 | 1
1 0 | 1
1 1 | 0
However, if you extend XOR to a 3 digit comparison, you get:
___XOR___
0 0 0 | 0
0 1 0 | 1
1 0 0 | 1
1 1 0 | 0
0 0 1 | 1
0 1 1 | 0
1 0 1 | 0
1 1 1 | 1
and this is not the wildcard operation.
So what is the wildcard operation? A pseudo extended XOR? For more
info on logic gates:
http://www.shef.ac.uk/uni/academic/N-Q/phys/teaching/phy107/othergates.html
Brian McGahan, CCIE #8593
Director of Design and Implementation
brian@cyscoexpert.com
CyscoExpert Corporation
Internetwork Consulting & Training
http://www.cyscoexpert.com
Voice: 847.674.3392
Fax: 847.674.2625
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Hemant_Kumar@BERLEX.COM
Sent: Tuesday, July 16, 2002 6:39 PM
To: Darek Kuzma
Cc: ccielab@groupstudy.com; nobody@groupstudy.com
Subject: Re: ACL fewest numbers of lines
Darek,
Very good explanation. Can you direct me to where I can get more
information on this? I have been looking for such an explanation but never
found any document that would explain it.
Thanks
HK
From: Darek Kuzma <darekk@optonline.net>
Sent by: nobody@groupstudy.com
To: ccielab@groupstudy.com
cc:
Subject: Re: ACL fewest numbers of lines
07/17/2002 12:41 AM
Please respond to Darek Kuzma
Alex,
We can write a one-line ACL which will deny the networks you specified, but it
will also deny a whole bunch of other IPs.
Assuming that the listed networks are /24s, the ACL is:
deny ip 128.3.1.0 109.252.56.255
The formula is:
Write all addresses in binary, one under another:
10001100.11000111.00111001.00000000
10100001.11000111.00111001.00000000
11001001.00111011.00000001.00000000
11001001.00111111.00000001.00000000
If in a column we have all "0" or all "1", it means that the wildcard mask
bit must be 0 (care); 1 otherwise:
01101101.11111100.00111000.11111111 (the last octet is 255 because of the
assumption of /24 networks)
If the mask bit is 0, the network bit is 0 or 1 depending on whether the column was all "0" or
all "1" (because we "care").
If the mask bit is 1, the network bit can be 0 or 1 (the mask is "don't care" anyway). I'm
putting all "0":
10000000.00000011.00000001.00000000
The result is: 128.3.1.0 109.252.56.255
Thanks,
Darek Kuzma
Alex wrote:
> Requirement:
>
> Create an access list with the fewest numbers of lines to deny.
>
> 140.199.57.0
> 161.199.57.0
> 201.59.1.0
> 201.63.1.0
>
> I can do it in 3 lines but I believe that there is a way to do it in 1
> line? Anybody know?
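Darek's column procedure above, and the question Brian raises at the top of the thread (what the per-column operation actually is, given that a 3-input XOR gate does not give it), as an added Python example. This is not code from any poster or from GroupStudy. The four networks are Alex's, and the /24 prefix on each is Darek's assumption made explicit; everything else (function names, the over-match count) is constructed here. Per bit the wildcard is (OR of all addresses) XOR (AND of all addresses), which is 1 exactly when the column is not all-equal; that is a "not all the same" test, not N-input XOR, which is parity.

```python
import ipaddress
from typing import Iterable, List, Tuple

IPV4_MASK = 0xFFFFFFFF


def wildcard_bit(column: List[int]) -> int:
    """Wildcard bit for one bit-column of the address list:
    0 ("care") when every address has the same bit here, 1 otherwise."""
    return 0 if len(set(column)) == 1 else 1


def xor_parity(column: List[int]) -> int:
    """N-input XOR as a logic gate is parity: 1 when an odd number of
    inputs are 1. For three or more inputs this is not the wildcard rule."""
    return sum(column) % 2


def summarize_wildcard(networks: Iterable[str]) -> Tuple[str, str]:
    """Compute the single 'base wildcard' pair covering every listed network.

    wildcard = (OR of all addresses) XOR (AND of all addresses), plus the host
    bits of each prefix (also "don't care"). Base = AND of all addresses with
    the wildcard bits cleared (Darek's choice of writing 0 there).
    """
    nets = [ipaddress.IPv4Network(n, strict=False) for n in networks]
    all_or, all_and, host_bits = 0, IPV4_MASK, 0
    for net in nets:
        addr = int(net.network_address)
        all_or |= addr
        all_and &= addr
        host_bits |= int(net.hostmask)
    wildcard = (all_or ^ all_and) | host_bits
    base = all_and & ~wildcard & IPV4_MASK
    return str(ipaddress.IPv4Address(base)), str(ipaddress.IPv4Address(wildcard))


def matches(address: str, base: str, wildcard: str) -> bool:
    """True if the ACL entry 'base wildcard' matches this address:
    every 'care' bit (wildcard bit 0) must equal the base's bit."""
    diff = int(ipaddress.IPv4Address(address)) ^ int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & IPV4_MASK
    return diff & care == 0


def overmatch(networks: Iterable[str]) -> Tuple[int, int]:
    """Return (addresses the one-line entry matches, addresses actually listed).
    Each wildcard '1' bit doubles the matched range, so the first number is
    2 ** popcount(wildcard)."""
    nets = list(networks)
    _, wildcard = summarize_wildcard(nets)
    dont_care_bits = bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    listed = sum(ipaddress.IPv4Network(n, strict=False).num_addresses for n in nets)
    return 1 << dont_care_bits, listed


# Alex's four networks, with Darek's /24 assumption made explicit (constructed input).
ALEX_NETWORKS = ["140.199.57.0/24", "161.199.57.0/24", "201.59.1.0/24", "201.63.1.0/24"]

if __name__ == "__main__":
    base, wc = summarize_wildcard(ALEX_NETWORKS)
    print(f"deny ip {base} {wc}")
    hit, listed = overmatch(ALEX_NETWORKS)
    print(f"entry matches {hit} addresses; {listed} of them were listed")
    for col in ([1, 1, 1], [0, 1, 1]):
        print(col, "wildcard bit:", wildcard_bit(col), "3-input XOR:", xor_parity(col))
```

Run against Alex's list this reproduces Darek's `deny ip 128.3.1.0 109.252.56.255`. The over-match check is the part worth keeping around: that wildcard has 22 "don't care" bits, so the one line covers 2^22 addresses (4096 /24s) to deny the four that were asked for, which is the "whole bunch of other IPs" Darek warns about, quantified. Before collapsing an ACL this way, confirm that nothing in the extra range is traffic you needed to permit (or, for a permit entry, deny).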
This archive was generated by hypermail 2.1.4 : Sat Sep 07 2002 - 19:36:33 GMT-3