Computing address/wildcard pairs (was RE: Solie Darth Reid

From: Brian McGahan (brian@cyscoexpert.com)
Date: Mon Oct 28 2002 - 22:27:27 GMT-3


Charles,

        Access-list address and wildcard pair calculations are based
around the AND and XOR logic gates.

AND: The output is high only when both inputs A and B are high.

A AND B
 _____________
| A | B | out |
| 0 | 0 |  0  |
| 0 | 1 |  0  |
| 1 | 0 |  0  |
| 1 | 1 |  1  |
 -------------

XOR: The output is high when either of inputs A or B is high, but not if
both A and B are high.

A XOR B
 _____________
| A | B | out |
| 0 | 0 |  0  |
| 0 | 1 |  1  |
| 1 | 0 |  1  |
| 1 | 1 |  0  |
 -------------

        To find the most specific address and wildcard pair that will
match two addresses, A and B, we use the gates AND and XOR. The address
we will check in the access-list is A AND B. The wildcard used to check
in this list will be A XOR B.

access-list 1 permit [address_to_check] [wildcard_used_to_check]

Take the following example:

We have two IP addresses, 10.20.30.40, and 40.30.20.10. How do we
create an access-list that is the most specific match for these two
addresses? First, write both addresses out in binary:

10.20.30.40 = 00001010.00010100.00011110.00101000
40.30.20.10 = 00101000.00011110.00010100.00001010

To find the address_to_check, take the logical AND of these addresses.

   00001010.00010100.00011110.00101000
&& 00101000.00011110.00010100.00001010
--------------------------------------
   00001000.00010100.00010100.00001000

This is our address_to_check: 8.20.20.8

To find the matching wildcard_used_to_check, we take the logical XOR of
these addresses.

    00001010.00010100.00011110.00101000
XOR 00101000.00011110.00010100.00001010
---------------------------------------
    00100010.00001010.00001010.00100010

This is our wildcard_used_to_check: 34.10.10.34

Therefore, the most specific match for both 10.20.30.40 and 40.30.20.10
would be:

access-list 1 permit 8.20.20.8 34.10.10.34

Here's one more:

A = 1.2.3.4
B = 5.6.7.8

1.2.3.4 = 00000001.00000010.00000011.00000100
5.6.7.8 = 00000101.00000110.00000111.00001000

A && B = 00000001.00000010.00000011.00000000
A XOR B = 00000100.00000100.00000100.00001100

Therefore the access-list would read:

access-list 1 permit 1.2.3.0 4.4.4.12

HTH

Brian McGahan, CCIE #8593
Director of Design and Implementation
brian@cyscoexpert.com

CyscoExpert Corporation
Internetwork Consulting & Training
Voice: 847.674.3392
Fax: 847.674.2625

> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Charles T. Alexander
> Sent: Monday, October 28, 2002 6:05 PM
> To: GroupStudy
> Subject: Solie Darth Reid Access list
>
> In section VII #1 there is the need to calculate a
> filter (corrected by errata) for which the answer,
> according to the solution, is
> access-list 101 deny tcp 129.24.192.0 102.129.7.1 eq
> ftp any
> I don't get that answer. I have looked in Caslow for
> an approach but still have not gotten the answer. Does
> anyone have a paper on how to compute these rather
> complex wildcards?
>
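The AND/XOR method from Brian's reply, written out as an added example (not code from the original thread). It generalizes the two-address case to any number of addresses (the wildcard becomes "every bit on which the inputs disagree", which reduces to A XOR B for two inputs), and it adds the check a reviewer of an ACL wants: how many addresses the "most specific" pair actually permits, since wildcard bits are don't-care bits and the pair matches far more than the two hosts it was built from. Function names and the `ipaddress`-based helpers are this example's own.

```python
import ipaddress
from functools import reduce

MASK32 = 0xFFFFFFFF


def to_int(addr: str) -> int:
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def to_dotted(value: int) -> str:
    """32-bit integer back to a dotted-quad string."""
    return str(ipaddress.IPv4Address(value & MASK32))


def address_wildcard_pair(*addresses: str) -> tuple[str, str]:
    """Most specific (address, wildcard) pair that matches every input.

    address  = AND of all inputs: the bits every input agrees on.
    wildcard = bits on which at least one input differs from another,
               i.e. (OR of all) AND NOT (AND of all).
    For exactly two inputs this is A AND B / A XOR B, as in the post.
    """
    ints = [to_int(a) for a in addresses]
    all_and = reduce(lambda x, y: x & y, ints)
    all_or = reduce(lambda x, y: x | y, ints)
    wildcard = all_or & ~all_and & MASK32
    return to_dotted(all_and), to_dotted(wildcard)


def matches(candidate: str, address: str, wildcard: str) -> bool:
    """Cisco ACL semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~to_int(wildcard) & MASK32
    return (to_int(candidate) & care) == (to_int(address) & care)


def matched_count(wildcard: str) -> int:
    """How many distinct addresses a pair permits: 2 ** (don't-care bits)."""
    return 1 << bin(to_int(wildcard)).count("1")


if __name__ == "__main__":
    # The two worked examples from the post.
    for hosts in (("10.20.30.40", "40.30.20.10"), ("1.2.3.4", "5.6.7.8")):
        addr, wc = address_wildcard_pair(*hosts)
        print(f"access-list 1 permit {addr} {wc}  "
              f"(permits {matched_count(wc)} addresses, not just {len(hosts)})")
```

For the 10.20.30.40 / 40.30.20.10 pair the wildcard 34.10.10.34 has eight don't-care bits, so the single ACL line permits 256 addresses; if only those two hosts should pass, two host entries are the safer filter.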



This archive was generated by hypermail 2.1.4 : Tue Nov 05 2002 - 08:35:58 GMT-3