From: OhioHondo (ohiohondo@columbus.rr.com)
Date: Tue Mar 18 2003 - 16:18:28 GMT-3
As in any of these "with as few lines as possible" questions, the unanswered question
is always "How many additional networks are allowed?". If the question
desires a one line solution it should say so!!!!!
With no answer to the "How many additional" question, you can always write a
one line ACL to fit any number of networks. Can you allow 5 extra, 50 extra,
500 extra, 500000 extra? Who knows? But the "How many" question has to be
answered prior to coming up with an "as few lines as possible" solution.
Bad but it fits the criteria given:
deny tcp 131.24.192.0 120.255.255.255 eq ftp any
deny tcp 131.24.192.0 120.255.255.255 eq www any
Enough of that, given the 5 networks that you specified:
These 3 networks can be specified in a single ACL with 1 extra network
deny ftp, http from 131.24.194.x
deny ftp, http from 131.24.195.x
deny ftp, http from 131.24.193.x
deny tcp 131.24.192.0 0.0.3.255 eq ftp any
deny tcp 131.24.192.0 0.0.3.255 eq www any
These last two have seven bits that don't match. Any attempt to make one ACL
out of them would result in 128-2=126 extra networks (128 is 2 to the 7th
power), networks that would be scattered over a broad spectrum. I would make
separate ACLs for each of them.
deny ftp, http from 131.25.194.x
deny ftp, http from 135.152.1.1
deny tcp 131.25.194.0 0.0.0.255 eq ftp any
deny tcp 131.25.194.0 0.0.0.255 eq www any
deny tcp 135.152.1.1 0.0.0.0 eq ftp any
deny tcp 135.152.1.1 0.0.0.0 eq www any
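Added example, not part of the thread or of the Solie book: a small Python helper that merges several source entries into one wildcard line the way a single ACL statement would, counts how many addresses and /24 blocks that line really admits, and evaluates an entry exactly as the router does, so the "how many additional networks" question gets a number and a candidate line can be checked against every intended source before it is configured. The addresses are the ones from this thread.

```python
"""Cisco ACL wildcard-mask arithmetic (added example, not the thread's code)."""

def to_int(dotted):
    """Dotted quad -> 32-bit integer."""
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def to_dotted(n):
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def popcount(n):
    return bin(n).count("1")

def matches(addr, base, wildcard):
    """Router test: wherever the wildcard bit is 0, addr must equal base."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)

def summarize(entries):
    """Smallest single (base, wildcard) covering all (base, wildcard) entries.

    Every bit that differs between the bases, plus every bit an entry already
    wildcards, becomes a don't-care bit. Returns (base, wildcard,
    dont_care_bits, addresses_matched, addresses_intended); intended assumes
    the input entries do not overlap, as in the lab question.
    """
    first = to_int(entries[0][0])
    wc = 0
    for base, wildcard in entries:
        wc |= to_int(wildcard) | (to_int(base) ^ first)
    bits = popcount(wc)
    intended = sum(2 ** popcount(to_int(w)) for _, w in entries)
    base = to_dotted(first & ~wc & 0xFFFFFFFF)
    return base, to_dotted(wc), bits, 2 ** bits, intended

def covered_blocks(wildcard, prefix_len=24):
    """Number of /prefix_len blocks the wildcard touches: 2^k for the k
    don't-care bits that lie inside the prefix."""
    return 2 ** popcount(to_int(wildcard) >> (32 - prefix_len))

if __name__ == "__main__":
    three = [("131.24.194.0", "0.0.0.255"), ("131.24.195.0", "0.0.0.255"),
             ("131.24.193.0", "0.0.0.255")]
    print(summarize(three), covered_blocks("0.0.3.255"))    # 4 blocks, 3 wanted
    two = [("131.25.194.0", "0.0.0.255"), ("135.152.1.1", "0.0.0.0")]
    print(summarize(two), covered_blocks("4.129.195.255"))  # 128 blocks
    # A fourth-octet wildcard of 1 only admits hosts .0 and .1 of each /24
    print(matches("131.24.194.7", "131.0.0.0", "8.159.195.1"))
```

Running it against the single-line solutions quoted below shows that neither admits host .7 of 131.24.194.x, which is the kind of check to do before trading lines for coverage.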
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
CCIE FUN
Sent: Tuesday, March 18, 2003 12:48 PM
To: ccielab@groupstudy.com
Subject: Creating access-lists with minimum lines
Hello all
I came across this lab question from the Karl Solie
Darth Reid lab (section VII, question # 1)
On the ethernet segment of R1, write a traffic filter
blocking data from the following sources:(use as few
lines as possible)
deny ftp, http from 131.24.194.x
deny ftp, http from 131.25.194.x
deny ftp, http from 135.152.1.1
deny ftp, http from 131.24.195.x
deny ftp, http from 131.24.193.x
When I did the calculation my solution was as follows:
ip access-list extended Myfilter
deny tcp 131.0.0.0 8.159.195.1 eq ftp any
deny tcp 131.0.0.0 8.159.195.1 eq www any
permit ip any any
However, Karl Solie's solution for that question is
access-list 102 deny tcp 129.24.192.0 102.129.7.1 eq ftp any
deny tcp 129.24.192.0 102.129.7.1 eq www any
permit tcp any any
I am a little bit confused with the solution from
Solie's book.
I am trying to figure out how that calculation was
done.
Can anybody help?
This archive was generated by hypermail 2.1.4 : Sat Apr 05 2003 - 08:51:41 GMT-3