From: Scott Morris (swm@emanon.com)
Date: Thu Mar 20 2003 - 12:22:46 GMT-3
Well, if you're going to write an ACL that permits extra networks
anyway, why not just deny "any" or permit "any"? That's the least
number of lines we can do things in if we don't care what else gets in.
Minimal lines also means the SPECIFIC matches of what was given to
you. So the 0.1.3.255 mask will permit more traffic than you're looking
for.
This HAS indeed been clarified with lab proctors (just in case the
overall logic is lost on some). But if you have doubts, ASK THE PROCTOR
YOURSELF!
Deny 135.152.1.1
Deny 131.24.194.0 0.1.0.255
Deny 131.24.193.0 0.0.2.255
Permit any
Scott
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Scott M. Livingston
Sent: Thursday, March 20, 2003 8:16 AM
To: 'OhioHondo'; 'CCIE FUN'; ccielab@groupstudy.com
Subject: RE: Creating access-lists with minimum lines
This one appears to be working for me. Consensus or do I have something
wrong? Forget about the protocol stuff; at this time I am just concerned
w/ the networks for this task. Thank you!
TASK (Excluding higher layer stuff)
-----------------------------------
deny 131.24.194.x
deny 131.25.194.x
deny 135.152.1.1
deny 131.24.195.x
deny 131.24.193.x
Possible Solution?
------------------
!
access-list 12 deny 135.152.1.1
access-list 12 deny 131.24.192.0 0.1.3.255
access-list 12 permit any
!
-scott
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
OhioHondo
Sent: Tuesday, March 18, 2003 1:18 PM
To: CCIE FUN; ccielab@groupstudy.com
Subject: RE: Creating access-lists with minimum lines
As in any of these "with as few lines as possible", the unanswered
question is always "How many additional networks are allowed?". If the
question desires a one line solution it should say so!!!!!
With no answer to the "How many additional" question, you can always
write a one line ACL to fit any number of networks. Can you allow 5
extra, 50 extra, 500 extra, 500000 extra? Who knows? But the "How many"
question has to be answered prior to coming up with an "as few lines as
possible" solution.
Bad but it fits the criteria given:
deny tcp 131.24.192.0 120.255.255.255 eq ftp any
deny tcp 131.24.192.0 120.255.255.255 eq www any
Enough of that, given the 5 networks that you specified:
These 3 networks can be specified in a single ACL with 1 extra network:
deny ftp, http from 131.24.194.x
deny ftp, http from 131.24.195.x
deny ftp, http from 131.24.193.x
deny tcp 131.24.192.0 0.0.3.255 eq ftp any
deny tcp 131.24.192.0 0.0.3.255 eq www any
These last two have seven bits that don't match. Any attempt to make one
ACL out of them would result in 128-2=126 extra networks (128 is 2 to
the 7th power), networks that would be scattered over a broad spectrum.
I would make separate ACLs for each of them.
deny ftp, http from 131.25.194.x
deny ftp, http from 135.152.1.1
deny tcp 131.25.194.0 0.0.0.255 eq ftp any
deny tcp 131.25.194.0 0.0.0.255 eq www any
deny tcp 135.152.1.1 0.0.0.0 eq ftp any
deny tcp 135.152.1.1 0.0.0.0 eq www any
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
CCIE FUN
Sent: Tuesday, March 18, 2003 12:48 PM
To: ccielab@groupstudy.com
Subject: Creating access-lists with minimum lines
Hello all
I came across this lab question from the Karl Solie
Darth Reid lab (section VII, question #1)
On the ethernet segment of R1, write a traffic filter
blocking data from the following sources:(use as few
lines as possible)
deny ftp, http from 131.24.194.x
deny ftp, http from 131.25.194.x
deny ftp, http from 135.152.1.1
deny ftp, http from 131.24.195.x
deny ftp, http from 131.24.193.x
When I did the calculation my solution was as follows:
ip access-list extended Myfilter
deny tcp 131.0.0.0 8.159.195.1 eq ftp any
deny tcp 131.0.0.0 8.159.195.1 eq www any
permit ip any any
However, Karl Solie's solution for that question is
access-list 102 deny tcp 129.24.192.0 102.129.7.1 eq ftp any
deny tcp 129.24.192.0 102.129.7.1 eq www any
permit tcp any any
I am a little bit confused with the solution from
Solie's book.
I am trying to figure out how that calculation was
done.
Can anybody help?
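The wildcard arithmetic the whole thread turns on, as an added example that is not code from the thread or from the Solie/Reid lab: a small Python checker that, for each candidate ACL posted above, counts how many of the five required sources it fully covers, how many addresses it blocks beyond them, and how many required addresses it leaves unblocked. An address matches an entry when every bit that is 0 in the wildcard agrees with the base, i.e. `(addr ^ base) & ~wildcard == 0`. The five sources and the candidate entries are constructed here from the posts; `REQUIRED`, `CANDIDATES`, `audit` and `merge` are names I chose. `merge` generalises OhioHondo's "bits that don't match" argument: it builds the single smallest wildcard entry covering a list of networks, so the popcount of its wildcard tells you how many extra networks a one-liner drags in.

```python
"""Checker for Cisco wildcard-mask ACL entries (added example, not from the thread)."""
from itertools import combinations
from typing import List, NamedTuple, Optional

MASK = 0xFFFFFFFF


def ip2int(s: str) -> int:
    a, b, c, d = (int(x) for x in s.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def popcount(x: int) -> int:
    return bin(x).count("1")


class Entry(NamedTuple):
    """base/wildcard pair: bits set in `wild` are 'don't care'."""
    base: int
    wild: int

    @classmethod
    def parse(cls, text: str) -> "Entry":
        """'131.24.192.0 0.1.3.255' -> Entry; a bare address is a host entry."""
        parts = text.split()
        wild = ip2int(parts[1]) if len(parts) > 1 else 0
        return cls(ip2int(parts[0]) & ~wild & MASK, wild)

    @classmethod
    def network(cls, cidr: str) -> "Entry":
        """'131.24.194.0/24' -> equivalent wildcard entry (host bits wild)."""
        addr, plen = cidr.split("/")
        wild = (1 << (32 - int(plen))) - 1
        return cls(ip2int(addr) & ~wild & MASK, wild)

    def size(self) -> int:
        return 1 << popcount(self.wild)


def intersect(a: Entry, b: Entry) -> Optional[Entry]:
    """Intersection of two wildcard sets is empty or itself a wildcard set."""
    if (a.base ^ b.base) & ~a.wild & ~b.wild & MASK:
        return None  # a fixed bit disagrees: disjoint
    wild = a.wild & b.wild
    base = (a.base & ~a.wild) | (b.base & a.wild & ~b.wild)
    return Entry(base & MASK, wild)


def union_size(entries: List[Entry]) -> int:
    """Addresses matched by at least one entry, by inclusion-exclusion
    (exact even for masks far too large to enumerate, e.g. 120.255.255.255)."""
    total = 0
    for r in range(1, len(entries) + 1):
        for combo in combinations(entries, r):
            inter: Optional[Entry] = combo[0]
            for e in combo[1:]:
                inter = intersect(inter, e)
                if inter is None:
                    break
            if inter is not None:
                total += (-1) ** (r + 1) * inter.size()
    return total


def covers(e: Entry, net: Entry) -> bool:
    """True when every address of `net` matches `e` (net is a subset of e)."""
    return intersect(e, net) is not None and (e.wild & net.wild) == net.wild


def audit(acl: List[Entry], required: List[Entry]) -> dict:
    hits = [i for i in (intersect(a, r) for a in acl for r in required) if i]
    matched = union_size(acl)
    wanted = union_size(hits)
    return {
        "matched": matched,                                   # addresses the ACL blocks
        "covered": sum(any(covers(a, r) for a in acl) for r in required),
        "extra": matched - wanted,                            # blocked but never asked for
        "missing": union_size(required) - wanted,             # asked for but not blocked
    }


def merge(nets: List[Entry]) -> Entry:
    """Smallest single wildcard entry covering all `nets`: every bit on which
    two networks differ, plus every host bit, must become a wildcard bit."""
    base, wild = nets[0].base, 0
    for n in nets:
        wild |= n.wild | (base ^ n.base)
    return Entry(base & ~wild & MASK, wild)


# The task's five sources, as posted (".x" read as a /24).
REQUIRED = [Entry.network(n) for n in (
    "131.24.194.0/24", "131.25.194.0/24", "135.152.1.1/32",
    "131.24.195.0/24", "131.24.193.0/24")]

# Source/wildcard pairs from each candidate in the thread (protocol lines dropped).
CANDIDATES = {
    "CCIE FUN":   ["131.0.0.0 8.159.195.1"],
    "Solie":      ["129.24.192.0 102.129.7.1"],
    "Livingston": ["135.152.1.1", "131.24.192.0 0.1.3.255"],
    "Morris":     ["135.152.1.1", "131.24.194.0 0.1.0.255", "131.24.193.0 0.0.2.255"],
}


def audit_all() -> dict:
    return {who: audit([Entry.parse(t) for t in texts], REQUIRED)
            for who, texts in CANDIDATES.items()}


if __name__ == "__main__":
    for who, r in audit_all().items():
        print(f"{who:11} matched={r['matched']:>6} covered={r['covered']}/5 "
              f"extra={r['extra']:>6} missing={r['missing']}")
    m = merge(REQUIRED)
    print("one-line merge needs", popcount(m.wild), "wildcard bits ->", m.size(), "addresses")
```

Running it confirms the reply at the top of the thread: the three-deny, one-permit list blocks exactly the 1,025 required addresses and nothing else, while the 0.1.3.255 mask also blocks four extra /24s (131.24.192.x, 131.25.192.x, 131.25.193.x and 131.25.195.x). It also shows a check worth making on any "as few lines as possible" answer: a wildcard whose last octet is 1 matches only hosts .0 and .1 of each /24, so an entry that ends in .1 does not block a whole ".x" network at all. Merging the two sources OhioHondo calls "seven bits that don't match" gives a wildcard with seven set bits above the host octet, i.e. 128 /24s for two wanted networks.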
This archive was generated by hypermail 2.1.4 : Sat Apr 05 2003 - 08:51:42 GMT-3