From: CCIE FUN (ccieexam2002@yahoo.com)
Date: Fri Mar 21 2003 - 00:44:32 GMT-3
I agree with the solution presented below from Scott
Morris.
Thanks for your help, guys.
However, I will make sure I ask the proctor if I get
these kinds of weird questions, to be on the safe side.
Thanks again,
--- Scott Morris <swm@emanon.com> wrote:
> Well, if you're going to write an ACL that permits
> extra networks
> anyway, why not just deny "any" or permit "any"?
> That's the least
> number of lines we can do things in if we don't care
> what else gets in.
>
> Minimal lines also means with the SPECIFIC matches
> of what was given to
> you. So the 0.1.3.255 mask will permit more traffic
> than you're looking
> for.
>
> This HAS indeed been clarified with lab proctors
> (just in case the
> overall logic is lost on some). But if you have
> doubts, ASK THE PROCTOR
> YOURSELF!
>
> Deny 135.152.1.1
> Deny 131.24.194.0 0.1.0.255
> Deny 131.24.193.0 0.0.2.255
> Permit any
>
> Scott
>
> -----Original Message-----
> From: nobody@groupstudy.com
> [mailto:nobody@groupstudy.com] On Behalf Of
> Scott M. Livingston
> Sent: Thursday, March 20, 2003 8:16 AM
> To: 'OhioHondo'; 'CCIE FUN'; ccielab@groupstudy.com
> Subject: RE: Creating access-lists with minimum
> lines
>
>
> This one appears to be working for me. Consensus or
> do I have something
> wrong? Forget about the protocol stuff; at this time
> I am just concerned
> w/ the networks for this task. Thank you!
>
> TASK (Excluding higher layer stuff)
> -----------------------------------
> deny 131.24.194.x
> deny 131.25.194.x
> deny 135.152.1.1
> deny 131.24.195.x
> deny 131.24.193.x
>
>
> Possible Solution?
> ------------------
> !
> access-list 12 deny 135.152.1.1
> access-list 12 deny 131.24.192.0 0.1.3.255
> access-list 12 permit any
> !
>
> -scott
>
> -----Original Message-----
> From: nobody@groupstudy.com
> [mailto:nobody@groupstudy.com] On Behalf Of
> OhioHondo
> Sent: Tuesday, March 18, 2003 1:18 PM
> To: CCIE FUN; ccielab@groupstudy.com
> Subject: RE: Creating access-lists with minimum
> lines
>
> As in any of these "with as few lines as possible",
> the unanswered
> question is always "How many additional networks are
> allowed?". If the
> question desires a one line solution it should say
> so!!!!!
>
> With no answer to the "How many additional"
> question, you can always
> write a one line ACL to fit any number of networks.
> Can you allow 5
> extra, 50 extra, 500 extra, 500000 extra? Who knows?
> But the "How many"
> question has to be answered before coming up with
> an "as few lines as
> possible" solution.
>
> Bad but it fits the criteria given:
> deny tcp 131.24.192.0 120.255.255.255 eq ftp any
> deny tcp 131.24.192.0 120.255.255.255 eq www any
>
> Enough of that, given the 5 networks that you
> specified:
> These 3 networks can be specified in a single ACL
> with 1 extra network:
> deny ftp, http from 131.24.194.x
> deny ftp, http from 131.24.195.x
> deny ftp, http from 131.24.193.x
>
> deny tcp 131.24.192.0 0.0.3.255 eq ftp any
> deny tcp 131.24.192.0 0.0.3.255 eq www any
>
>
> These last two have seven bits that don't match. Any
> attempt to make one
> ACL out of them would result in 128-2=126 extra
> networks (128 is 2 to
> the 7th power), networks that would be scattered
> over a broad spectrum.
> I would make separate ACLs for each of them.
>
> deny ftp, http from 131.25.194.x
> deny ftp, http from 135.152.1.1
>
> deny tcp 131.25.194.0 0.0.0.255 eq ftp any
> deny tcp 131.25.194.0 0.0.0.255 eq www any
> deny tcp 135.152.1.1 0.0.0.0 eq ftp any
> deny tcp 135.152.1.1 0.0.0.0 eq www any
>
>
> -----Original Message-----
> From: nobody@groupstudy.com
> [mailto:nobody@groupstudy.com]On Behalf Of
> CCIE FUN
> Sent: Tuesday, March 18, 2003 12:48 PM
> To: ccielab@groupstudy.com
> Subject: Creating access-lists with minimum lines
>
>
> Hello all
> I came across this lab question from the Karl Solie
> Darth Reid lab (section VII, question # 1)
>
> On the ethernet segment of R1, write a traffic
> filter
> blocking data from the following sources:(use as few
> lines as possible)
>
> deny ftp, http from 131.24.194.x
> deny ftp, http from 131.25.194.x
> deny ftp, http from 135.152.1.1
> deny ftp, http from 131.24.195.x
> deny ftp, http from 131.24.193.x
>
>
> When I did the calculation, my solution was as
> follows:
>
> ip access-list extended Myfilter
> deny tcp 131.0.0.0 8.159.195.1 eq ftp any
> deny tcp 131.0.0.0 8.159.195.1 eq www any
> permit ip any any
>
> However, Karl Solie's solution for that question
> is
>
>
> access-list 102 deny tcp 129.24.192.0 102.129.7.1 eq
> ftp any
> deny tcp 129.24.192.0 102.129.7.1 eq www any
> permit tcp any any
>
>
> I am a little bit confused by the solution from
> Solie's book.
>
> I am trying to figure out how that calculation was
> done.
>
> Can anybody help?
>
>
>
>
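The wildcard arithmetic argued over in this thread (Scott Morris's two-line aggregation, OhioHondo's "seven bits that don't match" count, and the one-line masks in the original question) is easy to get wrong by hand, so here is an added checker. It is my own code, not from the thread, the list archive or the Solie book. It takes a deny list as Cisco base/wildcard pairs, reports which of the task's five sources each list fully covers, counts how many addresses beyond those sources it also catches (inclusion-exclusion over the entries, so overlapping lines are counted once), and computes the tightest single wildcard that covers a set of sources. The source list and the four candidate ACLs are transcribed from the posts; the host 135.152.1.1 is treated as a /32, and a /24 that is only covered when two entries are combined is reported as uncovered, which is a deliberate simplification.

```python
"""Audit Cisco wildcard-mask ACL entries against the sources a task says to deny.

Added checker for the thread above; the addresses below are transcribed from
the posts, and 135.152.1.1 is treated as a /32.
"""
from itertools import combinations


def ip2int(s):
    a, b, c, d = (int(x) for x in s.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def int2ip(n):
    return ".".join(str((n >> s) & 255) for s in (24, 16, 8, 0))


def target(s):
    """'131.24.194.0/24' -> (network, hostmask); hostmask bits are the host part."""
    net, plen = s.split("/")
    hostmask = (1 << (32 - int(plen))) - 1
    return ip2int(net) & ~hostmask, hostmask


def entry(s):
    """'131.24.192.0 0.1.3.255' -> (base, wild); a bare address is a host entry."""
    parts = s.split()
    return ip2int(parts[0]), (ip2int(parts[1]) if len(parts) > 1 else 0)


def matches(e, ip):
    """IOS semantics: wildcard bits set to 1 are ignored in the comparison."""
    base, wild = e
    return (ip ^ base) & ~wild == 0


def covers(e, t):
    """True if entry e matches every address of target t: the fixed bits agree
    on the network part, and every host bit of t is a wildcard bit of e."""
    base, wild = e
    net, hostmask = t
    return hostmask & ~wild == 0 and (net ^ base) & ~wild == 0


def intersect(e1, e2):
    """Intersection of two wildcard sets: None if empty, else again (base, wild)."""
    (b1, w1), (b2, w2) = e1, e2
    if (b1 ^ b2) & ~(w1 | w2):          # a bit fixed in both entries disagrees
        return None
    return (b1 & ~w1) | (b2 & ~w2), w1 & w2


def union_size(entries):
    """Addresses matched by at least one entry (inclusion-exclusion, so
    overlapping entries are not double-counted)."""
    total = 0
    for k in range(1, len(entries) + 1):
        for combo in combinations(entries, k):
            inter = combo[0]
            for e in combo[1:]:
                inter = intersect(inter, e)
                if inter is None:
                    break
            if inter is not None:
                total += (-1) ** (k + 1) * (1 << bin(inter[1]).count("1"))
    return total


def aggregate(targets):
    """Tightest single (base, wild) covering all targets: every bit on which
    the networks differ, plus every host bit, must become a wildcard bit."""
    any_bits, all_bits, hosts = 0, 0xFFFFFFFF, 0
    for net, hostmask in targets:
        any_bits |= net
        all_bits &= net
        hosts |= hostmask
    wild = (any_bits ^ all_bits) | hosts
    return all_bits & ~wild, wild


def audit(acl, wanted):
    """Which wanted sources does the deny list fully cover, and how many
    addresses beyond them does it catch?  Assumes the wanted sources are disjoint."""
    entries = [entry(s) for s in acl]
    tgts = [target(s) for s in wanted]
    unmatched = [s for s, t in zip(wanted, tgts)
                 if not any(covers(e, t) for e in entries)]
    intended = sum(hm + 1 for _, hm in tgts)
    extra = union_size(entries) - intended if not unmatched else None
    return {"unmatched": unmatched, "extra_addresses": extra}


# Sources the task says to deny, as posted (the single host written as a /32).
WANTED = ["131.24.194.0/24", "131.25.194.0/24", "135.152.1.1/32",
          "131.24.195.0/24", "131.24.193.0/24"]

# Candidate deny lists from the thread, reduced to base/wildcard pairs.
CANDIDATES = {
    "Scott Morris": ["135.152.1.1", "131.24.194.0 0.1.0.255", "131.24.193.0 0.0.2.255"],
    "Scott Livingston": ["135.152.1.1", "131.24.192.0 0.1.3.255"],
    "CCIE FUN": ["131.0.0.0 8.159.195.1"],
    "Solie book": ["129.24.192.0 102.129.7.1"],
}

if __name__ == "__main__":
    for who, acl in CANDIDATES.items():
        r = audit(acl, WANTED)
        print(f"{who:17} unmatched={r['unmatched']} extra={r['extra_addresses']}")
    base, wild = aggregate([target("131.25.194.0/24"), target("135.152.1.1/32")])
    print("one line for 131.25.194.0/24 + 135.152.1.1:", int2ip(base), int2ip(wild),
          "->", 1 << bin(wild).count("1"), "addresses")
```

The "extra_addresses" figure divided by 256 is the number of extra /24 networks the thread keeps asking about; the aggregate of 131.25.194.0/24 and 135.152.1.1 comes out with fifteen wildcard bits, eight of them the host octet, which is where the seven differing bits and the 128 /24 blocks come from.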
This archive was generated by hypermail 2.1.4 : Sat Apr 05 2003 - 08:51:43 GMT-3