From: Brian McGahan (brian@cyscoexpert.com)
Date: Thu Mar 27 2003 - 18:53:12 GMT-3

Daniel,

Yes, that is true if you are looking for networks with anything
in the last octet. Like I said, as with any CCIE question, it depends
on how the question is worded.

Suppose you are asked to deny the network 10.0.0.0 from being
advertised to a neighbor. You are denying much more than just 10.0.0.0
if your access-list reads:

access-list 1 deny 10.0.0.0 0.255.255.255
access-list 1 permit any

HTH

Brian McGahan, CCIE #8593
Director of Design and Implementation
brian@cyscoexpert.com
CyscoExpert Corporation
Internetwork Consulting & Training
Toll Free: 866.CyscoXP
Fax: 847.674.2625
> -----Original Message-----
> From: Daniel Garrity [mailto:ccie@garrityfamily.com]
> Sent: Thursday, March 27, 2003 3:03 PM
> To: Brian McGahan; Kristof Ulrix; ccielab@groupstudy.com
> Subject: RE: 1 aggregated ACL
>
> Great explanation! There is, however, one change I would make.
>
>
>
> The mask should be 10.4.110.255. Remember that the last octet is to
> be the entire subnet range. So the below example is actually for
> addresses 0-255 in the last octet. So it should look like this.
>
> > 10100101.00011000.00101101.00000000
> > 10100101.00011000.00101101.00000001
> > 10100101.00011000.00101101.00000011
> > 10100101.00011000.00101101.00000111
> > 10100101.00011000.00101101.00001111
> > 10100101.00011000.00101101.00011111
> > 10100101.00011000.00101101.00011111
> > 10100101.00011000.00101101.00111111
> > 10100101.00011000.00101101.01111111
> > 10100101.00011000.00101101.11111111
>
>
> > 10100111.00011000.00101111.00000000
> > 10100111.00011000.00101111.00000001
> > 10100111.00011000.00101111.00000011
> > 10100111.00011000.00101111.00000111
> > 10100111.00011000.00101111.00001111
> > 10100111.00011000.00101111.00011111
> > 10100111.00011000.00101111.00011111
> > 10100111.00011000.00101111.00111111
> > 10100111.00011000.00101111.01111111
> > 10100111.00011000.00101111.11111111
>
>
> > 10101111.00011100.01000001.00000000
> > 10101111.00011100.01000001.00000001
> > 10101111.00011100.01000001.00000011
> > 10101111.00011100.01000001.00000111
> > 10101111.00011100.01000001.00001111
> > 10101111.00011100.01000001.00011111
> > 10101111.00011100.01000001.00011111
> > 10101111.00011100.01000001.00111111
> > 10101111.00011100.01000001.01111111
> > && 10101111.00011100.01000001.11111111
>
> > ------------------------------------------
> > 10100101.00011000.00000001.00000000 = 165.24.1.0
> >
> > ANDing them comes up with the network address.
> >
> > 10100101.00011000.00101101.00000000
> > 10100101.00011000.00101101.00000001
> > 10100101.00011000.00101101.00000011
> > 10100101.00011000.00101101.00000111
> > 10100101.00011000.00101101.00001111
> > 10100101.00011000.00101101.00011111
> > 10100101.00011000.00101101.00011111
> > 10100101.00011000.00101101.00111111
> > 10100101.00011000.00101101.01111111
> > 10100101.00011000.00101101.11111111
>
>
> > 10100111.00011000.00101111.00000000
> > 10100111.00011000.00101111.00000001
> > 10100111.00011000.00101111.00000011
> > 10100111.00011000.00101111.00000111
> > 10100111.00011000.00101111.00001111
> > 10100111.00011000.00101111.00011111
> > 10100111.00011000.00101111.00011111
> > 10100111.00011000.00101111.00111111
> > 10100111.00011000.00101111.01111111
> > 10100111.00011000.00101111.11111111
>
>
> > 10101111.00011100.01000001.00000000
> > 10101111.00011100.01000001.00000001
> > 10101111.00011100.01000001.00000011
> > 10101111.00011100.01000001.00000111
> > 10101111.00011100.01000001.00001111
> > 10101111.00011100.01000001.00011111
> > 10101111.00011100.01000001.00011111
> > 10101111.00011100.01000001.00111111
> > 10101111.00011100.01000001.01111111
> > XOR 10101111.00011100.01000001.11111111
> > ------------------------------------------
> > 00001010.00000100.01101110.11111111 = 10.4.110.255
>
>
>
> HTH,
>
>
> Dan
>
>
>
>
>
> -----Original Message-----
> From: Brian McGahan [mailto:brian@cyscoexpert.com]
> Sent: Wednesday, March 26, 2003 8:40 AM
> To: 'Kristof Ulrix'; ccielab@groupstudy.com
> Subject: RE: 1 aggregated ACL
>
>
> Kristof,
>
> Yes, this list does overlap a significant amount of address
> space. Like any question on the CCIE Lab exam, the answer to a question
> like this depends on what the question is exactly asking. If a question
> asks you to match X amount of networks in the least amount of lines
> possible, the following list is valid:
>
> Access-list 1 permit 0.0.0.0 255.255.255.255
>
> Although it matches everything, it technically matches all the
> networks in the least amount of lines, which in this case is one. If
> the question is asking you to match X amount of networks in the least
> amount of lines possible, while at the same time not overlapping any
> address space, this is a different matter.
>
> The logic of the answer I provided still remains however. To
> compute the network you are checking, the router uses logical AND. To
> compute a wildcard, it uses a logical XOR.
>
>
> HTH
>
> Brian McGahan, CCIE #8593
> Director of Design and Implementation
> brian@cyscoexpert.com
>
> CyscoExpert Corporation
> Internetwork Consulting & Training
> Toll Free: 866.CyscoXP
> Fax: 847.674.2625
>
>
> > -----Original Message-----
> > From: Kristof Ulrix [mailto:kristof@uk-systems.com]
> > Sent: Wednesday, March 26, 2003 10:33 AM
> > To: Brian McGahan; ccielab@groupstudy.com
> > Subject: RE: 1 aggregated ACL
> >
> > Brian,
> >
> > this looks right but it's not:
> > if we take a look at the first bytes:
> >
> > Bytes to be selected in ACL:
> > 165
> > 167
> > 175
> >
> > Your solution is 165 with wildcard 10.
> >
> > But:
> > network 165 10100101
> > mask 10 00001010
> > Matches:
> > 165 10100101
> > 167 10100111
> > 173 10101101 <--- This was not requested
> > 175 10101111
> >
> > This means that the 173 network will also be filtered.
> >
> > For the third byte your solution has a wildcard 110 (01101110b)
> > It has 5 ones, this means 32 combinations will be filtered, and only 3
> > are requested.
> >
> > The correct solution has 2 lines in the ACL:
> >
> > 165.24.45.0 mask 2.0.2.255
> > 175.28.65.0 mask 0.0.0.255
> >
> > The AND-rule is correct for the network part,
> > but you can't use the XOR for the mask.
> >
> >
> > Kristof Ulrix
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Brian McGahan
> > Sent: Tuesday, March 25, 2003 23:45
> > To: 'ccie_studying'; 'Scott M. Livingston'; ccielab@groupstudy.com
> > Subject: RE: 1 aggregated ACL
> >
> >
> > To find a network and wildcard pair, you need to use the AND and XOR
> > logic gates.
> >
> > A AND B
> > _____________
> > | A | B | out |
> > | 0 | 0 | 0 |
> > | 0 | 1 | 0 |
> > | 1 | 0 | 0 |
> > | 1 | 1 | 1 |
> > -------------
> >
> >
> > A XOR B
> > _____________
> > | A | B | out |
> > | 0 | 0 | 0 |
> > | 0 | 1 | 1 |
> > | 1 | 0 | 1 |
> > | 1 | 1 | 0 |
> > -------------
> >
> >
> >
> > Write the networks out in binary you are trying to find the list for:
> >
> > 165.24.45.0
> > 167.24.47.0
> > 175.28.65.0
> >
> >
> > 10100101.00011000.00101101.00000000
> > 10100111.00011000.00101111.00000000
> > && 10101111.00011100.01000001.00000000
> > ------------------------------------------
> > 10100101.00011000.00000001.00000000 = 165.24.1.0
> >
> > ANDing them comes up with the network address.
> >
> >
> > 10100101.00011000.00101101.00000000
> > 10100111.00011000.00101111.00000000
> > XOR 10101111.00011100.01000001.00000000
> > ------------------------------------------
> > 00001010.00000100.01101110.00000000 = 10.4.110.0
> >
> > XORing them comes up with the wildcard address.
> >
> > Therefore, the most specific match for these three networks is:
> >
> > 165.24.1.0 10.4.110.0
> >
> >
> > Here's another of my threads on the same topic:
> >
> > http://www.groupstudy.com/archives/ccielab/200210/msg02503.html
> >
> >
> > HTH
> >
> > Brian McGahan, CCIE #8593
> > Director of Design and Implementation
> > brian@cyscoexpert.com
> >
> > CyscoExpert Corporation
> > Internetwork Consulting & Training
> > Toll Free: 866.CyscoXP
> > Fax: 847.674.2625
> >
> >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > ccie_studying
> > > Sent: Tuesday, March 25, 2003 2:37 PM
> > > To: Scott M. Livingston; ccielab@groupstudy.com
> > > Subject: Re: 1 aggregated ACL
> > >
> > > I think if only summary to one network, it should be:
> > >
> > > 164.24.32.0 with wildcard 15.7.15.255 or subnet mask 240.248.240.0
> > >
> > > ----- Original Message -----
> > > From: "Scott M. Livingston" <scottl@sprinthosting.net>
> > > To: <ccielab@groupstudy.com>
> > > Sent: Tuesday, March 25, 2003 11:26 AM
> > > Subject: 1 aggregated ACL
> > >
> > >
> > > > This was posted on another board so I wanted to check the answer
> > > > that was given. It happens to be the same answer I came up with.
> > > > Also, if someone has any other teasers maybe you can post them.
> > > > I am using the formula Tim Fletcher taught those of us that were
> > > > doing it another way (my wrong way :)).
> > > >
> > > > 165.24.45.0
> > > > 167.24.47.0
> > > > 175.28.65.0
> > > >
> > > >
> > > > Answer:
> > > > 165.24.1.0 mask 10.4.110.255
> > > >
> > > > thank you,
> > > > scott
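
Added example, not part of any message in this thread: a Python check of the aggregation method discussed above, which derives the base/wildcard pair for the three networks and then lists every /24 that each proposed ACL matches beyond the ones requested. The function names and the ONE_LINE / TWO_LINE labels are assumptions made for this illustration; the addresses and wildcards are the ones quoted in the thread.

```python
from functools import reduce
from ipaddress import IPv4Address

REQUESTED = {"165.24.45.0", "167.24.47.0", "175.28.65.0"}  # from the thread

def to_int(addr):
    return int(IPv4Address(addr))

def aggregate(networks):
    """One base/wildcard pair covering all networks.

    base     = bitwise AND of every address
    wildcard = bit positions where the addresses disagree (OR ^ AND);
               this reproduces the 10.4.110.0 figure in the thread,
               which a literal chained XOR of three values would not.
    """
    vals = [to_int(n) for n in networks]
    base = reduce(lambda a, b: a & b, vals)
    union = reduce(lambda a, b: a | b, vals)
    return str(IPv4Address(base)), str(IPv4Address(union ^ base))

def matches(addr, base, wildcard):
    """IOS-style test: compare only the bits the wildcard leaves at 0."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)

def matched_networks(base, wildcard):
    """Every /24 an entry matches (host octet ignored)."""
    w = to_int(wildcard) & 0xFFFFFF00
    b = to_int(base) & 0xFFFFFF00 & ~w
    found, sub = set(), w
    while True:                      # walk all subsets of the wildcard bits
        found.add(str(IPv4Address(b | sub)))
        if sub == 0:
            return found
        sub = (sub - 1) & w

def unrequested(acl, requested=REQUESTED):
    """Networks the ACL entries match beyond the requested set."""
    covered = set().union(*(matched_networks(b, w) for b, w in acl))
    assert requested <= covered, "ACL misses a requested network"
    return covered - requested

# Labels are assumptions; the entries are the proposals quoted in the thread.
ONE_LINE = [("165.24.1.0", "10.4.110.255")]
TWO_LINE = [("165.24.45.0", "2.0.2.255"), ("175.28.65.0", "0.0.0.255")]

if __name__ == "__main__":
    print(aggregate(REQUESTED))
    print(len(unrequested(ONE_LINE)), "unrequested /24s for the one-line ACL")
    print(sorted(unrequested(TWO_LINE)))
```

Running the same check against a filter before deploying it shows exactly which address space an aggregated entry permits or denies besides the intended networks.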