From: Daniel Garrity (ccie@garrityfamily.com)
Date: Thu Mar 27 2003 - 18:03:23 GMT-3
Great explanation! There is, however, one change I would make.
The mask should be 10.4.110.255. Remember that the last octet is to
be the entire subnet range. So the below example is actually for addresses
0-255, in the last octet. So it should look like this.
> 10100101.00011000.00101101.00000000
> 10100101.00011000.00101101.00000001
> 10100101.00011000.00101101.00000011
> 10100101.00011000.00101101.00000111
> 10100101.00011000.00101101.00001111
> 10100101.00011000.00101101.00011111
> 10100101.00011000.00101101.00011111
> 10100101.00011000.00101101.00111111
> 10100101.00011000.00101101.01111111
> 10100101.00011000.00101101.11111111
> 10100111.00011000.00101111.00000000
> 10100111.00011000.00101111.00000001
> 10100111.00011000.00101111.00000011
> 10100111.00011000.00101111.00000111
> 10100111.00011000.00101111.00001111
> 10100111.00011000.00101111.00011111
> 10100111.00011000.00101111.00011111
> 10100111.00011000.00101111.00111111
> 10100111.00011000.00101111.01111111
> 10100111.00011000.00101111.11111111
> 10101111.00011100.01000001.00000000
> 10101111.00011100.01000001.00000001
> 10101111.00011100.01000001.00000011
> 10101111.00011100.01000001.00000111
> 10101111.00011100.01000001.00001111
> 10101111.00011100.01000001.00011111
> 10101111.00011100.01000001.00011111
> 10101111.00011100.01000001.00111111
> 10101111.00011100.01000001.01111111
> && 10101111.00011100.01000001.11111111
> ------------------------------------------
> 10100101.00011000.00000001.00000000 = 165.24.1.0
>
> ANDing them comes up with the network address.
>
> 10100101.00011000.00101101.00000000
> 10100101.00011000.00101101.00000001
> 10100101.00011000.00101101.00000011
> 10100101.00011000.00101101.00000111
> 10100101.00011000.00101101.00001111
> 10100101.00011000.00101101.00011111
> 10100101.00011000.00101101.00011111
> 10100101.00011000.00101101.00111111
> 10100101.00011000.00101101.01111111
> 10100101.00011000.00101101.11111111
> 10100111.00011000.00101111.00000000
> 10100111.00011000.00101111.00000001
> 10100111.00011000.00101111.00000011
> 10100111.00011000.00101111.00000111
> 10100111.00011000.00101111.00001111
> 10100111.00011000.00101111.00011111
> 10100111.00011000.00101111.00011111
> 10100111.00011000.00101111.00111111
> 10100111.00011000.00101111.01111111
> 10100111.00011000.00101111.11111111
> 10101111.00011100.01000001.00000000
> 10101111.00011100.01000001.00000001
> 10101111.00011100.01000001.00000011
> 10101111.00011100.01000001.00000111
> 10101111.00011100.01000001.00001111
> 10101111.00011100.01000001.00011111
> 10101111.00011100.01000001.00011111
> 10101111.00011100.01000001.00111111
> 10101111.00011100.01000001.01111111
> XOR 10101111.00011100.01000001.11111111
> ------------------------------------------
> 00001010.00000100.01101110.11111111 = 10.4.110.255
HTH,
Dan
-----Original Message-----
From: Brian McGahan [mailto:brian@cyscoexpert.com]
Sent: Wednesday, March 26, 2003 8:40 AM
To: 'Kristof Ulrix'; ccielab@groupstudy.com
Subject: RE: 1 aggregated ACL
Kristof,
Yes, this list does overlap a significant amount of address
space. Like any question on the CCIE Lab exam, the answer to a question
like this depends on what the question is exactly asking. If a question
asks you to match X amount of networks in the least amount of lines
possible, the following list is valid:
Access-list 1 permit 0.0.0.0 255.255.255.255
Although it matches everything, it technically matches all the
networks in the least amount of lines, which in this case is one. If
the question is asking you to match X amount of networks in the least
amount of lines possible, while at the same time not overlapping any
address space, this is a different matter.
The logic of the answer I provided still remains however. To
compute the network you are checking, the router uses logical AND. To
compute a wildcard, it uses a logical XOR.
HTH
Brian McGahan, CCIE #8593
Director of Design and Implementation
brian@cyscoexpert.com
CyscoExpert Corporation
Internetwork Consulting & Training
Toll Free: 866.CyscoXP
Fax: 847.674.2625
> -----Original Message-----
> From: Kristof Ulrix [mailto:kristof@uk-systems.com]
> Sent: Wednesday, March 26, 2003 10:33 AM
> To: Brian McGahan; ccielab@groupstudy.com
> Subject: RE: 1 aggregated ACL
>
> Brian,
>
> this looks right but it's not:
> if we take a look at the first bytes:
>
> Bytes to be selected in ACL:
> 165
> 167
> 175
>
> Your solution is 165 with wildcard 10.
>
> But:
> network 165 10100101
> mask 10 00001010
> Matches:
> 165 10100101
> 167 10100111
> 173 10101101 <--- This was not requested
> 175 10101111
>
> This means that the 173 network will also be filtered.
>
> For the third byte your solution has a wildcard 110 (01101110b)
> It has 5 ones, this means 32 combinations will be filtered, and only 3 are
> requested.
>
> The correct solution has 2 lines in the ACL:
>
> 165.24.45.0 mask 2.0.2.255
> 175.28.65.0 mask 0.0.0.255
>
> The AND-rule is correct for the network part,
> but you can't use the XOR for the mask.
>
>
> Kristof Ulrix
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Brian
> McGahan
> Sent: Tuesday, 25 March 2003 23:45
> To: 'ccie_studying'; 'Scott M. Livingston'; ccielab@groupstudy.com
> Subject: RE: 1 aggregated ACL
>
>
> To find a network and wildcard pair, you need to use the AND and XOR
> logic gates.
>
> A AND B
> _____________
> | A | B | out |
> | 0 | 0 | 0 |
> | 0 | 1 | 0 |
> | 1 | 0 | 0 |
> | 1 | 1 | 1 |
> -------------
>
>
> A XOR B
> _____________
> | A | B | out |
> | 0 | 0 | 0 |
> | 0 | 1 | 1 |
> | 1 | 0 | 1 |
> | 1 | 1 | 0 |
> -------------
>
>
>
> Write the networks out in binary you are trying to find the list for:
>
> 165.24.45.0
> 167.24.47.0
> 175.28.65.0
>
>
> 10100101.00011000.00101101.00000000
> 10100111.00011000.00101111.00000000
> && 10101111.00011100.01000001.00000000
> ------------------------------------------
> 10100101.00011000.00000001.00000000 = 165.24.1.0
>
> ANDing them comes up with the network address.
>
>
> 10100101.00011000.00101101.00000000
> 10100111.00011000.00101111.00000000
> XOR 10101111.00011100.01000001.00000000
> ------------------------------------------
> 00001010.00000100.01101110.00000000 = 10.4.110.0
>
> XORing them comes up with the wildcard address.
>
> Therefore, the most specific match for these three networks is:
>
> 165.24.1.0 10.4.110.0
>
>
> Here's another of my threads on the same topic:
>
> http://www.groupstudy.com/archives/ccielab/200210/msg02503.html
>
>
> HTH
>
> Brian McGahan, CCIE #8593
> Director of Design and Implementation
> brian@cyscoexpert.com
>
> CyscoExpert Corporation
> Internetwork Consulting & Training
> Toll Free: 866.CyscoXP
> Fax: 847.674.2625
>
>
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > ccie_studying
> > Sent: Tuesday, March 25, 2003 2:37 PM
> > To: Scott M. Livingston; ccielab@groupstudy.com
> > Subject: Re: 1 aggregated ACL
> >
> > I think if only summarizing to one network, it should be:
> >
> > 164.24.32.0 with wildcard 15.7.15.255 or subnet mask 240.248.240.0
> >
> > ----- Original Message -----
> > From: "Scott M. Livingston" <scottl@sprinthosting.net>
> > To: <ccielab@groupstudy.com>
> > Sent: Tuesday, March 25, 2003 11:26 AM
> > Subject: 1 aggregated ACL
> >
> >
> > > This was posted on another board so I wanted to check the answer that
> > > was given. It happens to be the same answer I came up with. Also, if
> > > someone has any other teasers maybe you can post them. I am using the
> > > formula Tim Fletcher taught those of us that were doing it another way
> > > (my wrong way :)).
> > >
> > > 165.24.45.0
> > > 167.24.47.0
> > > 175.28.65.0
> > >
> > >
> > > Answer:
> > > 165.24.1.0 mask 10.4.110.255
> > >
> > > thank you,
> > > scott
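
Added example (not part of the thread and not any poster's code): a Python check of the thread's three networks. It computes the single-line pair as the AND of the addresses plus the bits on which they disagree (OR xor AND, which reproduces the 165.24.1.0 / 10.4.110.0 pair quoted above), then enumerates every /24 each ACL matches so the unrequested address space can be counted. All function and constant names are assumptions of this example.

```python
import ipaddress
from functools import reduce

MASK32 = 0xFFFFFFFF
HOSTS = 0xFF  # last octet: host bits, ignored when listing /24 networks

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def to_ip(value):
    return str(ipaddress.IPv4Address(value))

def aggregate(networks):
    """One (base, wildcard) pair covering all networks: base is the AND,
    wildcard is every bit on which the addresses disagree (OR xor AND)."""
    vals = [to_int(n) for n in networks]
    base = reduce(lambda a, b: a & b, vals)
    union = reduce(lambda a, b: a | b, vals)
    return to_ip(base), to_ip(base ^ union)

def matches(addr, base, wildcard):
    """Wildcard test: compare only the bits where the wildcard is 0."""
    care = ~to_int(wildcard) & MASK32
    return (to_int(addr) & care) == (to_int(base) & care)

def expand(base, wildcard):
    """Every /24 network the entry matches (host octet ignored)."""
    wild = to_int(wildcard) & ~HOSTS & MASK32
    nets = {to_int(base) & ~to_int(wildcard) & MASK32 & ~HOSTS}
    for bit in (1 << i for i in range(8, 32) if wild >> i & 1):
        nets |= {n | bit for n in nets}  # each wildcard bit doubles the set
    return {to_ip(n) for n in nets}

def audit(acl, requested):
    """Return (number of /24s matched, matched /24s that were not requested)."""
    matched = set().union(*(expand(b, w) for b, w in acl))
    return len(matched), sorted(matched - set(requested))

REQUESTED = ["165.24.45.0", "167.24.47.0", "175.28.65.0"]  # from the thread
ONE_LINE = [("165.24.1.0", "10.4.110.255")]                # single-line answer
TWO_LINE = [("165.24.45.0", "2.0.2.255"), ("175.28.65.0", "0.0.0.255")]

if __name__ == "__main__":
    print(aggregate(REQUESTED))
    for name, acl in (("one line", ONE_LINE), ("two lines", TWO_LINE)):
        count, extra = audit(acl, REQUESTED)
        print(name, count, "matched;", len(extra), "unrequested")
```

Run against the thread's values, the single-line entry matches 256 /24 networks, 253 of them unrequested, while the two-line list matches 5, of which 165.24.47.0 and 167.24.45.0 were not requested.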
This archive was generated by hypermail 2.1.4 : Sat Apr 05 2003 - 08:51:45 GMT-3