Creating access-lists with minimum lines

From: Rick (ccie_2003@hotmail.com)
Date: Wed Apr 09 2003 - 00:49:12 GMT-3


All,

Does anybody have some hard rules on how to create access-lists with the minimum
amount of lines? I have a document I found somewhere, but it seems to be a
little incorrect. Please let me know what you think. I would like to really
clear this issue up for a lot of people including myself :)

Thanks,
Rick

Method for calculating complex route filters

Sometimes you are asked to filter a complex set of routes using as few lines
as possible. Here we will examine a way to calculate the subnet and wildcard
for such a scenario. With some practice, you should be able to calculate any
set in 5 minutes or less. I also recommend testing your results in a lab
setting, using loopbacks and distribute-lists.

For example, say we are asked to filter the following routes using a one-line
filter:

102.17.63.0

126.22.61.0

111.22.57.0

125.33.101.0

First, make a table as shown (one row per address, one column per bit value):

                     128  64  32  16   8   4   2   1  Result
    (address)
    (address)
    Subnet
    Wildcard Mask

Then enter the decimal value of each address's first octet in the left-hand
column and convert each one to binary, one bit per column. I use Windows
Calculator set to Scientific mode to do the conversion.

                     128  64  32  16   8   4   2   1  Result
    102                0   1   1   0   0   1   1   0
    126                0   1   1   1   1   1   1   0
    111                0   1   1   0   1   1   1   1
    125                0   1   1   1   1   1   0   1
    Subnet
    Wildcard Mask

In the binary area, column by column, apply the following rules:

  1. If the column is all 0's, the subnet bit is 0 and the mask bit is 0.
  2. If the column is all 1's, the subnet bit is 1 and the mask bit is 0.
  3. If the column is a mixture of 1's and 0's, the subnet bit is 0 and the
     mask bit is 1. (A mask bit of 1 means "don't care", so the router ignores
     the subnet bit in that position; writing it as 0 is just the convention.)

The table should look like:

                     128  64  32  16   8   4   2   1  Result
    102                0   1   1   0   0   1   1   0
    126                0   1   1   1   1   1   1   0
    111                0   1   1   0   1   1   1   1
    125                0   1   1   1   1   1   0   1
    Subnet             0   1   1   0   0   1   0   0
    Wildcard Mask      0   0   0   1   1   0   1   1
Convert the binary Subnet and Wildcard Mask to decimal (add up the column
values of the 1 bits) thus:

                     128  64  32  16   8   4   2   1  Result
    102                0   1   1   0   0   1   1   0
    126                0   1   1   1   1   1   1   0
    111                0   1   1   0   1   1   1   1
    125                0   1   1   1   1   1   0   1
    Subnet             0   1   1   0   0   1   0   0     100
    Wildcard Mask      0   0   0   1   1   0   1   1      27
So far, our filter looks like: 100.xxx.xxx.xxx 27.xxx.xxx.xxx

Our second octet needs to filter 17, 22 and 33. Using the same method, our
growing filter would become: 100.0.xxx.xxx 27.55.xxx.xxx

Third octet, 57, 61, 63 and 101 result in: 100.0.33.xxx 27.55.94.xxx

The final octet is easy: all four routes are /24s, so the last octet is
entirely host bits and we allow anything there (wildcard 255). Our final
result becomes:

100.0.33.0 27.55.94.255

We can now create our access list (remember the implicit deny at the end of
every access-list, so a single deny line without a following permit blocks
everything):

access-list 1 [permit | deny] 100.0.33.0 27.55.94.255

Note that every wildcard bit set to 1 doubles the number of addresses the
line matches, so this one line matches far more than the four routes it was
built from. Check what else it lets through before using it.
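The column rule above, applied to all four octets at once, is just a bit-wise AND and OR over the addresses. This is an added example (not from the original post or the quoted document, and not Cisco code) that computes the same subnet and wildcard as the worked table, emits the access-list line, and then counts how many /24 networks the one-line filter admits beyond the four it was built from. The four routes in `ROUTES` are the ones from the text; the function and variable names are my own.

```python
# Added example, not part of the original post or the quoted document.
# Implements the text's column rule for a whole IPv4 address at once and
# measures how much more than the listed routes the one-line filter matches.
from ipaddress import IPv4Address, IPv4Network

# The four /24 routes from the text.
ROUTES = ["102.17.63.0/24", "126.22.61.0/24", "111.22.57.0/24", "125.33.101.0/24"]


def one_line_filter(prefixes):
    """Return (subnet, wildcard) dotted quads covering every prefix.

    The three rules from the text reduce to: a bit that is 1 in every network
    address stays 1 in the subnet (wildcard 0); a bit that is 0 everywhere
    stays 0 (wildcard 0); a bit that varies becomes 0 in the subnet and 1 in
    the wildcard.  Host bits of each prefix are don't-care as well, which is
    what produces the .255 last octet for /24 routes."""
    all_ones = 0xFFFFFFFF  # AND of all network addresses
    any_ones = 0           # OR of all network addresses
    host_bits = 0          # union of the host portions
    for p in prefixes:
        net = IPv4Network(p)
        v = int(net.network_address)
        all_ones &= v
        any_ones |= v
        host_bits |= int(net.hostmask)
    wildcard = (any_ones ^ all_ones) | host_bits   # bits that vary, plus host bits
    subnet = all_ones & ~wildcard & 0xFFFFFFFF      # constant-1 bits only
    return str(IPv4Address(subnet)), str(IPv4Address(wildcard))


def matches(subnet, wildcard, address):
    """True if `address` hits the line: compare only bits where the wildcard is 0."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(address)) & care) == (int(IPv4Address(subnet)) & care)


def networks_admitted(wildcard, prefix_len=24):
    """Number of distinct /prefix_len networks the line matches:
    2 ** (count of wildcard bits inside the network portion)."""
    network_part = int(IPv4Address(wildcard)) >> (32 - prefix_len)
    return 2 ** bin(network_part).count("1")


def false_positives(prefixes):
    """Networks the one-line filter admits that were never asked for."""
    _, wildcard = one_line_filter(prefixes)
    return networks_admitted(wildcard) - len(set(prefixes))


def acl_line(number, action, prefixes):
    """Render the IOS standard access-list line for the computed filter."""
    subnet, wildcard = one_line_filter(prefixes)
    return f"access-list {number} {action} {subnet} {wildcard}"


if __name__ == "__main__":
    print(acl_line(1, "permit", ROUTES))
    subnet, wildcard = one_line_filter(ROUTES)
    print("/24 networks admitted:", networks_admitted(wildcard))
    print("never requested but admitted:", false_positives(ROUTES))
    # 103.22.57.0/24 was never listed, yet it passes: bit 1 of the first
    # octet is a wildcard bit (27 = 00011011), so 102 and 103 look the same.
    print("103.22.57.0 matches:", matches(subnet, wildcard, "103.22.57.0"))
```

The wildcard 27.55.94 has 14 one-bits in the network portion, so the single line matches 2^14 = 16384 different /24 networks, of which only four were wanted. That is the trade-off behind "minimum lines": a shorter filter is a looser filter, and for a deny list that means blocking thousands of unrelated prefixes, for a permit list accepting them. When the exact set matters, a prefix-list with one entry per route is the safer configuration.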



This archive was generated by hypermail 2.1.4 : Thu May 01 2003 - 13:35:50 GMT-3