RE: Creating access-lists with minimum lines

From: Brian McGahan (brian@cyscoexpert.com)
Date: Wed Apr 09 2003 - 12:25:24 GMT-3


Rick,

        Yes, technically that explanation is correct, but it's
complicating the issue too much. The router computes access-list and
wildcard pairs based on the AND and XOR logic gates.

        Attached is the thread '1 aggregated ACL' which covers this
issue. This thread is not yet in the archives. For a more detailed
explanation beyond this, see:

http://www.groupstudy.com/archives/ccielab/200210/msg02503.html

HTH

Brian McGahan, CCIE #8593
Director of Design and Implementation
brian@cyscoexpert.com

CyscoExpert Corporation
Internetwork Consulting & Training
Toll Free: 866-CyscoXP
Outside US: 847.674.3392
Fax: 847.674.2625

> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Brian McGahan
> Sent: Thursday, March 27, 2003 3:53 PM
> To: 'Daniel Garrity'; 'Kristof Ulrix'; ccielab@groupstudy.com
> Subject: RE: 1 aggregated ACL
>
> Daniel,
>
> Yes, that is true if you are looking for networks with anything
> in the last octet. Like I said, as with any CCIE question, it depends
> on how the question is worded.
>
> Suppose you are asked to deny the network 10.0.0.0 from being
> advertised to a neighbor. You are denying much more than just 10.0.0.0
> if your access-list reads:
>
> access-list 1 deny 10.0.0.0 0.255.255.255
> access-list 1 permit any
>
>
>
> HTH
>
> Brian McGahan, CCIE #8593
> Director of Design and Implementation
> brian@cyscoexpert.com
>
> CyscoExpert Corporation
> Internetwork Consulting & Training
> Toll Free: 866.CyscoXP
> Fax: 847.674.2625
>
>
> > -----Original Message-----
> > From: Daniel Garrity [mailto:ccie@garrityfamily.com]
> > Sent: Thursday, March 27, 2003 3:03 PM
> > To: Brian McGahan; Kristof Ulrix; ccielab@groupstudy.com
> > Subject: RE: 1 aggregated ACL
> >
> > Great explanation! There is, however, one change I would make.
> >
> >
> >
> > The mask should be 10.4.110.255. Remember that the last octet is to
> > be the entire subnet range. So the below example is actually for address
> > 0-255 in the last octet. So it should look like this.
> >
> > > 10100101.00011000.00101101.00000000
> > > 10100101.00011000.00101101.00000001
> > > 10100101.00011000.00101101.00000011
> > > 10100101.00011000.00101101.00000111
> > > 10100101.00011000.00101101.00001111
> > > 10100101.00011000.00101101.00011111
> > > 10100101.00011000.00101101.00011111
> > > 10100101.00011000.00101101.00111111
> > > 10100101.00011000.00101101.01111111
> > > 10100101.00011000.00101101.11111111
> >
> >
> > > 10100111.00011000.00101111.00000000
> > > 10100111.00011000.00101111.00000001
> > > 10100111.00011000.00101111.00000011
> > > 10100111.00011000.00101111.00000111
> > > 10100111.00011000.00101111.00001111
> > > 10100111.00011000.00101111.00011111
> > > 10100111.00011000.00101111.00011111
> > > 10100111.00011000.00101111.00111111
> > > 10100111.00011000.00101111.01111111
> > > 10100111.00011000.00101111.11111111
> >
> >
> > > 10101111.00011100.01000001.00000000
> > > 10101111.00011100.01000001.00000001
> > > 10101111.00011100.01000001.00000011
> > > 10101111.00011100.01000001.00000111
> > > 10101111.00011100.01000001.00001111
> > > 10101111.00011100.01000001.00011111
> > > 10101111.00011100.01000001.00011111
> > > 10101111.00011100.01000001.00111111
> > > 10101111.00011100.01000001.01111111
> > > && 10101111.00011100.01000001.11111111
> >
> > > ------------------------------------------
> > > 10100101.00011000.00000001.00000000 = 165.24.1.0
> > >
> > > ANDing them comes up with the network address.
> > >
> > > 10100101.00011000.00101101.00000000
> > > 10100101.00011000.00101101.00000001
> > > 10100101.00011000.00101101.00000011
> > > 10100101.00011000.00101101.00000111
> > > 10100101.00011000.00101101.00001111
> > > 10100101.00011000.00101101.00011111
> > > 10100101.00011000.00101101.00011111
> > > 10100101.00011000.00101101.00111111
> > > 10100101.00011000.00101101.01111111
> > > 10100101.00011000.00101101.11111111
> >
> >
> > > 10100111.00011000.00101111.00000000
> > > 10100111.00011000.00101111.00000001
> > > 10100111.00011000.00101111.00000011
> > > 10100111.00011000.00101111.00000111
> > > 10100111.00011000.00101111.00001111
> > > 10100111.00011000.00101111.00011111
> > > 10100111.00011000.00101111.00011111
> > > 10100111.00011000.00101111.00111111
> > > 10100111.00011000.00101111.01111111
> > > 10100111.00011000.00101111.11111111
> >
> >
> > > 10101111.00011100.01000001.00000000
> > > 10101111.00011100.01000001.00000001
> > > 10101111.00011100.01000001.00000011
> > > 10101111.00011100.01000001.00000111
> > > 10101111.00011100.01000001.00001111
> > > 10101111.00011100.01000001.00011111
> > > 10101111.00011100.01000001.00011111
> > > 10101111.00011100.01000001.00111111
> > > 10101111.00011100.01000001.01111111
> > > XOR 10101111.00011100.01000001.11111111
> > > ------------------------------------------
> > > 00001010.00000100.01101110.11111111 = 10.4.110.255
> >
> >
> >
> > HTH,
> >
> >
> > Dan
> >
> >
> >
> >
> >
> > -----Original Message-----
> > From: Brian McGahan [mailto:brian@cyscoexpert.com]
> > Sent: Wednesday, March 26, 2003 8:40 AM
> > To: 'Kristof Ulrix'; ccielab@groupstudy.com
> > Subject: RE: 1 aggregated ACL
> >
> >
> > Kristof,
> >
> > Yes, this list does overlap a significant amount of address
> > space. Like any question on the CCIE Lab exam, the answer to a question
> > like this depends on what the question is exactly asking. If a question
> > asks you to match X amount of networks in the least amount of lines
> > possible, the following list is valid:
> >
> > access-list 1 permit 0.0.0.0 255.255.255.255
> >
> > Although it matches everything, it technically matches all the
> > networks in the least amount of lines, which in this case is one. If
> > the question is asking you to match X amount of networks in the least
> > amount of lines possible, while at the same time not overlapping any
> > address space, this is a different matter.
> >
> > The logic of the answer I provided still remains however. To
> > compute the network you are checking, the router uses logical AND. To
> > compute a wildcard, it uses a logical XOR.
> >
> >
> > HTH
> >
> > Brian McGahan, CCIE #8593
> > Director of Design and Implementation
> > brian@cyscoexpert.com
> >
> > CyscoExpert Corporation
> > Internetwork Consulting & Training
> > Toll Free: 866.CyscoXP
> > Fax: 847.674.2625
> >
> >
> > > -----Original Message-----
> > > From: Kristof Ulrix [mailto:kristof@uk-systems.com]
> > > Sent: Wednesday, March 26, 2003 10:33 AM
> > > To: Brian McGahan; ccielab@groupstudy.com
> > > Subject: RE: 1 aggregated ACL
> > >
> > > Brian,
> > >
> > > this looks right but it's not:
> > > if we take a look at the first bytes:
> > >
> > > Bytes to be selected in ACL:
> > > 165
> > > 167
> > > 175
> > >
> > > Your solution is 165 with wildcard 10.
> > >
> > > But:
> > > network 165 10100101
> > > mask 10 00001010
> > > Matches:
> > > 165 10100101
> > > 167 10100111
> > > 173 10101101 <--- This was not requested
> > > 175 10101111
> > >
> > > This means that the 173 network will also be filtered.
> > >
> > > For the third byte your solution has a wildcard 110 (01101110b).
> > > It has 5 ones, this means 32 combinations will be filtered, and only 3
> > > are requested.
> > >
> > > The correct solution has 2 lines in the ACL:
> > >
> > > 165.24.45.0 mask 2.0.2.255
> > > 175.28.65.0 mask 0.0.0.255
> > >
> > > The AND-rule is correct for the network part,
> > > but you can't use the XOR for the mask.
> > >
> > >
> > > Kristof Ulrix
> > >
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > Brian McGahan
> > > Sent: Tuesday, March 25, 2003 23:45
> > > To: 'ccie_studying'; 'Scott M. Livingston'; ccielab@groupstudy.com
> > > Subject: RE: 1 aggregated ACL
> > >
> > >
> > > To find a network and wildcard pair, you need to use the AND and XOR
> > > logic gates.
> > >
> > > A AND B
> > > _____________
> > > | A | B | out |
> > > | 0 | 0 | 0 |
> > > | 0 | 1 | 0 |
> > > | 1 | 0 | 0 |
> > > | 1 | 1 | 1 |
> > > -------------
> > >
> > >
> > > A XOR B
> > > _____________
> > > | A | B | out |
> > > | 0 | 0 | 0 |
> > > | 0 | 1 | 1 |
> > > | 1 | 0 | 1 |
> > > | 1 | 1 | 0 |
> > > -------------
> > >
> > >
> > >
> > > Write out in binary the networks you are trying to find the list for:
> > >
> > > 165.24.45.0
> > > 167.24.47.0
> > > 175.28.65.0
> > >
> > >
> > > 10100101.00011000.00101101.00000000
> > > 10100111.00011000.00101111.00000000
> > > && 10101111.00011100.01000001.00000000
> > > ------------------------------------------
> > > 10100101.00011000.00000001.00000000 = 165.24.1.0
> > >
> > > ANDing them comes up with the network address.
> > >
> > >
> > > 10100101.00011000.00101101.00000000
> > > 10100111.00011000.00101111.00000000
> > > XOR 10101111.00011100.01000001.00000000
> > > ------------------------------------------
> > > 00001010.00000100.01101110.00000000 = 10.4.110.0
> > >
> > > XORing them comes up with the wildcard address.
> > >
> > > Therefore, the most specific match for these three networks is:
> > >
> > > 165.24.1.0 10.4.110.0
> > >
> > >
> > > Here's another of my threads on the same topic:
> > >
> > > http://www.groupstudy.com/archives/ccielab/200210/msg02503.html
> > >
> > >
> > > HTH
> > >
> > > Brian McGahan, CCIE #8593
> > > Director of Design and Implementation
> > > brian@cyscoexpert.com
> > >
> > > CyscoExpert Corporation
> > > Internetwork Consulting & Training
> > > Toll Free: 866.CyscoXP
> > > Fax: 847.674.2625
> > >
> > >
> > > > -----Original Message-----
> > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > > ccie_studying
> > > > Sent: Tuesday, March 25, 2003 2:37 PM
> > > > To: Scott M. Livingston; ccielab@groupstudy.com
> > > > Subject: Re: 1 aggregated ACL
> > > >
> > > > I think if only summarizing to one network, it should be:
> > > >
> > > > 164.24.32.0 with wildcard 15.7.15.255 or subnet mask 240.248.240.0
> > > >
> > > > ----- Original Message -----
> > > > From: "Scott M. Livingston" <scottl@sprinthosting.net>
> > > > To: <ccielab@groupstudy.com>
> > > > Sent: Tuesday, March 25, 2003 11:26 AM
> > > > Subject: 1 aggregated ACL
> > > >
> > > >
> > > > > This was posted on another board so I wanted to check the answer that
> > > > > was given. It happens to be the same answer I came up with. Also, if
> > > > > someone has any other teasers maybe you can post them. I am using the
> > > > > formula Tim Fletcher taught those of us that were doing it another way
> > > > > (my wrong way :)).
> > > > >
> > > > > 165.24.45.0
> > > > > 167.24.47.0
> > > > > 175.28.65.0
> > > > >
> > > > >
> > > > > Answer:
> > > > > 165.24.1.0 mask 10.4.110.255
> > > > >
> > > > > thank you,
> > > > > scott

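The thread above works the AND/XOR arithmetic by hand and then argues about how much address space the resulting one-line ACL really matches. The following script is an added example, not part of the archived thread or of any poster's answer. It builds the single address/wildcard pair for a list of networks (AND for the shared bits, OR of the bits that differ from the first network for the wildcard, plus the host bits of the prefix), then enumerates every /24 that the line actually matches so the overlap can be checked rather than estimated. It generalises beyond the thread's three /24s to any prefix length and any number of networks; function names, the REQUESTED constant and the two-line ACL it compares against are this example's own choices, not IOS syntax.

```python
"""Wildcard-mask arithmetic for Cisco standard ACLs.

Added example (not from the thread). Computes the single address/wildcard
pair covering a list of networks, enumerates every prefix that pair
matches, and reports how many of them were never requested.
"""
import ipaddress
from itertools import product

# The three networks discussed in the thread (input taken from the posts).
REQUESTED = ["165.24.45.0", "167.24.47.0", "175.28.65.0"]


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def _to_dotted(value):
    return str(ipaddress.IPv4Address(value))


def aggregate(networks, prefixlen=24):
    """Return (address, wildcard) for one ACL line matching every network.

    address  = bitwise AND of all networks (the bits they have in common)
    wildcard = 1 wherever any network differs from the first one, plus the
               host bits below the prefix length (the last octet for /24s)
    """
    ints = [_to_int(n) for n in networks]
    address = ints[0]
    differing = 0
    for n in ints[1:]:
        address &= n
        differing |= n ^ ints[0]
    host_bits = (1 << (32 - prefixlen)) - 1
    wildcard = differing | host_bits
    return _to_dotted(address), _to_dotted(wildcard)


def matches(address, wildcard, ip):
    """True if 'address wildcard' matches ip: bits where the wildcard is 0
    must be equal, bits where it is 1 are ignored."""
    differ = _to_int(address) ^ _to_int(ip)
    return (differ & ~_to_int(wildcard)) == 0


def covered_prefixes(address, wildcard, prefixlen=24):
    """Enumerate every /prefixlen network the ACL line matches."""
    shift = 32 - prefixlen
    net_wild = _to_int(wildcard) >> shift          # wildcard bits inside the prefix
    base = (_to_int(address) >> shift) & ~net_wild  # canonical (cleared) address bits
    positions = [b for b in range(prefixlen) if (net_wild >> b) & 1]
    result = []
    # Each wildcard bit doubles the number of matched prefixes.
    for bits in product((0, 1), repeat=len(positions)):
        value = base
        for pos, bit in zip(positions, bits):
            value |= bit << pos
        result.append(f"{_to_dotted(value << shift)}/{prefixlen}")
    return sorted(result)


def overlap(acl, requested, prefixlen=24):
    """Return (covered, extra): all prefixes matched by the ACL lines, and
    the subset that was not in the requested list."""
    covered = set()
    for address, wildcard in acl:
        covered.update(covered_prefixes(address, wildcard, prefixlen))
    wanted = {f"{n}/{prefixlen}" for n in requested}
    return sorted(covered), sorted(covered - wanted)


if __name__ == "__main__":
    addr, wild = aggregate(REQUESTED)
    covered, extra = overlap([(addr, wild)], REQUESTED)
    print(f"access-list 1 permit {addr} {wild}")
    print(f"  -> matches {len(covered)} /24s, {len(extra)} of them not requested")

    two_line = [aggregate(REQUESTED[:2]), aggregate(REQUESTED[2:])]
    covered, extra = overlap(two_line, REQUESTED)
    for a, w in two_line:
        print(f"access-list 2 permit {a} {w}")
    print(f"  -> matches {len(covered)} /24s, extra: {extra}")
```

Running it reproduces the 165.24.1.0 10.4.110.255 line from the thread and shows why the reply calling it too broad is right: eight wildcard bits fall inside the first three octets, so the line matches 256 /24s (173.24.1.0 among them) for the three that were asked for. The two-line alternative from the thread comes out as 165.24.45.0 2.0.2.255 plus 175.28.65.0 0.0.0.255 and still admits two /24s that were not requested, which is the kind of check worth doing before a "minimum lines" ACL is pasted into a route filter.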


This archive was generated by hypermail 2.1.4 : Thu May 01 2003 - 13:35:50 GMT-3