From: Scott Morris (swm@emanon.com)
Date: Tue Sep 30 2003 - 11:49:10 GMT-3
Success rate varies by exam. :) Study time as well. I have been an
instructor for going on four years now, and teaching various courses
assists in preparing for the exam by keeping things fairly fresh in my
head. So my study techniques are a little different than most would go
through!
One of the nice things for the CCIE stuff is that for the most part
there is an incremental nature to them. By that, I mean that once you
get the R&S stuff down well, moving into security is an incremental
leap. A network is still a network. A routing protocol is still a
routing protocol. You're just adding a few extra things along the way.
Same thing with Service Provider. You're adding MPLS, but some of the
other underlying things are still the same they always were just with a
few additions!
Not to say that any of them are easy ('cause they aren't!) but after
you've dove in headfirst down one track, coming to the surface and
moving to another isn't as much of a leap as the first one.
I did a little article on some preparation methods for Packet magazine
earlier this year. It may be worthwhile to you. Hope to see you here!
Enjoy the journey!
http://www.cisco.com/en/US/about/ac123/ac114/ac173/ac222/about_cisco_packet_department09186a0080142dfb.html
Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713,
CISSP, JNCIS, et al.
IPExpert CCIE Program Manager
IPExpert Sr. Technical Instructor
swm@emanon.com/smorris@ipexpert.net
http://www.ipexpert.net
-----Original Message-----
From: Kenneth Wygand [mailto:KWygand@customonline.com]
Sent: Tuesday, September 30, 2003 10:33 AM
To: Scott Morris; Daniel Sheedy; ccielab@groupstudy.com
Cc: Casey, Paul (6822)
Subject: RE: Access list filter in the shortest lines possible.
Good point Scott. Having passed four of these incredible exams of which
most people spend a lifetime trying for one, you must have a pretty
solid understanding of what the proctors are looking for!
Do you mind if I ask you how long it took you to study for your exams,
how your success rate was, and/or any other information related to your
success? You must have an amazing story with all those achievements...
See you there one day... :)
Kenneth E. Wygand
Systems Engineer, Project Services
CISSP #37102, CCNP, CCDP, MCP 2000, CNA 5.1, Network+, A+
Custom Computer Specialists, Inc.
"It's not just about ending up where you want to be, it's about making
the most of the trip there." -Anonymous
-----Original Message-----
From: Scott Morris [mailto:swm@emanon.com]
Sent: Tuesday, September 30, 2003 10:23 AM
To: 'Daniel Sheedy'; ccielab@groupstudy.com
Cc: 'Casey, Paul (6822)'
Subject: RE: Access list filter in the shortest lines possible.
That's not pretty. Be careful to not lose the points...
Your answer:
Access-list 1 [permit | deny] 100.0.33.0 27.55.94.255
Original problem:
> > For example, say we are asked to filter the following routes using
> > the shortest number of lines possible
> >
> > 102.17.63.0
> > 126.22.61.0
> > 111.22.57.0
> > 125.33.101.0
> >
> > Can someone tell me the best access list to use to filter these
> > networks.
You have the gist of the idea down, but look at your solution. For the
first part, if you EVER end up with a starting network in your ACL that
doesn't match one of the things you were given to match in the
beginning, then that should indicate you have a problem. You will allow
more to come through than those you are trying to match.
Looking at your mask:
27 = 00011011 = 4 bits
55 = 00110111 = 5 bits
94 = 01011110 = 5 bits
So you are trying to summarize four networks with a mask that will allow
2^14 potential matches through. Last time I checked, 2^14 was more than
4! So in using the shortest number of lines possible from a pure
mathematical standpoint, you are allowing far more matches than those
four you are trying to filter. Is this a problem???
Depending on your scenarios, absolutely. Ask the proctor for
clarification on that if you feel like it, but the very clear response
I've received in the past (multiple occasions) is the most specific
match without extraneous matches. Watch the wording on your lab, and
certainly make sure that you don't infringe upon any other routes that
exist in your network. With 2^14 possible matches (2^14 - 4 extraneous
ones) you have a high chance of hitting something you shouldn't!
You should always have as few bits of difference (mask bits) as possible
and may have to create statements to avoid those extraneous matches.
(e.g. if you have three bits of difference (2^3 = 8 matches) but only 6
networks to match, create a deny/permit statement to avoid the 2 extra
matches, then your inclusive match). But with as many bits of difference
as you've discovered here, that is not technically feasible.
The shortest way to summarize these four specific routes is to list them
separately. You cannot join any of them together without having to
create a huge "exception list" that goes far beyond a total of four
statements.
Again, watch the wording of your scenario, and ask the proctor if you
have any doubts. Your approach to obtaining the answer is correct,
however the derived answer is not feasible for either real-world or the
CCIE lab.
Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713,
CISSP, JNCIS, et al.
IPExpert CCIE Program Manager
IPExpert Sr. Technical Instructor
swm@emanon.com/smorris@ipexpert.net
http://www.ipexpert.net
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Daniel Sheedy
Sent: Tuesday, September 30, 2003 6:06 AM
To: ccielab@groupstudy.com
Cc: Casey, Paul (6822)
Subject: Re: Access list filter in the shortest lines possible.
Hi Paul,
Here is a document I had in my folder (no idea where it came from) but
it is great for this type of thing.
Cheers
Daniel Sheedy
Method for calculating complex route filters
Sometimes you are asked to filter a complex set of routes using as few
lines as possible. Here we will examine a way to calculate the subnet
and wildcard for such a scenario. With some practice, you should be
able to calculate any set in 5 minutes or less. I also recommend
testing your results in a lab setting, using loopbacks and
distribute-lists.
For example, say we are asked to filter the following routes using a
one-line filter:
102.17.63.0
126.22.61.0
111.22.57.0
125.33.101.0
First, make a table as shown:
                128   64   32   16    8    4    2    1   Result
Subnet
Wildcard Mask
Then, enter the decimal digits from the first octet in the left-hand
column. Convert each number to binary. I use Windows Calculator set to
Scientific Mode to do the conversion.
                128   64   32   16    8    4    2    1   Result
102               0    1    1    0    0    1    1    0
126               0    1    1    1    1    1    1    0
111               0    1    1    0    1    1    1    1
125               0    1    1    1    1    1    0    1
Subnet
Wildcard Mask
In the binary area, column by column, apply the following rules:
1. If the column is all 0's, the subnet is 0, and the mask is 0
2. If the column is all 1's, the subnet is 1, and the mask is 0
3. If the column is a mixture of 1's and 0's, the subnet is 0, and
   the mask is 1.
The table should look like:
                128   64   32   16    8    4    2    1   Result
102               0    1    1    0    0    1    1    0
126               0    1    1    1    1    1    1    0
111               0    1    1    0    1    1    1    1
125               0    1    1    1    1    1    0    1
Subnet            0    1    1    0    0    1    0    0
Wildcard Mask     0    0    0    1    1    0    1    1
Convert the binary Subnet and Wildcard Mask to decimal thus:
                128   64   32   16    8    4    2    1   Result
102               0    1    1    0    0    1    1    0
126               0    1    1    1    1    1    1    0
111               0    1    1    0    1    1    1    1
125               0    1    1    1    1    1    0    1
Subnet            0    1    1    0    0    1    0    0   100
Wildcard Mask     0    0    0    1    1    0    1    1   27
So far, our filter looks like: 100.xxx.xxx.xxx 27.xxx.xxx.xxx
Our second octet needs to filter 17, 22 and 33. Using the same method,
our growing filter would become: 100.0.xxx.xxx 27.55.xxx.xxx
Third octet, 57, 61, 63 and 101 result in: 100.0.33.xxx 27.55.94.xxx
The final octet is easy, since we will allow anything. So our final
result becomes:
100.0.33.0 27.55.94.255
We can now create our access list:
Access-list 1 [permit | deny] 100.0.33.0 27.55.94.255
----- Original Message -----
From: "Casey, Paul (6822)" <Paul.Casey@o2.com>
To: <ccielab@groupstudy.com>
Sent: Tuesday, September 30, 2003 10:42 AM
Subject: RE: Access list filter in the shortest lines possible.
> > Hello,
> >
> > For example, say we are asked to filter the following routes using
> > the shortest number of lines possible
> >
> > 102.17.63.0
> > 126.22.61.0
> > 111.22.57.0
> > 125.33.101.0
> >
> > Can someone tell me the best access list to use to filter these
> > networks.
> >
> > Thanks in advance.
> > Kind regards.
> >
This archive was generated by hypermail 2.1.4 : Wed Oct 01 2003 - 07:24:40 GMT-3
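
Added example, not part of the original thread: a short Python audit that applies the column rules from the pasted document to the four routes and then counts how many /24 networks the resulting single line matches, which is the over-match raised in the reply about 2^14 potential matches. The function names are this example's own.

```python
from functools import reduce
from itertools import product

ROUTES = ["102.17.63.0", "126.22.61.0", "111.22.57.0", "125.33.101.0"]

def to_octets(addr):
    return [int(part) for part in addr.split(".")]

def column_filter(routes):
    """Column rules from the thread: an all-0 or all-1 column gives wildcard
    bit 0; a mixed column gives wildcard bit 1 and base bit 0.
    The last octet is treated as 'match anything' (base 0, wildcard 255)."""
    rows = [to_octets(r) for r in routes]
    base, wild = [], []
    for i in range(3):
        col = [row[i] for row in rows]
        common_ones = reduce(lambda a, b: a & b, col)  # bits set in every route
        any_ones = reduce(lambda a, b: a | b, col)     # bits set in some route
        base.append(common_ones)
        wild.append(common_ones ^ any_ones)            # mixed columns only
    return base + [0], wild + [255]

def octet_ok(value, b, w):
    # Wildcard semantics: every bit where the wildcard is 0 must equal the base.
    return ((value ^ b) & ~w & 0xFF) == 0

def acl_matches(addr, base, wild):
    return all(octet_ok(a, b, w) for a, b, w in zip(to_octets(addr), base, wild))

def matched_networks(base, wild):
    """Enumerate every /24 (first three octets) that the one-line filter matches."""
    per_octet = [[v for v in range(256) if octet_ok(v, b, w)]
                 for b, w in zip(base[:3], wild[:3])]
    return [f"{a}.{b}.{c}.0" for a, b, c in product(*per_octet)]

def audit(routes):
    base, wild = column_filter(routes)
    nets = matched_networks(base, wild)
    dotted = lambda octs: ".".join(map(str, octs))
    return {
        "line": f"{dotted(base)} {dotted(wild)}",
        "matched": len(nets),
        "extraneous": len(set(nets) - set(routes)),
        "all_routes_matched": all(acl_matches(r, base, wild) for r in routes),
        "base_is_a_given_route": dotted(base) in routes,
    }

if __name__ == "__main__":
    for key, value in audit(ROUTES).items():
        print(f"{key}: {value}")
```

Running the same audit against a candidate filter before applying it shows whether the base address is one of the intended networks and how many unintended prefixes the line would also match.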