RE: Question about "right" math in calculating ACL

From: Brian McGahan (bmcgahan@internetworkexpert.com)
Date: Fri Oct 17 2003 - 17:57:44 GMT-3


Tsvetan,

        Based on your network and wildcard, the resulting network that
actually shows up in the config is the logical AND of what you entered.
Also, the number of addresses being checked is proportional to the
number of bits set in the wildcard. For more info:

http://www.internetworkexpert.com/resources/01700370.htm

HTH,

Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com

Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 708-362-1418 (Outside the US and Canada)

> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Tsvetan Bratinov
> Sent: Wednesday, October 15, 2003 4:13 AM
> To: ccielab@groupstudy.com; nobody@groupstudy.com
> Subject: Question about "right" math in calculating ACL
>
> Hi group,
> I have a question about ACL
> In CCIE Practical studies Vol.1 in scenario Darth Reidis is such a
> question:
>
> Deny with as few lines as possible.
>
> Deny FTP,HTTP from 131.24.194.x
> Deny FTP,HTTP from 131.25.194.x
> Deny FTP,HTTP from 135.152.1.1
> Deny FTP,HTTP from 227.24.195.x
> Deny FTP,HTTP from 131.24.194.x
> Deny FTP,HTTP from 131.24.196.x
>
> When I do the binary math it looks like :
> 10000011.00011000.11000010.x
> 10000011.00011001.11000010.x
> 10000111.10011000.00000001.0000001
> 11100011.00011000.11000010.x
> 10000011.00011000.11000011.x
> 10000011.00011000.11000100.x
>
> and now becomes the nightmare:
> 1. Can I perform this in single line or I need to exclude the
> 135.152.1.1 from the math and to put it on single ACL line ?
> 2. When there is don't care in the calculated address I can choose 1
> instead of 0.
> For example the first octet can be 10000011 with mask 01100100 and it
> can be 11100111
> with mask 01100100. Am I wrong ? Is there rule about that ?
>
> Best regards
> Tsvetan Bratinov
> IT Specialist, IBM Bulgaria
> CCNP,CNE
>
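
An added example, not part of either message: it computes how an address/wildcard pair is stored (address bits under a wildcard 1 are cleared), how many addresses an entry matches (2 to the power of the wildcard bits set), and the tightest single entry covering the sources listed in the question, so the over-match of a one-line summary can be checked before it is applied. The per-entry wildcards (0.0.0.255 for the ".x" sources, 0.0.0.0 for the host) and all function names are assumptions made for this illustration.

```python
import ipaddress

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def to_str(value):
    return str(ipaddress.IPv4Address(value))

def normalize(addr, wildcard):
    """Entry as it would be stored: address bits under a wildcard 1 are cleared."""
    w = to_int(wildcard)
    return to_str(to_int(addr) & ~w & 0xFFFFFFFF), wildcard

def matched_count(wildcard):
    """Each wildcard bit set doubles the number of addresses matched."""
    return 2 ** bin(to_int(wildcard)).count("1")

def matches(entry, ip):
    """True if ip agrees with the entry on every bit the wildcard does not ignore."""
    a, w = to_int(entry[0]), to_int(entry[1])
    return (to_int(ip) | w) == (a | w)

def summarize(entries):
    """Tightest single address/wildcard pair that covers every entry."""
    base = to_int(entries[0][0])
    wild = 0
    for addr, w in entries:
        wild |= to_int(w) | (to_int(addr) ^ base)
    return normalize(to_str(base), to_str(wild))

# Sources taken from the question; the per-entry wildcards are assumptions.
NETS_131 = [("131.24.194.0", "0.0.0.255"),
            ("131.25.194.0", "0.0.0.255"),
            ("131.24.196.0", "0.0.0.255")]
ALL_SOURCES = NETS_131 + [("135.152.1.1", "0.0.0.0"),
                          ("227.24.195.0", "0.0.0.255")]

if __name__ == "__main__":
    for name, group in (("131.x only", NETS_131), ("all sources", ALL_SOURCES)):
        entry = summarize(group)
        wanted = sum(matched_count(w) for _, w in group)
        print(f"{name}: {entry[0]} {entry[1]} matches "
              f"{matched_count(entry[1])} addresses, {wanted} intended")
    # Same stored entry whether 131 or 231 is typed under first-octet wildcard 100
    print(normalize("131.24.194.0", "100.0.0.255"),
          normalize("231.24.194.0", "100.0.0.255"))
```

Comparing the matched count with the intended count shows how far a single-line summary reaches beyond the listed sources, which is the figure to weigh before trading lines for breadth in a deny list.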



This archive was generated by hypermail 2.1.4 : Mon Nov 24 2003 - 07:53:04 GMT-3