From: William Lijewski (wlijewski@cox.net)
Date: Wed Mar 31 2004 - 22:08:04 GMT-3
I'll see if I can help explain this to you.
For the third octet we have two numbers 1 and 3. Breaking them down into
binary we get:
       128  64  32  16   8   4   2   1
  1 -    0   0   0   0   0   0   0   1
  3 -    0   0   0   0   0   0   1   1
We can see that all of the bits match between 1 and 3 except for the '2
bit'. The two bit is off for 1 and on for 3. We have one bit that is
different which gives us a possible 2 networks that we can match (1^2=2). We
happen to have both of those possible networks so we can combine 1 and 3
together into a single entry. We will need to figure out what the Wildcard
mask and our standard for this octet will be.
First we will figure out the wildcard by placing a 1 in the 'I don't care'
positions and a 0 in the 'I care' positions. We will then add up the bit
total of the 'I don't care' positions.
       128  64  32  16   8   4   2   1
  1 -    0   0   0   0   0   0   0   1
  3 -    0   0   0   0   0   0   1   1
wcb -    0   0   0   0   0   0   1   0
The only bit that we don't care about is the '2 bit'. We will take the
value of that bit for our wildcard, so 2 will be our wildcard. Now we need
to figure out what our standard will be. If we have all of the possible
combinations of networks that we can match our standard will always be the
lowest numbered network. In this case 1. The other way to do it is to add
up all of the bit values of the 'I care' bits. In this case the only 'I
care' bit that is on is 1.
So for the third octet we will have 1 with a wildcard mask of 2.
Now for the fourth octet we have 2, 10, 18, and 26. If we break all of
these down into binary we get:
       128  64  32  16   8   4   2   1
  2 -    0   0   0   0   0   0   1   0
 10 -    0   0   0   0   1   0   1   0
 18 -    0   0   0   1   0   0   1   0
 26 -    0   0   0   1   1   0   1   0
If we take a look at what bits match we will see that they all match except
for two of them. Since we have 2 bits that don't match (the 16 and 8 bit) we
have four possible networks that this would match if we combined it (2^2=4).
We happen to have all four possible networks so we can combine these four
together.
Again we will figure out the wildcard by placing a 1 in the 'I don't care'
positions and a 0 in the 'I care' positions. We will then add up the bit
total of the 'I don't care' positions.
       128  64  32  16   8   4   2   1
  2 -    0   0   0   0   0   0   1   0
 10 -    0   0   0   0   1   0   1   0
 18 -    0   0   0   1   0   0   1   0
 26 -    0   0   0   1   1   0   1   0
wcb -    0   0   0   1   1   0   0   0
The bits that we don't care about are the '16 bit' and the '8 bit'. We will
take the value of those bits and add them together to get a wildcard of 24
(16+8=24). Again we need to figure out what our standard will be. We have
all of the possible combinations of networks again so our standard will be
the lowest network we are combining, in this case 2. Again we could also
take the values of the 'I care' bits and add them together. The only 'I
care' bit that is on is 2, so that would also get us our standard of 2.
So the fourth octet will have 2 with a wildcard of 24.
X.X.1.2 0.0.2.24
This will permit or deny exactly those 8 routes.
Hope that helps some,
Bill Lijewski
CCIE #8642
Network Learning Inc
5 Day R&S CCIE Bootcamp Instructor
bill@eccie.com
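
The per-octet method from the message above, as an added example that is not part of the original e-mail thread: it derives the standard and wildcard for each octet and then lists any networks the combined entry would match beyond the ones intended, which is the check that tells you whether a single ACL line is exact. All function names are hypothetical; the network list is the one from the thread.

```python
from itertools import product

def summarize_octet(values):
    """Return (standard, wildcard) for one octet.

    A bit that differs between any two values is an "I don't care" bit
    (1 in the wildcard); the standard is the sum of the "I care" bits
    that are on.
    """
    base = values[0]
    wildcard = 0
    for v in values:
        wildcard |= base ^ v
    standard = base & ~wildcard & 0xFF
    return standard, wildcard

def matched_set(standard, wildcard):
    """Every octet value (0-255) that the standard/wildcard pair matches."""
    care = ~wildcard & 0xFF
    return {o for o in range(256) if (o ^ standard) & care == 0}

def summarize_networks(networks):
    """networks: (third_octet, fourth_octet) pairs.

    Returns the third-octet entry, the fourth-octet entry, and a sorted
    list of networks the single line would match that were NOT requested.
    An empty list means the line matches exactly the given networks.
    """
    thirds = sorted({n[0] for n in networks})
    fourths = sorted({n[1] for n in networks})
    s3, w3 = summarize_octet(thirds)
    s4, w4 = summarize_octet(fourths)
    covered = set(product(matched_set(s3, w3), matched_set(s4, w4)))
    return (s3, w3), (s4, w4), sorted(covered - set(networks))

# The eight networks from the thread (last two octets only).
THREAD_NETWORKS = [(t, f) for t in (1, 3) for f in (2, 10, 18, 26)]

if __name__ == "__main__":
    third, fourth, extra = summarize_networks(THREAD_NETWORKS)
    print(f"x.x.{third[0]}.{fourth[0]} 0.0.{third[1]}.{fourth[1]}")
    print("over-matched networks:", extra)
```

If any network is missing from the full set of bit combinations, the third return value names exactly what the line would also block or permit.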
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Joseph D. Phillips
Sent: Wednesday, March 31, 2004 4:32 PM
To: Scott, Tyson C
Cc: Group Study (E-mail)
Subject: RE: Access list [bcc][faked-from]
Importance: Low
Wow, cool. Thank you.
-----Original Message-----
From: Scott, Tyson C [mailto:tyson.scott@hp.com]
Sent: Wednesday, March 31, 2004 16:31
To: Scott, Tyson C; Joseph D. Phillips; Group Study (E-mail)
Subject: RE: Access list
Sorry let me write that better
Access-list 1 deny x.x.1.2 0.0.2.24
Access-list 1 permit any
Regards,
Tyson Scott
Agilent Problem Management Team
Managed Network Services
Phone: 313-583-5812
Pager: 877-997-0811
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Scott, Tyson C
Sent: Wednesday, March 31, 2004 7:27 PM
To: Joseph D. Phillips; Group Study (E-mail)
Subject: RE: Access list
Then here is your answer if only the specific networks.
In binary it looks like:
1 2 00000001 00000010
1 10 00000001 00001010
1 18 00000001 00010010
1 26 00000001 00011010
3 2 00000011 00000010
3 10 00000011 00001010
3 18 00000011 00010010
3 26 00000011 00011010
1.2 2.24
This will match and nothing more
The logic is make the network statement the highest possible network
statement. Then the and/or logic is the bits 8 and 16. As you can see
the listed subnets use every combination of bits 8 and 16
Read the document again and again. It took me a while to understand it.
Regards,
Tyson Scott
Agilent Problem Management Team
Managed Network Services
Phone: 313-583-5812
Pager: 877-997-0811
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Joseph D. Phillips
Sent: Wednesday, March 31, 2004 7:08 PM
To: Group Study (E-mail)
Subject: Access list
Yeah, I read that first before posting. It doesn't help because it only
describes how to summarize two or more networks into one statement,
irrespective of which networks might also be affected.
I understand the concept of ANDing and XORing, but I don't know which
lines to group together.
-----Original Message-----
From: Scott, Tyson C [mailto:tyson.scott@hp.com]
Sent: Wednesday, March 31, 2004 16:05
To: Joseph D. Phillips
Subject: RE: Access list
http://www.internetworkexpert.com/resources/01700370.htm
Use this link. This is how I began to understand the concept
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Joseph D. Phillips
Sent: Wednesday, March 31, 2004 6:52 PM
To: Group Study (E-mail)
Subject: Access list
I've spent the entire afternoon on a single access list and still can't
figure out the logic. I've looked up articles, and converted everything
to binary and still can't make sense of this.
Given the following networks (last two octets relevant), I need to block
them all in as few lines as possible. Some of you people can do this in
your heads. Simpletons like me, however, can't.
These are the networks:
1.2
1.10
1.18
1.26
3.2
3.10
3.18
3.26
In binary it looks like:
1 2 00000001 00000010
1 10 00000001 00001010
1 18 00000001 00010010
1 26 00000001 00011010
3 2 00000011 00000010
3 10 00000011 00001010
3 18 00000011 00010010
3 26 00000011 00011010
What do I do after that? I know how to summarize them all into one
statement, but I need specific deny statements that only apply to the
networks to be blocked and to none else.