From: Scott Morris (swm@emanon.com)
Date: Tue Apr 20 2004 - 16:27:42 GMT-3
The .8 for a mask would only allow variants on the one bit (in the 8
position).
.7, which I assume you meant, would cover from .0 through .7, but would not
include .8. The XOR part helps determine what is indeed different and you
can further group things from there. But working bit by bit gives you the
most accurate answers. It also helps you learn the excitement of counting
to 1. :)
Scott
-----Original Message-----
From: Sam [mailto:samccie2004@yahoo.co.uk]
Sent: Tuesday, April 20, 2004 1:49 PM
To: swm@emanon.com; 'Bayraktar, Ersoy'
Cc: ccielab@groupstudy.com
Subject: RE: access-list question
I agree !
I was not sure whether I should use XOR result or cut it down to 192.168.0.0
0.0.8.0. If the latter is correct, why is XOR not coming up with the best
match in terms of not including too many subnets?
I guess, I am thinking about a scenario that would require one ACL with
minimum "wasted" subnets.
Thanks in advance
Sam
-----Original Message-----
From: Scott Morris [mailto:swm@emanon.com]
Sent: 20 April 2004 20:43
To: samccie2004@yahoo.co.uk; 'Bayraktar, Ersoy'
Cc: ccielab@groupstudy.com
Subject: RE: access-list question
That would be a correct mask... But it would also match 0, 9, 10 and 11.
Sooo....
If we're taking the path of allowing extra networks anyway, why not take the
easy way and just forget the XORing and pick the sliding mask. 192.168.0.0
0.0.15.0? Same logic, easier for most people to see that bit boundary idea.
Be specific. If it requires you to do it in one statement, it will tell you
that. If it just says as few as possible, be specific.
Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, CISSP,
JNCIS, et al.
IPExpert CCIE Program Manager
IPExpert Sr. Technical Instructor
swm@emanon.com/smorris@ipexpert.net
http://www.ipexpert.net
-----Original Message-----
From: Sam [mailto:samccie2004@yahoo.co.uk]
Sent: Tuesday, April 20, 2004 1:13 PM
To: Scott Morris; 'Bayraktar, Ersoy'
Cc: ccielab@groupstudy.com
Subject: RE: access-list question
Applying a logical XOR, would the below be correct?
1 0000 0001
2 0000 0010
3 0000 0011
8 0000 1000
-----------------
0000 1011
Resulting in 192.168.0.0 0.0.11.0. Is this correct?
Thanks
Sam
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of Scott
Morris
Sent: 20 April 2004 16:51
To: 'Bayraktar, Ersoy'
Cc: ccielab@groupstudy.com
Subject: RE: access-list question
To permit no extra nets, the minimum number of statements would be three.
1.0 by itself, 2.0 with a mask of 0.0.1.0 (catching 2 and 3) and 8.0 by
itself.
You can also deny 0.0 individually, permit 0.0 with mask of 0.0.3.0
(catching 0 to 3) and 8.0 by itself.
Anything else would permit more networks. Always check the number of bits
set to 1 in your mask. 2^x yields the number of matches that your mask will
match.
HTH,
Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, CISSP,
JNCIS, et al.
IPExpert CCIE Program Manager
IPExpert Sr. Technical Instructor
swm@emanon.com/smorris@ipexpert.net
http://www.ipexpert.net
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Bayraktar, Ersoy
Sent: Tuesday, April 20, 2004 9:38 AM
To: swm@emanon.com
Cc: ccielab@groupstudy.com
Subject: RE: access-list question
It is asking to use the minimum number of configuration statements.
-----Original Message-----
From: Scott Morris [mailto:swm@emanon.com]
Sent: Tuesday, April 20, 2004 5:31 PM
To: Bayraktar, Ersoy; ccielab@groupstudy.com
Subject: RE: access-list question
I just re-read your nets...
1.0 00000001
2.0 00000010
3.0 00000011
8.0 00001000
        ^  ^^
There are three bits of difference between these three. Three bits of
difference in the mask (2^3) will yield 8 matches to your ACL. So you can't
put them all in a single mask. You'll get too many extra networks coming
in. Watch the wording on your lab, but be specific.
Oftentimes you'll see "in as few routes as possible", but when you see that,
it doesn't mean to allow extra networks. If you were going to do that, just
permit 0.0.0.0 255.255.255.255, because that will certainly cover any of the
nets you have. :)
HTH,
Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, CISSP,
JNCIS, et al.
IPExpert CCIE Program Manager
IPExpert Sr. Technical Instructor
swm@emanon.com/smorris@ipexpert.net
http://www.ipexpert.net
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Bayraktar, Ersoy
Sent: Tuesday, April 20, 2004 9:14 AM
To: ccielab@groupstudy.com
Subject: access-list question
Hi group,
How come the access-list 1 permit 192.168.4.0 0.0.3.0 means permit
192.168.1.0, 192.168.2.0, 192.168.3.0 and 192.168.8.0? I couldn't find a good
document for such subnetting.
Thanks
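As an added illustration of the wildcard-mask arithmetic discussed in this thread (the XOR/OR of the four networks, the 2^x rule for the number of matches, and the extra networks a single statement lets in), here is a small script. It is not from any poster in the thread; the network list is the one from the original question, and the function names are my own.

```python
# Wildcard-mask arithmetic for the four /24s in the thread (added example).
import ipaddress
from functools import reduce


def _to_int(a):
    return int(ipaddress.IPv4Address(a))


def _to_str(i):
    return str(ipaddress.IPv4Address(i))


def min_wildcard(nets):
    """Single statement covering all nets: OR together the XOR of each net
    against the first, so every bit that differs anywhere becomes a 1
    (don't-care) bit in the wildcard. Returns (address, wildcard)."""
    addrs = [_to_int(n) for n in nets]
    diff = reduce(lambda acc, a: acc | (addrs[0] ^ a), addrs, 0)
    return _to_str(addrs[0] & ~diff & 0xFFFFFFFF), _to_str(diff)


def match_count(wildcard):
    """2^(number of 1 bits) is how many addresses the wildcard matches."""
    return 1 << bin(_to_int(wildcard)).count("1")


def matched(address, wildcard):
    """Every address matched by 'address wildcard', found by walking all
    submasks of the wildcard's 1 bits (there are 2^popcount of them)."""
    base, wc = _to_int(address), _to_int(wildcard)
    fixed = base & ~wc & 0xFFFFFFFF
    out, sub = [], wc
    while True:
        out.append(_to_str(fixed | sub))
        if sub == 0:
            break
        sub = (sub - 1) & wc  # next lower submask of wc
    return sorted(out, key=_to_int)


def extra_nets(wanted, address, wildcard):
    """Networks the statement permits that were not asked for."""
    return [n for n in matched(address, wildcard) if n not in set(wanted)]


if __name__ == "__main__":
    wanted = ["192.168.1.0", "192.168.2.0", "192.168.3.0", "192.168.8.0"]
    addr, wc = min_wildcard(wanted)  # 192.168.0.0 0.0.11.0
    print(f"access-list 1 permit {addr} {wc} -> {match_count(wc)} nets")
    print("extra:", extra_nets(wanted, addr, wc))  # .0, .9, .10, .11
    print("sliding 0.0.15.0 extra:", extra_nets(wanted, addr, "0.0.15.0"))
```

Run it and compare the "extra" lists against the three-statement answer (1.0 alone, 2.0 with 0.0.1.0, 8.0 alone), for which `extra_nets` returns nothing.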
This archive was generated by hypermail 2.1.4 : Mon May 03 2004 - 19:48:51 GMT-3