From: Scott Morris (swm@emanon.com)
Date: Fri Jun 10 2005 - 09:15:08 GMT-3
It's actually an XOR operation. But IMHO that explanation (while functional)
tends to be way more complicated than most people want to think about.
If you have those four routes, let's look at what is changing (third octet):
0 = 00000000
1 = 00000001
2 = 00000010
3 = 00000011
============
M = 000000xx <== Where changes occur (you don't care what the value is)
you'll put a '1' in the mask.
Mask of 00000011 when we translate back would be .3... So 30.1.0.0 to set
the original bits' starting position with a 0.0.3.0 mask gives you all four
of your entries.
With the even or odd thing, it's the least significant bit that dictates
whether a number is even or odd, so that's the one bit that CAN NOT change
(using a '0' in the mask).
Examples for even:
0 = 00000000
2 = 00000010
8 = 00001000
42 = 00101010
88 = 01011000
128 = 10000000
222 = 11011110
252 = 11111100
==============
Msk = 11111110
You don't care what the first 7 bits work out to be, but that last bit MUST
remain what it started out as.
I think part of the problem is the explanations everyone is given about what
an ACL does when they're doing CCNA-type stuff. We're always told that it's
"network" and "mask" in the ACL, and while yes, that's correct, that's not
REALLY what it is.
The "network" part we've always come to know is simply a starting bit
position. So that is used to SET the original bits which the mask is then
applied to. When we start working with more abnormal masks here it's time
to abandon that concept of "network" and look at it as the starting point.
HTH,
Scott
-----Original Message-----
From: John Matus [mailto:john_matus@hotmail.com]
Sent: Friday, June 10, 2005 12:25 AM
To: swm@emanon.com; noble@inserviceindia.com; ccielab@groupstudy.com
Subject: RE: route filtering with wild-card mask
hey, ok, wait one second.........with regards to that "and'ing" operation
you did below
>30.1.0.0 = 00011110.00000001.00000000.00000000 as the starting point.
> 0.0.1.0 = 00000000.00000000.00000001.00000000 as the mask to apply to
>those
shouldn't the result be
00011110.00000001.00000001.00000000?
sh@t, i'm losing my grasp on this. the way i learned how to filter odd and
even routes was that if you just consider the least significant bit, the
one's bit, it will always be "off", and an odd number will always have the
one's bit "on". so if you have the routes:
30.1.0.0
30.1.1.0
30.1.2.0
30.1.3.0
and you wanted to filter out all of the odd routes you would create a mask
that only filters that last bit, the least significant bit, which would be
".254" in regular mask format, or .1 in wildcard mask format. so the acl to
deny all odd routes in the 3rd octet would be
deny 30.1.1.0 0.0.1.0,
or to deny the even routes you would use deny 30.1.0.0 0.0.1.0.....
yeah?
>From: "Scott Morris" <swm@emanon.com>
>Reply-To: <swm@emanon.com>
>To: "'John Matus'"
><john_matus@hotmail.com>,<noble@inserviceindia.com>,<ccielab@groupstudy
>.com>
>Subject: RE: route filtering with wild-card mask
>Date: Thu, 9 Jun 2005 23:28:05 -0400
>
>Not really... Sorry that was more confusing! (have caffeine, or if
>already had too much, try alcohol!)
>
>A "1" in the wildcard means that you don't care what that bit value is.
>
>Remember that these are octets, so your 0.0.1.0 really means
>00000000.00000000.00000001.00000000 as the mask. And in that ONE
>particular position that you have a "1" value, you could care less what
>the value is.
>Every other bit must remain the same.
>
>The router sees:
>
>30.1.0.0 = 00011110.00000001.00000000.00000000 as the starting point.
> 0.0.1.0 = 00000000.00000000.00000001.00000000 as the mask to apply to
>those starting bits.
>==============================================
>Result = 00011110.00000001.0000000x.00000000 where 'x' can be a 0 or a 1.
>Converting back, that would give you 30.1.0.0 and 30.1.1.0 as the
>possible matches.
>
>Think like the router does! The router sees 32 bits in a row, it
>doesn't care where those bits fall as far as the mask is concerned.
>
>Does that help? (if not, try more alcohol)
>
>;)
>
>Scott
>
>
>-----Original Message-----
>From: John Matus [mailto:john_matus@hotmail.com]
>Sent: Thursday, June 09, 2005 11:21 PM
>To: swm@emanon.com; noble@inserviceindia.com; ccielab@groupstudy.com
>Subject: RE: route filtering with wild-card mask
>
>krud.....actually that was almost more confusing to me than
>helpful.....but perhaps that's b/c i just got off of work :) so you're
>saying -
>access-list 1 deny 30.1.0.0 0.0.1.0 means that the 3rd bit can be
>anything....
>and
>access-list deny 30.1.0.0 0.0.0.0 matches the 3rd bit exactly, which
>is even?....
>
>so then it is the best approach to permit even routes in the 3rd octet
>to use:
>
>permit 30.1.0.0 0.0.0.0
>
>and the best way to permit only the odd routes would be to use:
>deny 30.1.0.0 0.0.0.0
>permit 30.1.0.0 0.0.1.0 ? is this correct scott?
>
> >From: "Scott Morris" <swm@emanon.com>
> >Reply-To: <swm@emanon.com>
> >To: "'John Matus'"
> ><john_matus@hotmail.com>,<noble@inserviceindia.com>,<ccielab@groupstu
> >dy
> >.com>
> >Subject: RE: route filtering with wild-card mask
> >Date: Wed, 8 Jun 2005 08:56:43 -0400
> >
> >Remember that a "1" bit in the wildcard mask means that you don't
> >care what the value is. "0" bit means that it must stay the same...
> >
> >So let's look at your third octet:
> >
> >00000000 ==> This is what you are setting the starting bits there.
> >00000001 ==> This is the mask you are using. (0.0.1.255)
> >========
> >0000000x ==> This is what you'll end up with. So a 0 or 1 can be
> >in that least significant bit position there, which means 0 or 1 are
> >the two values.
> >Obviously one of those is even, one is odd.
> >
> >To get all even or odd numbers, you need to make sure that the least
> >significant bit does NOT change ("0" in the wildcard mask). Anything
> >else, you don't care about.
> >
> >So:
> >
> >00000000 ==> Starting point
> >11111110 ==> Mask
> >========
> >Xxxxxxx0 ==> This will give you all EVEN networks since you started
> >with an even number. Change to the 31.1.1.0 starting point and the
> >same mask to get all ODD networks.
> >
> >HTH,
> >
> >Scott
> >
> >
> >-----Original Message-----
> >From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> >Of John Matus
> >Sent: Wednesday, June 08, 2005 2:29 AM
> >To: noble@inserviceindia.com; ccielab@groupstudy.com
> >Subject: RE: route filtering with wild-card mask
> >
> >noble........from what i remember reading that does make
> >sense......like i said, you are matching anything in the third octet
> >with the least significant bit turned on <for odd>.......but i was
> >doing a lab last week and it worked just the opposite as
> >expected.....hence my question. it's perplexing. i wonder if anyone
> >else has had a similar experience with "deny 30.1.0.0 0.0.1.255"
> >denying the "even" routes instead of the odd
> >
> >john
> >
> > >From: "T. N. Noble" <noble@inserviceindia.com>
> > >To: "'John Matus'"
> > ><john_matus@hotmail.com>,<ccielab@groupstudy.com>
> > >Subject: RE: route filtering with wild-card mask
> > >Date: Wed, 8 Jun 2005 08:44:16 +0300
> > >
> > >I have a different understanding of your question. "DENY ANYTHING WITH ODD
> > >3rd OCTET" may be looked at based on the provided networks / all networks.
> > >
> > >If it is based on the provided network, then I believe that the ACL
> > >"access-list 1 deny 30.1.0.0 0.0.1.255" is more correct.
> > >
> > >Further if it is looked up on based on all the networks then the ACL
> > >"deny 30.1.0.0 0.0.1.0" may be correct.
> > >
> > >I may be wrong but was trying to put my interpretation of your question.
> > >
> > >Thanks,
> > >
> > >Noble
> > >
> > >
> > >-----Original Message-----
> > >From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
> > >Behalf Of John Matus
> > >Sent: 08 June 2005 07:57
> > >To: ccielab@groupstudy.com
> > >Subject: route filtering with wild-card mask
> > >
> > >ok,
> > >you have networks 30.1.1.0 and 30.1.2.0. you want to deny anything with
> > >an odd 3rd octet
> > >
> > >now, i always thought that the access-list should be:
> > >
> > >access-list 1 deny 30.1.0.0 0.0.1.255 since you are matching anything
> > >with the last bit set to 1,
> > >or
> > >to deny anything even you should use:
> > >
> > >access-list 1 deny 30.1.0.0 0.0.255.255 since only numbers with the
> > >least significant bit set to zero are even................but
> > >lately when i've been configuring offset-lists my findings have
> > >been just the opposite as anticipated....
> > >
> > >is this correct?
> > >
> > >as a side note, in the 1st example you can actually use "deny 30.1.0.0
> > >0.0.1.0" yeah? since you don't need to match the 1, 2, or 4th bit <?>
> > >
> > >just trying to get my facts nailed down!
> > >
> > >tia
> > >
> > >_______________________________________________________________________
> > >Subscription information may be found at:
> > >http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Wed Jul 06 2005 - 14:43:41 GMT-3
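
The comparison discussed in the thread above (a "0" wildcard bit must equal the starting bits, a "1" bit is don't-care), written out as an added example that is not part of the original messages. The function names are this example's own, and it models only the address/wildcard test of a standard ACL entry against the four routes from the thread.

```python
import ipaddress

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def to_dotted(value):
    return str(ipaddress.IPv4Address(value))

def acl_match(address, start, wildcard):
    """True when address equals start in every bit where the wildcard has a 0."""
    care = ~to_int(wildcard) & 0xFFFFFFFF          # bits that must not change
    return (to_int(address) ^ to_int(start)) & care == 0

def derive_entry(routes):
    """Build (start, wildcard) covering all routes: XOR finds the bits that change."""
    values = [to_int(r) for r in routes]
    wildcard = 0
    for v in values:
        wildcard |= v ^ values[0]                  # 1 wherever any route differs
    start = values[0] & ~wildcard & 0xFFFFFFFF     # clear the don't-care bits
    return to_dotted(start), to_dotted(wildcard)

def is_exact(routes):
    """The derived entry matches 2**n addresses (n = wildcard 1-bits).
    It is exact only when that equals the number of routes supplied."""
    _, wildcard = derive_entry(routes)
    return 2 ** bin(to_int(wildcard)).count("1") == len(set(routes))

# The four routes from the thread.
ROUTES = ["30.1.0.0", "30.1.1.0", "30.1.2.0", "30.1.3.0"]

def matched(start, wildcard, candidates=ROUTES):
    return [r for r in candidates if acl_match(r, start, wildcard)]

if __name__ == "__main__":
    entries = [
        ("30.1.0.0", "0.0.1.0"),    # only the last bit of octet 3 is free
        ("30.1.0.0", "0.0.3.0"),    # last two bits free: all four routes
        ("30.1.0.0", "0.0.254.0"),  # last bit fixed at 0: even third octet
        ("30.1.1.0", "0.0.254.0"),  # last bit fixed at 1: odd third octet
    ]
    for start, wc in entries:
        print(f"{start} {wc:<10} -> {matched(start, wc)}")
    print("derived entry:", derive_entry(ROUTES), "exact:", is_exact(ROUTES))
    # Two routes that differ in two bits force a 4-address entry (over-match).
    pair = ["30.1.1.0", "30.1.2.0"]
    print("derived entry:", derive_entry(pair), "exact:", is_exact(pair))
```
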