RE: Not so dumb ACL question [bcc][faked-from][bayes]

From: marvin greenlee (marvin@ccbootcamp.com)
Date: Tue Jul 19 2005 - 21:52:13 GMT-3


Start with the number of items in the group (six in this case).

To match just those values, you can't be exact in one line, since six is not
a binary boundary. The closest binary boundaries are 4 and 8. To get six
we could use (4 + 2) or (8 - 2) if the networks fall just right.

Looking at the six, we have paired values for the second octet (192 and
208). These values are the same except for the 16 bit.

Looking at the third octet, we have 3, 11, and 14. 3 and 11 are the same
except for the 8 bit, and 14 is different in two other bits (1, 4).

We can group the 192/208 and the 3/11 as a group of 4, since there are two
bits difference, and we have all four possible combinations.
168.192.3, 168.208.3, 168.192.11, 168.208.11

netw 168.192.3.0 mask 0.16.8.255
(Note the section is asking for HOSTS on these networks. If we were just
matching the networks as /24s for route updates, we could leave the last
octet as 0.)

The two .14s pair up.
168.192.14.0 0.16.0.255

Take a close look at your XOR. With a mask of 0.16.13 for the first three
octets, you are saying that you "don't care" about 4 bits (16 bit in second
octet, 1, 4, and 8 bits in the third octet). If you don't care about 4
bits, then you are matching a total of 2^4 (16) address values for the first
three octets. This will match these six, but will also match 10 more that
you may not want to match.

Marvin Greenlee, CCIE#12237, CCSI# 30483
Network Learning Inc
marvin@ccbootcamp.com
www.ccbootcamp.com (Cisco Training)

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Gustavo Novais
Sent: Wednesday, July 20, 2005 11:52 PM
To: lab
Subject: Not so dumb ACL question [bcc][faked-from][bayes]
Importance: Low

Hello

One of those wonderful ACL questions. It came up in IPexpert Lab23. I
didn't understand how they reached their results...

Purpose: in as few lines as possible, deny hosts on the networks:
168.192.3.0/24
168.192.11.0/24
168.192.14.0/24
168.208.3.0/24
168.208.11.0/24
168.208.14.0/24

Being that 192 is (b) 11000000, 208 is (192+16) (b) 11010000, 14 is
(8+4+2) (b) 00001110, 11 is (8+2+1) (b) 00001011, and 3 is (b) 00000011.

I did the following according to IE doc on ACL

Second Byte
                         192 208
NET = AND (11000000, 11010000) = 11000000 -> (d)192
MASK = XOR (11000000, 11010000) = 00010000 ->(d)16

No problem here.

Third Byte
I thought that we could try and mix all three networks, so
                         14 11 3
NET=AND ( 00001110, 00001011, 00000011) = 00000010 = (d) 2
MASK =XOR (00001110, 00001011, 00000011) = 00001101 = (d) 13

Leading to the result of ACL being 168.192.2.0 mask 0.16.13.255

Their result was on two lines:
168.192.3.0 MASK 0.16.8.255
168.192.14.0 MASK 0.16.0.255

I tried mixing and matching to see how they got there, but I only got
confused... I understood that the first statement was derived by mixing
third bytes 3 and 11, but I didn't understand the second statement...

Perhaps my brain just refuses to work, but could anyone please explain
to me why my solution isn't correct, for a LAB? (too much overlapping?)

TIA

Gustavo
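As an added illustration (not part of either message above), the following Python script checks both halves of the thread: Gustavo's AND/"XOR" summary step, and Marvin's point that a wildcard mask with k "don't care" bits in the first three octets matches exactly 2^k /24 prefixes, so a six-network group can never be covered exactly by one line. The six networks and both ACLs are taken from the thread; the function names (`summarize`, `matched_prefixes`, `audit`, etc.) are mine, not a Cisco or IPexpert API.

```python
"""Check Cisco wildcard-mask ACL lines against the /24s they are meant to cover."""
from itertools import product

# The six /24s from the thread whose hosts are to be denied.
TARGET_NETWORKS = [
    "168.192.3.0", "168.192.11.0", "168.192.14.0",
    "168.208.3.0", "168.208.11.0", "168.208.14.0",
]

# Marvin's two-line answer and Gustavo's one-line attempt, as (network, wildcard).
MARVIN_ACL = [("168.192.3.0", "0.16.8.255"), ("168.192.14.0", "0.16.0.255")]
GUSTAVO_ACL = [("168.192.2.0", "0.16.13.255")]


def dotted_to_int(addr: str) -> int:
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad address: {addr}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def ace_matches(ace, addr: str) -> bool:
    """A wildcard ACE matches when every 'care' bit (wildcard bit == 0) agrees."""
    net, wild = ace
    care = ~dotted_to_int(wild) & 0xFFFFFFFF
    return (dotted_to_int(addr) & care) == (dotted_to_int(net) & care)


def summarize(values):
    """The AND/'XOR' step from the thread for one octet.

    Common bits become the network octet; bits that differ across the values
    become the wildcard octet. For more than two values that 'XOR' is really
    OR-of-all minus AND-of-all (for exactly two values it equals XOR).
    """
    net = values[0]
    everything = 0
    for v in values:
        net &= v
        everything |= v
    return net, everything ^ net


def is_exact_summary(values) -> bool:
    """True only when the values fill every combination of the wildcard bits,
    i.e. the group size is a power of two that equals 2**popcount(mask)."""
    _, mask = summarize(values)
    return len(set(values)) == 1 << bin(mask).count("1")


def matched_prefixes(ace):
    """Enumerate every /24 prefix an ACE with a .255 last octet accepts.

    Each 'don't care' bit in the first three octets doubles the count, so an
    ACE with k wildcard bits there matches exactly 2**k prefixes.
    """
    net, wild = ace
    net_i = dotted_to_int(net) & 0xFFFFFF00
    wild_i = dotted_to_int(wild) & 0xFFFFFF00
    free_bits = [1 << b for b in range(8, 32) if wild_i & (1 << b)]
    prefixes = set()
    for choice in product((0, 1), repeat=len(free_bits)):
        value = net_i & ~wild_i
        for bit, on in zip(free_bits, choice):
            if on:
                value |= bit
        prefixes.add(int_to_dotted(value))
    return prefixes


def audit(acl, targets):
    """Return (covered, extra): target /24s the ACL matches, and /24s it
    matches that were never wanted (the 'overlap' Gustavo asks about)."""
    wanted = set(targets)
    matched = set()
    for ace in acl:
        matched |= matched_prefixes(ace)
    return sorted(matched & wanted), sorted(matched - wanted)


if __name__ == "__main__":
    print("third octet summary of 14, 11, 3:", summarize([14, 11, 3]),
          "exact:", is_exact_summary([14, 11, 3]))
    for name, acl in (("Marvin", MARVIN_ACL), ("Gustavo", GUSTAVO_ACL)):
        covered, extra = audit(acl, TARGET_NETWORKS)
        print(f"{name}: covers {len(covered)} of 6, matches {len(extra)} extra: {extra}")
```

Running it shows Marvin's two lines covering exactly the six networks with nothing extra, while Gustavo's single line covers the six plus ten others (2^4 = 16 prefixes in total), which is the unwanted overlap a lab grader would flag.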



This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:00:30 GMT-3