Re: Not so dumb ACL question

From: John Matus (jmatus@pacbell.net)
Date: Wed Jul 20 2005 - 03:38:19 GMT-3


gustavo,
i could explain it the way i do it; it is probably wrong in theory, but
in practice it has worked for me
you want as few acl's as possible....<did they say few, or 2?>
>168.192.3.0/24
> 168.192.11.0/24
> 168.192.14.0/24
> 168.208.3.0/24
> 168.208.11.0/24
> 168.208.14.0/24

what you want to do is look for patterns in the ip addresses, or
similarities
ok, look at the 2nd octet in the first ip address....192.3 you also
have a .208.3. 208-192=16. so your mask would be 16 for the second
octet....... looking at the 3rd octet, you can filter all address between
.3 and .11 by using the mask .7 since 11-3=8
so the first acl would be 168.192.3.0 0.16.3.255. now you just have 192.14
and 208.14 left. 208-192=16, and 14-14=0
so the second acl would be 168.192.14.0 0.16.0.255. it's just
simple adding and subtracting of the ip addresses. i'm guessing you could
have a different answer if you decided to filter the .192.3 with the 208.3,
and then the range of address between 192.11-14, and 208.11-14........so
this would be
168.192.3.0 0.16.0.255
168.192.11.0 0.16.3.255

at least this is the way i do it. the super ccie's of the group would
probably scoff at this approach for obvious reasons, but hey, if it
work.....

Regards,

John D. Matus
MCSE, CCNP
Office: 818-782-2061
Cell: 818-430-8372
jmatus@pacbell.net
----- Original Message -----
From: "Gustavo Novais" <gustavo.novais@novabase.pt>
To: "lab" <ccielab@groupstudy.com>
Sent: Tuesday, July 19, 2005 5:23 PM
Subject: Not so dumb ACL question

> Hello
>
> One of those wonderful ACL questions. It came on IPexpert Lab23. I
> didn't understand how they reached their results...
>
> Purpose: in as few lines as possible, deny hosts on networks:
> 168.192.3.0/24
> 168.192.11.0/24
> 168.192.14.0/24
> 168.208.3.0/24
> 168.208.11.0/24
> 168.208.14.0/24
>
> Being that 192 is (b) 11000000 , 208 is (192+16) (b)11010000, 14 is
> (8+4+2) (b)00001110, 11 (8+2+1) (b) 00001011 and 3 (b) 00000011
>
> I did the following according to IE doc on ACL
>
> Second Byte
> 192 208
> NET = AND (11000000, 11010000) = 11000000 -> (d)192
> MASK = XOR (11000000, 11010000) = 00010000 ->(d)16
>
> No problem here.
>
> Third Byte
> I thought that we could try and mix all three networks so
> 14 11 3
> NET=AND ( 00001110, 00001011, 00000011) = 00000010 = (d) 2
> MASK =XOR (00001110, 00001011, 00000011) = 00001101 = (d) 13
>
> Leading to the result of ACL being 168.192.2.0 mask 0.16.13.255
>
> Their result was on two lines 168.192.3.0 MASK 0.16.8.255
> 168.192.14.0 MASK 0.16.0.255
>
> I tried mix and match to see how did they get there, but I only got
> confused... I understood that the first statement was derived by mixing
> third bytes 3 and 11 but I didn't understand the second statement...
>
> Perhaps my brain just refuses to work, but please could anyone explain
> to me why my solution isn't correct, for a LAB? (too much overlapping?)
>
> TIA
>
> Gustavo
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
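
Added worked example (not written by either poster): Python that applies the AND/XOR rule from Gustavo's question to derive a single address/wildcard entry, then enumerates every /24 that an address/wildcard pair actually matches, so the overlap he asks about can be counted for each candidate entry in the thread. The network list and the candidate entries are taken from the thread; the function names are my own.

```python
from functools import reduce
from itertools import product
from operator import and_, or_

def to_int(dotted):
    """Dotted quad -> 32-bit integer."""
    return reduce(lambda acc, o: (acc << 8) | int(o), dotted.split("."), 0)

def to_dotted(n):
    """32-bit integer -> dotted quad."""
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def summarize(cidrs):
    """One ACL entry covering all prefixes, by the thread's AND/XOR rule: address
    = AND of all networks; wildcard = bits that differ (OR ^ AND) + host bits."""
    nets, host_wild = [], 0
    for cidr in cidrs:
        addr, plen = cidr.split("/")
        nets.append(to_int(addr))
        host_wild |= (1 << (32 - int(plen))) - 1
    all_and, all_or = reduce(and_, nets), reduce(or_, nets)
    wild = (all_or ^ all_and) | host_wild
    return to_dotted(all_and & ~wild & 0xFFFFFFFF), to_dotted(wild)

def matched_slash24s(addr, wild):
    """Every /24 an address/wildcard entry matches (wildcard must end in .255)."""
    a, w = to_int(addr), to_int(wild)
    assert w & 0xFF == 0xFF, "entry must cover whole /24s"
    base = a & ~w & 0xFFFFFFFF
    free = [b for b in range(8, 32) if (w >> b) & 1]  # bits the ACL ignores
    out = set()
    for bits in product((0, 1), repeat=len(free)):
        n = base
        for b, on in zip(free, bits):
            n |= on << b
        out.add(to_dotted(n) + "/24")
    return out

def coverage(entries, targets):
    """(matched, unintended, missed) /24s for a list of (addr, wildcard) entries."""
    matched = set().union(*(matched_slash24s(a, w) for a, w in entries))
    return matched, matched - set(targets), set(targets) - matched

TARGETS = ["168.192.3.0/24", "168.192.11.0/24", "168.192.14.0/24",  # from the question
           "168.208.3.0/24", "168.208.11.0/24", "168.208.14.0/24"]

if __name__ == "__main__":
    for ent in ([("168.192.2.0", "0.16.13.255")],
                [("168.192.3.0", "0.16.8.255"), ("168.192.14.0", "0.16.0.255")]):
        m, extra, missed = coverage(ent, TARGETS)
        print(f"{ent}: {len(m)} matched, {len(extra)} unintended, {len(missed)} missed")
```

Running it shows the one-line entry from the question matches 16 /24s (10 beyond the six intended), while the two-line IPexpert answer matches exactly the six.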



This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:00:30 GMT-3