From: Scott Morris (swm@emanon.com)
Date: Wed Jul 20 2005 - 15:27:43 GMT-3
If you are going to overpermit anyway, why would that be ok, yet "permit ip
any any" not be?
No cutting corners! This could be YOUR network you are protecting. :)
Scott
-----Original Message-----
From: Gustavo Novais [mailto:gustavo.novais@novabase.pt]
Sent: Wednesday, July 20, 2005 2:16 PM
To: swm@emanon.com; Kumar, Manoj; John Matus; lab
Subject: RE: Not so dumb ACL question
But would a solution on one line matching 8 subnets instead of only 6 on two
be acceptable?
I know it is not the optimal solution, but...
-----Original Message-----
From: Scott Morris [mailto:swm@emanon.com]
Sent: Wednesday, July 20, 2005 7:14 PM
To: 'Kumar, Manoj'; 'John Matus'; Gustavo Novais; 'lab'
Subject: RE: Not so dumb ACL question
Yup.
The first line would have four matches, the second line having two matches.
All 6 nets would be permitted with no others.
Scott
-----Original Message-----
From: Kumar, Manoj [mailto:manoj.kumar@citigroup.com]
Sent: Wednesday, July 20, 2005 2:06 PM
To: Scott Morris; John Matus; Gustavo Novais; lab
Subject: RE: Not so dumb ACL question
Can the below do the job on this one:
access-list 33 permit 168.192.3.0 0.16.8.255
access-list 33 permit 168.192.14.0 0.16.0.255
Regards,
Manoj
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of Scott
Morris
Sent: Wednesday, July 20, 2005 5:05 PM
To: 'John Matus'; 'Gustavo Novais'; 'lab'
Subject: RE: Not so dumb ACL question
Subtracting is a short-cut! It ONLY works when the answer is an exponent of
2. It may not work when the value is 1.
When you subtracted 11 from 14 and the answer you got was 3, this is
incorrect. 3 will give you two bits of difference. That means there will
be 4 matches to your end result there! 2 to the 'x' power where 'x'
is the number of bits different (# of 1's in your mask) will always tell you
the number of matches to your statement.
So if you typed in:
Permit 168.192.11.0 0.16.3.255:
The router would rearrange it to:
Permit 168.192.8.0 0.16.3.255 and you will be permitting:
168.192.8.0
168.192.9.0
168.192.10.0
168.192.11.0
168.208.8.0
168.208.9.0
168.208.10.0
168.208.11.0
Which of course completely misses the 14 network and permits a whole bunch
of extra things! Working on individual bits by breaking your things into
binary is really the accurate way of doing it! When you summarize things
together you want to be sure to permit no more and no less networks than are
listed.
If you believe that over-summarizing is a good idea, then just go ahead and
'permit ip any any' and save yourself a lot of time! :)
Scott
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of John
Matus
Sent: Wednesday, July 20, 2005 2:38 AM
To: Gustavo Novais; lab
Subject: Re: Not so dumb ACL question
gustavo,
I could explain it the way I do it; it is probably wrong in theory, but
in practice it has worked for me. You want as few ACLs as possible.... <did
they say few, or 2?>
>168.192.3.0/24
> 168.192.11.0/24
> 168.192.14.0/24
> 168.208.3.0/24
> 168.208.11.0/24
> 168.208.14.0/24
What you want to do is look for patterns in the IP addresses, or similarities.
OK, look at the 2nd octet in the first IP address....192.3. You also have a
.208.3. 208-192=16, so your mask would be 16 for the second octet.......
Looking at the 3rd octet, you can filter all addresses between .3 and .11 by
using the mask .7 since 11-3=8.
So the first ACL would be 168.192.3.0 0.16.3.255. Now you just have 192.14
and 208.14 left. 208-192=16, and 14-14=0, so the second ACL would be
168.192.14.0 0.16.0.255. It's just simple adding and subtracting of the IP
addresses. I'm guessing you could have a different answer if you decided to
filter the .192.3 with the .208.3, and then the range of addresses between
192.11-14 and 208.11-14........ so this would be:
168.192.3.0 0.16.0.255
168.192.11.0 0.16.3.255
At least this is the way I do it. The super CCIEs of the group would
probably scoff at this approach for obvious reasons, but hey, if it
works.....
Regards,
John D. Matus
MCSE, CCNP
Office: 818-782-2061
Cell: 818-430-8372
jmatus@pacbell.net
----- Original Message -----
From: "Gustavo Novais" <gustavo.novais@novabase.pt>
To: "lab" <ccielab@groupstudy.com>
Sent: Tuesday, July 19, 2005 5:23 PM
Subject: Not so dumb ACL question
> Hello
>
> One of those wonderful ACL questions. It came on IPexpert Lab23. I
> didn't understand how they reached their results...
>
> Purpose: with as few lines as possible, deny hosts on networks:
> 168.192.3.0/24
> 168.192.11.0/24
> 168.192.14.0/24
> 168.208.3.0/24
> 168.208.11.0/24
> 168.208.14.0/24
>
> Being that 192 is (b) 11000000, 208 is (192+16) (b) 11010000, 14 is
> (8+4+2) (b) 00001110, 11 is (8+2+1) (b) 00001011 and 3 is (b) 00000011
>
> I did the following according to IE doc on ACL
>
> Second Byte
> 192 208
> NET = AND (11000000, 11010000) = 11000000 -> (d) 192
> MASK = XOR (11000000, 11010000) = 00010000 -> (d) 16
>
> No problem here.
>
> Third Byte
> I thought that we could try and mix all three networks, so
> 14 11 3
> NET = AND (00001110, 00001011, 00000011) = 00000010 = (d) 2
> MASK = XOR (00001110, 00001011, 00000011) = 00001101 = (d) 13
>
> Leading to the result of ACL being 168.192.2.0 mask 0.16.13.255
>
> Their result was on two lines:
> 168.192.3.0 MASK 0.16.8.255
> 168.192.14.0 MASK 0.16.0.255
>
> I tried mix and match to see how they got there, but I only got
> confused... I understood that the first statement was derived by
> mixing third bytes 3 and 11, but I didn't understand the second
> statement...
>
> Perhaps my brain just refuses to work, but could anyone please
> explain to me why my solution isn't correct, for a LAB? (too much
> overlapping?)
>
> TIA
>
> Gustavo
>
> ______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
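A worked example added to this archive page; it is not code from any of the posts above, from IPexpert or from groupstudy. It does mechanically what Gustavo's AND/XOR computation does by hand, applies the two facts in Scott's reply (the router clears the "don't care" bits of the base address, and an entry matches 2^x networks where x is the number of 1 bits in the wildcard outside the host part), and then measures each candidate ACL from the thread, including John's subtraction shortcut, against the six networks it was supposed to match, so over-summarisation is counted rather than argued about. It assumes /24 granularity, as the lab does; the function and variable names (summarize, expand, check, WANTED) are this example's own.

```python
"""Wildcard-mask arithmetic for Cisco-style standard ACL entries.

Added example for this thread; not code from any of the posts or from
IPexpert.  Works at /24 granularity as the lab does.  All names here are
this example's own.
"""
from functools import reduce
from ipaddress import IPv4Address, IPv4Network
from itertools import product
from operator import and_, or_

MASK32 = 0xFFFFFFFF

# The six /24s from the original question, as quoted in the thread.
WANTED = [
    "168.192.3.0/24", "168.192.11.0/24", "168.192.14.0/24",
    "168.208.3.0/24", "168.208.11.0/24", "168.208.14.0/24",
]


def summarize(nets):
    """Return (base, wildcard) dotted strings for one entry covering `nets`.

    base     = AND of all network addresses (the bits every net shares).
    wildcard = bits that are not constant across the set, i.e. OR xor AND,
               plus the host bits.  For two networks this is exactly the
               XOR used in the thread; for three or more, a chained XOR
               cancels bits that differ an even number of times, so the
               OR/AND form is the safe generalisation.
    """
    addrs = [int(IPv4Network(n).network_address) for n in nets]
    host = reduce(or_, (int(IPv4Network(n).hostmask) for n in nets))
    and_all = reduce(and_, addrs)
    or_all = reduce(or_, addrs)
    wildcard = (or_all ^ and_all) | host
    base = and_all & ~wildcard & MASK32     # already the router's normalised form
    return str(IPv4Address(base)), str(IPv4Address(wildcard))


def expand(base, wildcard, prefix=24, limit=1 << 16):
    """Set of /prefix networks that the entry `base wildcard` really matches.

    Every 1 bit in the wildcard above the host part doubles the count, so
    the result has 2**x members: the rule Scott gives for reading an entry.
    """
    host_bits = 32 - prefix
    host = (1 << host_bits) - 1
    b = int(IPv4Address(base))
    w = int(IPv4Address(wildcard))
    if w & host != host:
        raise ValueError(f"wildcard {wildcard} does not cover a whole /{prefix}")
    b &= ~w & MASK32            # router normalisation: 168.192.11.0 -> 168.192.8.0
    var_bits = [i for i in range(host_bits, 32) if (w >> i) & 1]
    if 2 ** len(var_bits) > limit:
        raise ValueError(f"entry matches 2**{len(var_bits)} networks; refusing to expand")
    nets = set()
    for combo in product((0, 1), repeat=len(var_bits)):
        addr = b
        for bit, on in zip(var_bits, combo):
            if on:
                addr |= 1 << bit
        nets.add(IPv4Network((addr, prefix)))
    return nets


def check(wanted, entries, prefix=24):
    """Compare an ACL (list of (base, wildcard) pairs) with the intended nets.

    Returns (extra, missing): networks the ACL permits that were not asked
    for, and networks asked for that no entry matches, as sorted strings.
    An exact ACL returns ([], []).
    """
    want = {IPv4Network(n) for n in wanted}
    got = set().union(*(expand(b, w, prefix) for b, w in entries))
    return (sorted(str(n) for n in got - want),
            sorted(str(n) for n in want - got))


if __name__ == "__main__":
    candidates = {
        "one line, all six ANDed/XORed (Gustavo)": [summarize(WANTED)],
        "two lines, .3/.11 and .14 (IPexpert)": [
            summarize([WANTED[i] for i in (0, 1, 3, 4)]),
            summarize([WANTED[2], WANTED[5]]),
        ],
        "subtraction shortcut (John)": [
            ("168.192.3.0", "0.16.3.255"), ("168.192.14.0", "0.16.0.255"),
        ],
    }
    for name, acl in candidates.items():
        extra, missing = check(WANTED, acl)
        print(f"{name}: {acl}")
        print(f"  permits {len(extra)} extra network(s) {extra}")
        print(f"  misses  {len(missing)} wanted network(s) {missing}")
```

Run as a script, it reports that the single AND/XOR line permits ten /24s that were never asked for, that the two-line answer is exact, and that the subtraction shortcut both over-permits and drops the .11 networks; the same `check` call works for any other candidate ACL you want to try against the list.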
This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:00:30 GMT-3