RE: Not so dumb ACL question [bcc][faked-from][bayes]

From: Gustavo Novais (gustavo.novais@novabase.pt)
Date: Thu Jul 21 2005 - 09:35:41 GMT-3


Great explanation!

Thank you

I've missed the aspect of matching (having 1's on my mask) exactly N
networks.

Thanks

Gustavo

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
marvin greenlee
Sent: Wednesday, July 20, 2005 1:52
To: Gustavo Novais; lab
Subject: RE: Not so dumb ACL question [bcc][faked-from][bayes]

Start with the number of items in the group (six in this case).

To match just those values, you can't be exact in one line, since six is
not a binary boundary. The closest binary boundaries are 4 and 8. To
get six we could use (4 + 2) or (8 - 2) if the networks fall just right.

Looking at the six, we have paired values for the second octet (192 and
208). These values are the same except for the 16 bit.

Looking at the third octet, we have 3, 11, and 14. 3 and 11 are the
same except for the 8 bit, and 14 is different in two other bits (1, 4).

We can group the 192/208 and the 3/11 as a group of 4, since there are
two bits difference, and we have all four possible combinations.
168.192.3, 168.208.3, 168.192.11, 168.208.11

netw 168.192.3.0 mask 0.16.8.255
(Note the section is asking for HOSTS on these networks. If we were
just matching the networks as /24s for route updates, we could leave the
last octet as 0.)

The two .14s pair up.
168.192.14.0 0.16.0.255

Take a close look at your XOR. With a mask of 0.16.13 for the first
three octets, you are saying that you "don't care" about 4 bits (16 bit
in second octet, 1, 4, and 8 bits in the third octet). If you don't
care about 4 bits, then you are matching a total of 2^4 (16) address
values for the first three octets. This will match these six, but will
also match 10 more that you may not want to match.

Marvin Greenlee, CCIE#12237, CCSI# 30483 Network Learning Inc
marvin@ccbootcamp.com www.ccbootcamp.com (Cisco Training)
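The counting argument above (a wildcard bit set to 1 doubles the number of matched values, so 0.16.13.255 covers 2^4 = 16 prefixes) can be checked mechanically. The following is an added example, not part of the original thread or of any vendor tool: it expands a Cisco-style (network, wildcard) pair into the /24 prefixes it matches and reports over-matched and under-matched prefixes against the six networks from the question.

```python
import ipaddress
from itertools import product


def matched_prefixes(network, wildcard, prefixlen=24):
    """Return the set of /prefixlen networks whose hosts the ACE (network, wildcard) matches.

    Wildcard bits set to 1 are "don't care"; every combination of those bits is enumerated.
    The wildcard must cover all host bits (last octet 255 for /24), as in the thread.
    """
    net = int(ipaddress.IPv4Address(network))
    wild = int(ipaddress.IPv4Address(wildcard))
    host_bits = 32 - prefixlen
    host_mask = (1 << host_bits) - 1
    if wild & host_mask != host_mask:
        raise ValueError("wildcard must cover all hosts of each network")
    fixed = (net & ~wild) & 0xFFFFFFFF          # bits the ACE actually tests
    free = [b for b in range(host_bits, 32) if (wild >> b) & 1]  # "don't care" bits
    nets = set()
    for combo in product((0, 1), repeat=len(free)):
        x = fixed
        for bit, value in zip(free, combo):
            x |= value << bit
        nets.add(ipaddress.ip_network((x, prefixlen)))
    return nets


def acl_coverage(aces, wanted):
    """Return (over_matched, under_matched) /24 prefixes for a list of ACEs versus the intended set."""
    matched = set()
    for network, wildcard in aces:
        matched |= matched_prefixes(network, wildcard)
    wanted = {ipaddress.ip_network(w) for w in wanted}
    return sorted(matched - wanted), sorted(wanted - matched)


# The six networks from the question (constructed from the thread).
WANTED = ["168.192.3.0/24", "168.192.11.0/24", "168.192.14.0/24",
          "168.208.3.0/24", "168.208.11.0/24", "168.208.14.0/24"]
# Two-line answer from the workbook and the single-line AND/XOR attempt.
TWO_LINE_ACL = [("168.192.3.0", "0.16.8.255"), ("168.192.14.0", "0.16.0.255")]
ONE_LINE_ACL = [("168.192.2.0", "0.16.13.255")]

if __name__ == "__main__":
    for label, acl in (("two-line", TWO_LINE_ACL), ("one-line", ONE_LINE_ACL)):
        over, under = acl_coverage(acl, WANTED)
        print(f"{label}: over-matched {len(over)}, under-matched {len(under)}")
        for p in over:
            print("  unintended:", p)
```

For a deny ACL the over-matched list is the set of prefixes that would be blocked by mistake; the same function applied to a permit ACL shows what an over-broad wildcard would let through.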

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Gustavo Novais
Sent: Wednesday, July 20, 2005 11:52 PM
To: lab
Subject: Not so dumb ACL question [bcc][faked-from][bayes]
Importance: Low

Hello

One of those wonderful ACL questions. It came up in IPexpert Lab 23. I
didn't understand how they reached their results...

Purpose: with as few lines as possible, deny hosts on the networks:
168.192.3.0/24
168.192.11.0/24
168.192.14.0/24
168.208.3.0/24
168.208.11.0/24
168.208.14.0/24

Given that 192 is (b) 11000000, 208 is (192+16) (b) 11010000, 14 is
(8+4+2) (b) 00001110, 11 is (8+2+1) (b) 00001011 and 3 is (b) 00000011,

I did the following according to IE doc on ACL

Second byte (192, 208):
NET = AND(11000000, 11010000) = 11000000 -> (d) 192
MASK = XOR(11000000, 11010000) = 00010000 -> (d) 16

No problem here.

Third byte: I thought that we could try and mix all three networks (14, 11, 3), so
NET = AND(00001110, 00001011, 00000011) = 00000010 = (d) 2
MASK = XOR(00001110, 00001011, 00000011) = 00001101 = (d) 13

Leading to the result of ACL being 168.192.2.0 mask 0.16.13.255

Their result was on two lines:
168.192.3.0 MASK 0.16.8.255
168.192.14.0 MASK 0.16.0.255

I tried to mix and match to see how they got there, but I only got
confused... I understood that the first statement was derived by mixing
third bytes 3 and 11, but I didn't understand the second statement...

Perhaps my brain just refuses to work, but could anyone please explain
to me why my solution isn't correct, for a LAB? (too much overlapping?)

TIA

Gustavo



This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:00:30 GMT-3