Re: Most efficient ACL to match multiple networks - easier way?

From: Elias Chari (elias.chari@gmail.com)
Date: Sun Jun 04 2006 - 16:33:37 ART


Hi,

Maybe the question's objective should have been clearer. It was in the context of
filtering routing updates.

(1) use a one-line ACL to allow the networks
(therefore it does not require .255 in the last octet, as you are filtering on
routing updates and not host traffic)

(2) Do not care about overlapping networks....

On 6/4/06, PhiL <theccie@gmail.com> wrote:
>
> Actually,
>
> In your Example 1 you are allowing third octets from 0 to 7 and this is
> more than the 2 subnets (54.1.1.0 and 150.1.6.0) you want to filter. In
> this case you would not use 1 line for both but you would need one entry for
> each of the networks. Also, your last octet wildcard should be 255 instead
> of 0 to allow/deny all the hosts (assuming the 2 original subnets are /24).
>
>
> On 6/4/06, Elias Chari <elias.chari@gmail.com > wrote:
> >
> > Faryar,
> >
> > It is not meant to solve all your acl scenarios, but if you get 3 or 4
> > networks then it can get messy using binary. My brain works better in
> > decimal...-)
> >
> > In any case I worked it out using only decimal numbers, as per my previous
> > post.
> >
> > Regards,
> > Elias
> >
> >
> > On 6/4/06, Faryar Zabihi (fzabihi) < fzabihi@cisco.com> wrote:
> > >
> > > Way too complicated. Just think about the networks you need to
> > > include. See what octets you need to work on. Then just wildcard the
> > > difference in that octet (from first network to last). Make sure you
> > > can actually use one statement to do this. Sometimes you would need
> > > two blocks. Take the mcast range for example. How can you include all in
> > > one ACL?
> > > I have never run across too complicated of a scenario for this not to
> > > work, but you can definitely get an ugly one. Just make sure you
> > > think about it. Bit manipulation can be a biotch and time consuming as you
> > > pointed out.
> > > This probably doesn't make sense..but it has worked for me
> > > every time...well I did fail the lab but I don't think it was ACLs
> > >
> > > Faryar
> > >
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > elias.chari@gmail.com
> > > Sent: Sunday, June 04, 2006 12:29 PM
> > > To: ccielab@groupstudy.com
> > > Subject: Most efficient ACL to match multiple networks - easier way?
> > >
> > > Hi Group,
> > >
> > > I guess you have all come across a requirement to match multiple
> > > networks with a one line ACL.
> > >
> > > I understand the theory, i.e. AND operation to get the network part and
> > > X-OR for the wildcard. Now writing out all the networks in binary and
> > > doing the operations is time consuming and quite easy to make a
> > > mistake in when under pressure.
> > >
> > > I have tried to work it out using the AND and X-OR functions on the MS
> > > calculator and whilst it works ok for the AND operation for multiple
> > > networks, it fails on the X-OR function as it does a comparison of two
> > > networks at a time.
> > >
> > > Has anybody worked out how to get the calculator to compare multiple
> > > numbers using the X-OR function?
> > >
> > > BTW it works for AND when using the networks in decimal format...-)
> > >
> > > If we crack this, it could potentially save us quite a bit of time.
> > >
> > > Regards,
> > > Elias
> > > PS - The equation for an X-OR gate (for those not familiar with it and
> > > may be interested) is:
> > > $Y = (A + B)\,\overline{AB}$
> > >
> > >
> > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
> >
>
> --
> Regards,
>
>
> PhiL
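The thread's two networks, 54.1.1.0 and 150.1.6.0, worked through with the AND/X-OR method from the original post, as an added example (this is not code from any of the posters). It computes the single-entry address and wildcard, shows why a chained two-operand XOR, the MS-calculator approach Elias describes, gives the wrong wildcard once there are three or more networks, and enumerates what the resulting entry admits beyond the intended networks, which is PhiL's objection. Cisco wildcard semantics are assumed: a 0 bit must match, a 1 bit is don't-care. The last octet is left at 0 because the entry is meant for a distribute-list that matches network numbers, as in the thread; the access-list number 10 and the 10.0.x.0 networks in the three-network case are my own constructed inputs.

```python
"""Added example: one wildcard-mask ACL entry covering several networks,
plus a check of everything else that entry admits. Not from the thread."""
import ipaddress
from typing import Iterable, List, Tuple

MASK32 = 0xFFFFFFFF


def to_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def to_str(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def summarize(networks: Iterable[str]) -> Tuple[str, str]:
    """Return (address, wildcard) for a single entry matching every network.

    Network part: AND of all addresses (the bits common to all of them).
    Wildcard: every bit in which any address differs from that common part.
    A chained XOR (a ^ b ^ c ...) is NOT the same thing: a bit that flips an
    even number of times cancels out, so a two-operand calculator XOR cannot
    simply be extended to three or more networks.  OR-ing each address XOR
    the common part is correct and equals OR(all) ^ AND(all).
    """
    values = [to_int(n) for n in networks]
    common = values[0]
    for v in values[1:]:
        common &= v
    wildcard = 0
    for v in values:
        wildcard |= v ^ common
    return to_str(common), to_str(wildcard)


def naive_chained_xor(networks: Iterable[str]) -> str:
    """What a chained two-operand XOR produces, kept only for contrast."""
    acc = 0
    for n in networks:
        acc ^= to_int(n)
    return to_str(acc)


def matches(address: str, wildcard: str, candidate: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is don't-care."""
    care = ~to_int(wildcard) & MASK32
    return (to_int(candidate) & care) == (to_int(address) & care)


def covered_count(wildcard: str) -> int:
    """Number of distinct addresses a wildcard admits: 2 ** (bits set)."""
    return 1 << bin(to_int(wildcard)).count("1")


def enumerate_matched(address: str, wildcard: str, limit: int = 4096) -> List[str]:
    """Every address the entry matches, smallest first; refuses huge wildcards."""
    if covered_count(wildcard) > limit:
        raise ValueError("wildcard too wide to enumerate")
    w = to_int(wildcard)
    base = to_int(address) & ~w & MASK32          # fixed bits only
    positions = [i for i in range(32) if (w >> i) & 1]
    out = []
    for k in range(1 << len(positions)):          # walk every don't-care combination
        v = base
        for j, pos in enumerate(positions):
            if (k >> j) & 1:
                v |= 1 << pos
        out.append(v)
    return [to_str(v) for v in sorted(out)]


def unintended(networks: Iterable[str], address: str, wildcard: str) -> List[str]:
    """Addresses the single entry admits that were not in the intended list."""
    wanted = {to_int(n) for n in networks}
    return [a for a in enumerate_matched(address, wildcard) if to_int(a) not in wanted]


if __name__ == "__main__":
    nets = ["54.1.1.0", "150.1.6.0"]              # the two networks from the thread
    addr, wc = summarize(nets)
    print(f"access-list 10 permit {addr} {wc}")  # constructed ACL number
    print(f"admits {covered_count(wc)} network numbers, "
          f"{len(unintended(nets, addr, wc))} of them unintended")
```

Running it prints `access-list 10 permit 22.1.0.0 160.0.7.0`: the first octet wildcard 160 (10100000) frees two bits and the third octet wildcard 7 frees three, so the one line admits 32 network numbers, 30 of which were never asked for. That is the trade-off Elias's point (2) accepts and PhiL objects to; `unintended()` lists exactly which extra networks an update filter would let through, which is worth checking before the single-line form goes into a distribute-list.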



This archive was generated by hypermail 2.1.4 : Sat Jul 01 2006 - 07:57:32 ART