Re: Most efficient ACL to match multiple networks - easier way?

From: Larry Chuon (lchuon@gmail.com)
Date: Sun Jun 04 2006 - 19:04:58 ART


I'm so bad at subnetting. Now, I sort of find a way that works for me.
Let's say you have the following networks in your routing table:
198.168.0.0
198.168.1.0
198.168.2.0
198.168.3.0
198.168.8.0
198.168.9.0
198.168.10.0
198.168.11.0

1) use only two ACLs
  a) Look at the pattern 0-3 & 8-11 are complete binary sets which are two
bits
  b) If you are uncomfortable with that, quickly write them out as such
00000000
00000001
00000010
00000011
--------------
00001000
00001001
00001010
00001011

Now look from right to left and find the most bits in common. The above
examples, I see the first two bits which add up to 3. Therefore the
wildcard mask would be 0.0.3.255.
  c) if you AND the above binaries, you'll get 00000011. That is also 3.

Now, take the base (0 and 8) and write them out such as 198.168.0.0
0.0.3.255 and 198.168.8.0 0.0.3.255. To practice, I would obtain an IP
calculator and test out a whole bunch to ensure that my math is correct.

2) If you only want selective networks, the best way is to use AND and XOR.
For example:

I want only:
198.168.1.0
198.168.5.0

convert the third octet to binary
00000001
00000101
-------------
00000100 AND
00000000 invert the mask /24
-------------
00000100 XOR which gives you 4 as wildcard mask

Your ACL would look like this: 198.168.1.0 0.0.4.255

3) Let's say your mask is /24 and you want 3 and 7 network
00000011 base
00000111
-------------
00000100 AND
00000000 invert the mask /24
-------------
00000100 XOR which gives you 198.168.3.0 0.0.4.255

Like I said, I used to have problems with this. If anybody finds any flaw,
please let me know.

Larry
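
The AND/XOR method above, carried through in code as an added example (not part of Larry's post or the thread): `wildcard_for()` builds one ACL line from a list of /24 networks and reports how many extra networks that line would also permit, and `networks_matched()` enumerates what a base/wildcard pair actually covers so the overmatch PhiL describes can be seen before the ACL is applied. It generalises the two-network case to any number of networks, so it also shows that all eight networks in the list fit one line. Function names are my own.

```python
import ipaddress
from functools import reduce
from typing import List, Tuple


def wildcard_for(networks: List[str], prefix_len: int = 24) -> Tuple[str, str, int]:
    """One-line ACL for the given networks: returns (base, wildcard, overmatch).

    base      = AND of all networks (bits every network shares)
    wildcard  = bits that differ between networks (OR XOR AND) plus all host bits
    overmatch = how many /prefix_len networks the line permits beyond the ones asked for
    """
    host_bits = (1 << (32 - prefix_len)) - 1
    net_mask = 0xFFFFFFFF ^ host_bits
    addrs = [int(ipaddress.IPv4Address(n)) & net_mask for n in networks]
    common = reduce(lambda a, b: a & b, addrs)
    differ = reduce(lambda a, b: a | b, addrs) ^ common   # network bits that vary
    wildcard = differ | host_bits
    base = common & (0xFFFFFFFF ^ wildcard)               # zero every "don't care" bit
    permitted = 1 << bin(differ).count("1")               # each varying bit doubles the set
    overmatch = permitted - len(set(addrs))
    return (str(ipaddress.IPv4Address(base)),
            str(ipaddress.IPv4Address(wildcard)), overmatch)


def networks_matched(base: str, wildcard: str, prefix_len: int = 24) -> List[str]:
    """Enumerate every /prefix_len network a base/wildcard line permits."""
    host_bits = (1 << (32 - prefix_len)) - 1
    net_mask = 0xFFFFFFFF ^ host_bits
    b = int(ipaddress.IPv4Address(base)) & net_mask
    w = int(ipaddress.IPv4Address(wildcard)) & net_mask
    vary = [i for i in range(32) if (w >> i) & 1]        # positions of "don't care" bits
    matched = []
    for combo in range(1 << len(vary)):                  # every setting of the varying bits
        v = b & (0xFFFFFFFF ^ w)
        for k, i in enumerate(vary):
            if (combo >> k) & 1:
                v |= 1 << i
        matched.append(v)
    return [f"{ipaddress.IPv4Address(v)}/{prefix_len}" for v in sorted(matched)]


if __name__ == "__main__":
    # Constructed inputs taken from the examples in the thread.
    for nets in (["198.168.1.0", "198.168.5.0"], ["54.1.1.0", "150.1.6.0"]):
        base, wc, extra = wildcard_for(nets)
        print(f"{' '.join(nets)} -> {base} {wc}  (extra networks permitted: {extra})")
        print("   matches:", ", ".join(networks_matched(base, wc)))
```

A non-zero overmatch means the single line is a superset of what was asked for; for routing-update filtering that is usually the moment to fall back to one entry per network.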

On 6/4/06, Elias Chari <elias.chari@gmail.com> wrote:
>
> Hi,
>
> may be the question objective should be clearer. It was in the context of
> filtering routing updates.
>
> (1) use one line acl to allow the networks
> (therefore does not require .255 in the last octet as you are filtering on
> routing updates and not host traffic)
>
> (2) Do not care about overlapping networks....
>
>
> On 6/4/06, PhiL <theccie@gmail.com> wrote:
> >
> > Actually,
> >
> > In your Example 1 you are allowing third octets from 0 to 7 and this is
> > more than the 2 subnets (54.1.1.0 and 150.1.6.0) you want to filter. In
> > this case you would not use 1 line for both but you would need one entry
> > for each of the networks. Also, your last octet wildcard should be 255
> > instead of 0 to allow/deny all the hosts (assuming the 2 original subnets
> > are /24).
> >
> >
> > On 6/4/06, Elias Chari <elias.chari@gmail.com > wrote:
> > >
> > > Faryar,
> > >
> > > It is not meant to solve all your acl scenarios, but if you get 3 or 4
> > > networks then it can get messy using binary. My brain works better in
> > > decimal...-)
> > >
> > > In any case I worked it out using only decimal numbers, as per my
> > > previous post.
> > >
> > > Regards,
> > > Elias
> > >
> > >
> > > On 6/4/06, Faryar Zabihi (fzabihi) < fzabihi@cisco.com> wrote:
> > > >
> > > > Way too complicated. Just think about the networks you need to
> > > > include. See what octets you need to work on. Then just wildcard is the
> > > > difference in that octet (from first network to last). Make sure you
> > > > can actually use one statement to do this. Sometimes you would need two
> > > > blocks. Take the mcast range for example. How can you include all in
> > > > one ACL?
> > > > I have never run across too complicated of a scenario for this not to
> > > > work, but you can definitely get an ugly one. Just make sure you think
> > > > about it. Bit manipulation can be a biotch and time consuming as you
> > > > pointed out.
> > > > This probably doesn't make sense..but it has worked for me
> > > > every time...well I did fail the lab but I don't think it was ACLs
> > > >
> > > > Faryar
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> > > > Of elias.chari@gmail.com
> > > > Sent: Sunday, June 04, 2006 12:29 PM
> > > > To: ccielab@groupstudy.com
> > > > Subject: Most efficient ACL to match multiple networks - easier way?
> > > >
> > > > Hi Group,
> > > >
> > > > I guess you have all come across a requirement to match multiple
> > > > networks with a one line ACL.
> > > >
> > > > I understand the theory, i.e. AND operation to get the network part and
> > > > X-OR for the wildcard. Now writing out all the networks in binary and
> > > > doing the operations is time consuming and quite easy to make a mistake
> > > > when under pressure.
> > > >
> > > > I have tried to work it out using the AND and X-OR functions on the MS
> > > > calculator and whilst it works ok for the AND operation for multiple
> > > > networks, it fails on the X-OR function as it does a comparison of two
> > > > networks at a time.
> > > >
> > > > Has anybody worked out how to get the calculator to compare multiple
> > > > numbers using the X-OR function?
> > > >
> > > > BTW it works for AND when using the networks in decimal format...-)
> > > >
> > > > If we crack this, it could potentially save us quite a bit of time.
> > > >
> > > > Regards,
> > > > Elias
> > > > PS - The equation for an X-OR gate (for those not familiar with it and
> > > > may be interested) is:
> > > > Y = (A + B) · NOT(A·B)
> > > >
> > > >
> > >
> _______________________________________________________________________
> > > > Subscription information may be found at:
> > > > http://www.groupstudy.com/list/CCIELab.html
> > >
> > >
> > >
> >
> >
> >
> > --
> > Regards,
> >
> >
> > PhiL
>



This archive was generated by hypermail 2.1.4 : Sat Jul 01 2006 - 07:57:32 ART