Re: Most efficient ACL to match multiple networks - easier way?

From: PhiL (theccie@gmail.com)
Date: Sun Jun 04 2006 - 20:30:23 ART


Larry,

Actually, in your first example you can use only one ACL entry: 192.168.0.0
0.0.11.255

On 6/4/06, Larry Chuon <lchuon@gmail.com> wrote:
>
> I'm so bad at subnetting. Now, I sort of find a way that works for me.
> Let's say you have the following networks in your routing table:
> 198.168.0.0
> 198.168.1.0
> 198.168.2.0
> 198.168.3.0
> 198.168.8.0
> 198.168.9.0
> 198.168.10.0
> 198.168.11.0
>
> 1) use only two ACLs
> a) Look at the pattern 0-3 & 8-11 are complete binary sets which are two
> bits
> b) If you are uncomfortable with that, quickly write them out as such
> 00000000
> 00000001
> 00000010
> 00000011
> --------------
> 00001000
> 00001001
> 00001010
> 00001011
>
> Now look from right to left and find the most bits in common. The above
> examples, I see the first two bits which add up to 3. Therefore the
> wildcard mask would be 0.0.3.255.
> c) if you AND the above binaries, you'll get 00000011. That is also 3.
>
> Now, take the base (0 and 8) and write them out such as 198.168.0.0
> 0.0.3.255 and 198.168.8.0 0.0.3.255. To practice, I would obtain an IP
> calculator and test out a whole bunch to ensure that my math is correct.
>
> 2) If you only want selective networks, the best way is to use AND and
> XOR.
> For example:
>
> I want only:
> 198.168.1.0
> 198.168.5.0
>
> convert the third octet to binary
> 00000001
> 00000101
> -------------
> 00000100 AND
> 00000000 invert the mask /24
> -------------
> 00000100 XOR which gives you 4 as wildcard mask
>
> Your ACL would look like this: 198.168.1.0 0.0.4.255
>
> 3) Let's say your mask is /24 and you want 3 and 7 network
> 00000011 base
> 00000111
> -------------
> 00000100 AND
> 00000000 invert the mask /24
> -------------
> 00000100 XOR which gives you 198.168.3.0 0.0.4.255
>
> Like I said, I used to have problems with this. If anybody found any flaw,
> please let me know.
>
> Larry
>
> On 6/4/06, Elias Chari <elias.chari@gmail.com> wrote:
> >
> > Hi,
> >
> > maybe the question objective should be clearer. It was in the context of
> > filtering routing updates.
> >
> > (1) use one line acl to allow the networks
> > (therefore does not require .255 in the last octet as you are filtering on
> > routing updates and not host traffic)
> >
> > (2) Do not care about overlapping networks....
> >
> >
> > On 6/4/06, PhiL <theccie@gmail.com> wrote:
> > >
> > > Actually,
> > >
> > > In your Example 1 you are allowing third octets from 0 to 7 and this is
> > > more than the 2 subnets (54.1.1.0 and 150.1.6.0) you want to filter. In
> > > this case you would not use 1 line for both but you would need one entry
> > > for each of the networks. Also, your last octet wildcard should be 255
> > > instead of 0 to allow/deny all the hosts (assuming the 2 original subnets
> > > are /24).
> > >
> > >
> > > On 6/4/06, Elias Chari <elias.chari@gmail.com > wrote:
> > > >
> > > > Faryar,
> > > >
> > > > It is not meant to solve all your acl scenarios, but if you get 3 or 4
> > > > networks then it can get messy using binary. My brain works better in
> > > > decimal...-)
> > > >
> > > > In any case I worked it out using only decimal numbers, as per my
> > > > previous post.
> > > >
> > > > Regards,
> > > > Elias
> > > >
> > > >
> > > > On 6/4/06, Faryar Zabihi (fzabihi) < fzabihi@cisco.com> wrote:
> > > > >
> > > > > Way too complicated. Just think about the networks you need to
> > > > > include. See what octets you need to work on. Then just wildcard is the
> > > > > difference in that octet (from first network to last). Make sure you
> > > > > can actually use one statement to do this. Sometimes you would need
> > > > > two blocks. Take the mcast range for example. How can you include all
> > > > > in one ACL?
> > > > > I have never run across too complicated of a scenario for this not to
> > > > > work, but you can definitely get an ugly one. Just make sure you think
> > > > > about it. Bit manipulation can be a biotch and time consuming as you
> > > > > pointed out.
> > > > > This probably doesn't make sense..but it has worked for me
> > > > > every time...well I did fail the lab but I don't think it was ACLS
> > > > >
> > > > > Faryar
> > > > >
> > > > >
> > > > > -----Original Message-----
> > > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > > > elias.chari@gmail.com
> > > > > Sent: Sunday, June 04, 2006 12:29 PM
> > > > > To: ccielab@groupstudy.com
> > > > > Subject: Most efficient ACL to match multiple networks - easier way?
> > > > >
> > > > > Hi Group,
> > > > >
> > > > > I guess you have all come across a requirement to match multiple
> > > > > networks with a one line ACL.
> > > > >
> > > > > I understand the theory i.e. AND operation to get the network part and
> > > > > X-OR for the wildcard. Now writing out all the networks in binary and
> > > > > doing the operations is time consuming and quite easy to make a mistake
> > > > > when under pressure.
> > > > >
> > > > > I have tried to work it out using the AND and X-OR functions on the MS
> > > > > calculator and whilst it works ok for the AND operation for multiple
> > > > > networks, it fails on the X-OR function as it does a comparison of two
> > > > > networks at a time.
> > > > >
> > > > > Has anybody worked out how to get the calculator to compare multiple
> > > > > numbers using the X-OR function?
> > > > >
> > > > > BTW it works for AND when using the networks in decimal format...-)
> > > > >
> > > > > If we crack this, it could potentially save us quite a bit of time.
> > > > >
> > > > > Regards,
> > > > > Elias
> > > > > PS - The equation for an X-OR gate (for those not familiar with it and
> > > > > may be interested) is:
> > > > > $Y = (A + B)\,\overline{AB}$
> > > > >
> > > > >
> > > >
> > _______________________________________________________________________
> > > > > Subscription information may be found at:
> > > > > http://www.groupstudy.com/list/CCIELab.html
> > > >
> > > >
> > > >
> > >
> > >
> > >
> > > --
> > > Regards,
> > >
> > >
> > > PhiL
> >
>
>

-- 
Regards,

PhiL
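Added worked example, not from any poster in this thread: the AND/X-OR
procedure Larry writes out in binary, done for any number of networks at once
(the multi-operand X-OR Elias was missing on the calculator is "OR together each
network XOR the common base"), plus an expansion step that lists every network a
single wildcard entry really matches, which is how you spot the kind of
over-match PhiL flagged (two networks folding into 0-7). Network addresses are
the thread's own; the function names and the `prefixlen` option are mine.

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _to_str(value: int) -> str:
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


def single_entry(networks: Iterable[str], prefixlen: Optional[int] = None) -> Tuple[str, str]:
    """Fold a list of network addresses into one 'address wildcard' ACL pair.

    base     = AND of every address (the bits all networks share)
    wildcard = OR of (address XOR base) for every address, i.e. every bit that
               differs in at least one network. Comparing each network against
               the common base, instead of pairwise, is what makes X-OR work
               for more than two operands.
    With prefixlen set (e.g. 24) the host bits are added to the wildcard so the
    entry matches host traffic (0.0.x.255); leave it None when filtering routing
    updates, where the last octet stays 0.
    """
    addrs = [_to_int(n) for n in networks]
    if not addrs:
        raise ValueError("need at least one network")
    base = addrs[0]
    for a in addrs[1:]:
        base &= a
    wildcard = 0
    for a in addrs:
        wildcard |= a ^ base
    if prefixlen is not None:
        host_bits = (1 << (32 - prefixlen)) - 1
        wildcard |= host_bits
        base &= ~host_bits
    return _to_str(base), _to_str(wildcard)


def expand(base: str, wildcard: str, max_bits: int = 12) -> List[str]:
    """Every address the entry matches, by walking all subsets of the wildcard's
    set bits. Refuses wildcards with more than max_bits 'don't care' bits since
    the result has 2**bits entries."""
    b, w = _to_int(base), _to_int(wildcard)
    if bin(w).count("1") > max_bits:
        raise ValueError("wildcard too wide to enumerate")
    b &= ~w  # only the bits where the wildcard is 0 are fixed by the entry
    out, sub = [], w
    while True:
        out.append(b | sub)
        if sub == 0:
            break
        sub = (sub - 1) & w  # next subset of the wildcard bits
    return [_to_str(v) for v in sorted(out)]


def unintended_matches(networks: Iterable[str]) -> List[str]:
    """Networks the folded entry matches beyond the ones requested: the
    overlap you must accept (or split into more entries) when one line is
    forced."""
    wanted = set(networks)
    base, wildcard = single_entry(wanted)
    return [n for n in expand(base, wildcard) if n not in wanted]


if __name__ == "__main__":
    # Larry's routing-table example: third octets 0-3 and 8-11
    larry = ["198.168.%d.0" % i for i in (0, 1, 2, 3, 8, 9, 10, 11)]
    print(single_entry(larry))                # ('198.168.0.0', '0.0.11.0')
    print(single_entry(larry, prefixlen=24))  # ('198.168.0.0', '0.0.11.255')
    # Larry's examples 2 and 3: two networks, one differing bit
    print(single_entry(["198.168.1.0", "198.168.5.0"]))  # ('198.168.1.0', '0.0.4.0')
    print(single_entry(["198.168.3.0", "198.168.7.0"]))  # ('198.168.3.0', '0.0.4.0')
    # Constructed over-match case: .1 and .6 share no low bits, so one entry
    # covers the whole 0-7 range and six networks you did not ask for
    print(unintended_matches(["10.0.1.0", "10.0.6.0"]))
```

Run it and compare the last line with PhiL's objection to Elias's example 1:
whenever `unintended_matches` is non-empty, a single line is only acceptable if
overlap does not matter for the filter you are building.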



This archive was generated by hypermail 2.1.4 : Sat Jul 01 2006 - 07:57:32 ART