From: Faryar Zabihi \(fzabihi\) (fzabihi@cisco.com)
Date: Sun Jun 04 2006 - 20:48:33 ART
You are matching .4 .5 .6 .7 as well with the one ACL...just FYI
Faryar
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
PhiL
Sent: Sunday, June 04, 2006 6:30 PM
To: Larry Chuon
Cc: Elias Chari; ccielab@groupstudy.com
Subject: Re: Most efficient ACL to match multiple networks - easier way?
Larry,
Actually, in your first example you can use only one ACL entry:
192.168.0.0
0.0.11.255
On 6/4/06, Larry Chuon <lchuon@gmail.com> wrote:
>
> I'm so bad at subnetting. Now, I sort of find a way that works for me.
> Let's say you have the following networks in your routing table:
> 198.168.0.0
> 198.168.1.0
> 198.168.2.0
> 198.168.3.0
> 198.168.8.0
> 198.168.9.0
> 198.168.10.0
> 198.168.11.0
>
> 1) use only two ACLs
> a) Look at the pattern 0-3 & 8-11 are complete binary sets which are
> two bits
> b) If you are uncomfortable with that, quickly write them out as
> such 00000000
> 00000001
> 00000010
> 00000011
> --------------
> 00001000
> 00001001
> 00001010
> 00001011
>
> Now look from right to left and find the most bits in common. In the
> above examples, I see the first two bits which add up to 3. Therefore
> the wildcard mask would be 0.0.3.255.
> c) if you AND the above binaries, you'll get 00000011. That is also 3.
>
> Now, take the base (0 and 8) and write them out such as 198.168.0.0
> 0.0.3.255 and 198.168.8.0 0.0.3.255. To practice, I would obtain an
> IP calculator and test out a whole bunch to ensure that my math is
> correct.
>
> 2) If you only want selective networks, the best way is to use AND and
> XOR.
> For example:
>
> I want only:
> 198.168.1.0
> 198.168.5.0
>
> convert the third octet to binary
> 00000001
> 00000101
> -------------
> 00000100 AND
> 00000000 invert the mask /24
> -------------
> 00000100 XOR which gives you 4 as wildcard mask
>
> Your ACL would look like this: 198.168.1.0 0.0.4.255
>
> 3) Let's say your mask is /24 and you want 3 and 7 network
> 00000011 base
> 00000111
> -------------
> 00000100 AND
> 00000000 invert the mask /24
> -------------
> 00000100 XOR which gives you 198.168.3.0 0.0.4.255
>
> Like I said, I used to have problems with this. If anybody finds any
> flaw, please let me know.
>
> Larry
>
> On 6/4/06, Elias Chari <elias.chari@gmail.com> wrote:
> >
> > Hi,
> >
> > Maybe the question's objective should be clearer. It was in the
> > context of filtering routing updates.
> >
> > (1) use one line acl to allow the networks (therefore does not
> > require .255 in the last octet as you are filtering on
> > routing updates and not host traffic)
> >
> > (2) Do not care about overlapping networks....
> >
> >
> > On 6/4/06, PhiL <theccie@gmail.com> wrote:
> > >
> > > Actually,
> > >
> > > In your Example 1 you are allowing third octets from 0 to 7 and
> > > this is more than the 2 subnets (54.1.1.0 and 150.1.6.0) you want to
> > > filter. In this case you would not use 1 line for both but you would
> > > need one entry for each of the networks. Also, your last octet
> > > wildcard should be 255 instead of 0 to allow/deny all the hosts
> > > (assuming the 2 original subnets are /24).
> > >
> > >
> > > On 6/4/06, Elias Chari <elias.chari@gmail.com > wrote:
> > > >
> > > > Faryar,
> > > >
> > > > It is not meant to solve all your acl scenarios, but if you get
> > > > 3 or 4 networks then it can get messy using binary. My brain works
> > > > better in decimal...-)
> > > >
> > > > In any case I worked it out using only decimal numbers, as per
> > > > my previous post.
> > > >
> > > > Regards,
> > > > Elias
> > > >
> > > >
> > > > On 6/4/06, Faryar Zabihi (fzabihi) < fzabihi@cisco.com> wrote:
> > > > >
> > > > > Way too complicated. Just think about the networks you need
> > > > > to include. See what octets you need to work on. Then the
> > > > > wildcard is just the difference in that octet (from first
> > > > > network to last). Make sure you can actually use one statement
> > > > > to do this. Sometimes you would need two blocks. Take the mcast
> > > > > range for example. How can you include all in one ACL?
> > > > > I have never run across too complicated of a scenario for this
> > > > > not to work, but you can definitely get an ugly one. Just make
> > > > > sure you think about it. Bit manipulation can be a biotch and
> > > > > time consuming as you pointed out.
> > > > > This probably doesn't make sense..but it has worked for me
> > > > > every time...well I did fail the lab but I don't think it was
> > > > > ACLs
> > > > >
> > > > > Faryar
> > > > >
> > > > >
> > > > > -----Original Message-----
> > > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
> > > > > Behalf Of elias.chari@gmail.com
> > > > > Sent: Sunday, June 04, 2006 12:29 PM
> > > > > To: ccielab@groupstudy.com
> > > > > Subject: Most efficient ACL to match multiple networks -
> > > > > easier way?
> > > > >
> > > > > Hi Group,
> > > > >
> > > > > I guess you have all come across a requirement to match
> > > > > multiple networks with a one line ACL.
> > > > >
> > > > > I understand the theory i.e AND operation to get the network
> > > > > part and X-OR for the wildcard. Now writing out all the networks
> > > > > in binary and doing the operations is time consuming and quite
> > > > > easy to make a mistake when under pressure.
> > > > >
> > > > > I have tried to work it out using the AND and X-OR functions
> > > > > on the MS calculator and whilst it works ok for the AND operation
> > > > > for multiple networks, it fails on the X-OR function as it does a
> > > > > comparison of two networks at a time.
> > > > >
> > > > > Has anybody worked out how to get the calculator to compare
> > > > > multiple numbers using the X-OR function?
> > > > >
> > > > > BTW it works for AND when using the networks in decimal
> > > > > format...-)
> > > > >
> > > > > If we crack this, it could potentially save us quite a bit of
> > > > > time.
> > > > >
> > > > > Regards,
> > > > > Elias
> > > > > PS - The equation for an X-OR gate (for those not familiar
> > > > > with it and may be interested) is:
> > > > > Y = (A+B) * NOT(AB)
> > > > >
> > > > >
> > > > >
> > > > > _______________________________________________________________________
> > > > > Subscription information may be found at:
> > > > > http://www.groupstudy.com/list/CCIELab.html
> > > >
> > > >
> > > >
> > >
> > >
> > >
> > > --
> > > Regards,
> > >
> > >
> > > PhiL
> >
>
>
--
Regards,
PhiL
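Editor's note, added to this archived thread and not written by any of the posters: the arithmetic the thread keeps returning to (AND every network to get the base, XOR each network against that base and OR the results to get the wildcard) takes any number of operands when done in a few lines of Python, which is the part the MS calculator could not do. The script below does that for a list of network addresses and then enumerates every network the resulting single ACL line actually matches, so any extra networks the line lets through (the concern raised twice in the thread) are listed before the line goes on a router. The function names are mine; the inputs are the 198.168.x.0 networks from the thread and the multicast range mentioned as a hard case; it assumes all listed networks share one prefix length.

```python
"""
Single-line wildcard-mask summaries as computed in the thread:
  base     = AND of all network addresses   (bits every network shares)
  wildcard = OR of (network XOR base)       (bits that differ somewhere)
followed by an enumeration of every network the line matches, so an
overmatch (networks you did not ask for) is visible before use.
Function names are the editor's own, not from the thread.
"""
import ipaddress
from itertools import product


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def _to_str(value):
    return str(ipaddress.IPv4Address(value))


def wildcard_summary(networks, prefixlen=24, match_hosts=True):
    """Tightest (base, wildcard) pair covering every network in `networks`.

    networks    -- network addresses with host bits zero, e.g. "198.168.8.0"
    prefixlen   -- prefix length shared by all the networks (assumption)
    match_hosts -- True: open the host bits too (0.0.x.255 style, traffic
                   ACL); False: leave them closed (0.0.x.0 style, as for a
                   distribute-list that matches routing updates)
    """
    ints = [_to_int(n) for n in networks]
    base = ints[0]
    for x in ints[1:]:
        base &= x                      # multi-operand AND
    wildcard = 0
    for x in ints:
        wildcard |= x ^ base           # XOR against the base, OR'ed together
    if match_hosts:
        wildcard |= (1 << (32 - prefixlen)) - 1
    return _to_str(base), _to_str(wildcard)


def matched_networks(base, wildcard, prefixlen=24):
    """Every /prefixlen network address that the line `base wildcard` matches."""
    b, w = _to_int(base), _to_int(wildcard)
    host_bits = 32 - prefixlen
    # wildcard bits inside the prefix are the ones allowed to vary
    free = [i for i in range(host_bits, 32) if (w >> i) & 1]
    fixed = b & ~w & 0xFFFFFFFF        # bits the line pins down
    found = set()
    for bits in product((0, 1), repeat=len(free)):
        x = fixed
        for shift, bit in zip(free, bits):
            if bit:
                x |= 1 << shift
        found.add(x)
    return [_to_str(x) for x in sorted(found)]


def overmatch(networks, prefixlen=24, match_hosts=True):
    """Return (base, wildcard, extras); extras are matched networks not in `networks`."""
    base, wildcard = wildcard_summary(networks, prefixlen, match_hosts)
    wanted = {_to_int(n) for n in networks}
    extras = [n for n in matched_networks(base, wildcard, prefixlen)
              if _to_int(n) not in wanted]
    return base, wildcard, extras


if __name__ == "__main__":
    # constructed inputs: the networks discussed in the thread
    examples = {
        "thread example 1": ["198.168.%d.0" % o for o in (0, 1, 2, 3, 8, 9, 10, 11)],
        "thread example 2": ["198.168.1.0", "198.168.5.0"],
        "thread example 3": ["198.168.3.0", "198.168.7.0"],
        "1, 2 and 4 (not a clean binary block)": ["198.168.1.0", "198.168.2.0", "198.168.4.0"],
    }
    for label, nets in examples.items():
        base, wc, extras = overmatch(nets)
        print("%s: permit %s %s" % (label, base, wc))
        print("   extra networks matched:", extras or "none")
    base, wc, extras = overmatch(["224.0.0.0", "239.0.0.0"], prefixlen=8)
    print("multicast /8s 224 and 239: permit %s %s (%d extra /8s)" % (base, wc, len(extras)))
```

Running it shows that the eight networks in the first example collapse to one line, 198.168.0.0 0.0.11.255, with no extra /24 matched, that 1 and 5 (and 3 and 7) each give a 0.0.4.255 line, and that summarising 1, 2 and 4 into a single line pulls in 0, 3, 5, 6 and 7 as well, which is the overmatch case where you need more than one entry. Passing match_hosts=False gives the 0.0.x.0 form for filtering routing updates.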
This archive was generated by hypermail 2.1.4 : Sat Jul 01 2006 - 07:57:32 ART