FW: ACCESS-LIST

From: Ali Sheeraz Mehdi (ali.mehdi@atosorigin-me.com)
Date: Mon Dec 04 2006 - 15:29:16 ART


Since the XOR result of 0.6.0.8 has 3 high bit positions, the number of
overlapping addresses is 2^3 = 8. By binary transform it can easily be seen
that the two addresses which are also denied by the statement (51.1.0.1/0.6.0.8)
are 51.1.0.1 and 51.1.0.9.

 

I guess there can be two options (both have 3 statements) - [please correct
me if I am wrong]

1. access-list 1 deny 51.3.0.1 0.4.0.8
   access-list 1 deny 51.5.0.1 0.0.0.8
   access-list 1 permit any

2. access-list 1 permit 51.1.0.1 0.0.0.8
   access-list 1 deny 51.1.0.1 0.6.0.8
   access-list 1 permit any

Regards

Ali
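Added example, not written by any of the posters in this thread: a small Python script that carries out the AND/OR/XOR derivation behind the 51.1.0.1 0.6.0.8 entry, enumerates the 2^x addresses a wildcard mask covers (the quick check described further down the thread), and then evaluates each candidate access-list first-match against the six hosts from the original question to see which lists deny exactly those six and nothing else. The host list, the extra probe addresses and all function names are constructed for this example; the parser only understands the standard-ACL syntax that appears in the thread (address + wildcard, `host`, `any`) and the implicit deny at the end.

```python
import ipaddress
from itertools import product

# Constructed input: the six hosts from the original question in this thread.
TARGETS = ["51.3.0.1", "51.5.0.1", "51.7.0.1", "51.3.0.9", "51.5.0.9", "51.7.0.9"]

# The access-lists discussed in the thread, as they would be typed into IOS.
SINGLE_LINE = """
access-list 1 deny 51.1.0.1 0.6.0.8
access-list 1 permit any
"""
OPTION_1 = """
access-list 1 deny 51.3.0.1 0.4.0.8
access-list 1 deny 51.5.0.1 0.0.0.8
access-list 1 permit any
"""
OPTION_2 = """
access-list 1 permit 51.1.0.1 0.0.0.8
access-list 1 deny 51.1.0.1 0.6.0.8
access-list 1 permit any
"""

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def to_str(n):
    return str(ipaddress.IPv4Address(n))

def popcount(wildcard):
    """Number of don't-care bits; one entry matches exactly 2**popcount addresses."""
    return bin(to_int(wildcard)).count("1")

def single_entry(addrs):
    """The one address/wildcard pair that covers every address in addrs:
    address = AND of all, wildcard = AND XOR OR (the bits that differ across the set)."""
    ints = [to_int(a) for a in addrs]
    lo = hi = ints[0]
    for n in ints[1:]:
        lo &= n
        hi |= n
    return to_str(lo), to_str(lo ^ hi)

def expand(address, wildcard):
    """Every address matched by address/wildcard, i.e. 2**popcount(wildcard) of them."""
    wc = to_int(wildcard)
    base = to_int(address) & ~wc  # IOS zeroes the don't-care bits of the address
    bits = [1 << i for i in range(32) if (wc >> i) & 1]
    matched = set()
    for combo in product((0, 1), repeat=len(bits)):
        n = base
        for bit, on in zip(bits, combo):
            if on:
                n |= bit
        matched.add(to_str(n))
    return sorted(matched, key=to_int)

def matches(address, wildcard, candidate):
    """Cisco wildcard test: bits set to 1 in the wildcard are ignored in the comparison."""
    wc = to_int(wildcard)
    return (to_int(address) & ~wc) == (to_int(candidate) & ~wc)

def parse_acl(text):
    """'access-list <n> <permit|deny> <addr> [wildcard]', 'host <addr>' or 'any'
    -> list of (action, address, wildcard). Standard-ACL syntax only (an assumption)."""
    acl = []
    for line in text.strip().splitlines():
        parts = line.split()
        action, target = parts[2], parts[3]
        if target == "any":
            acl.append((action, "0.0.0.0", "255.255.255.255"))
        elif target == "host":
            acl.append((action, parts[4], "0.0.0.0"))
        else:
            acl.append((action, target, parts[4] if len(parts) > 4 else "0.0.0.0"))
    return acl

def evaluate_acl(acl, candidate):
    """First matching entry wins; a list with no match ends in the implicit deny."""
    for action, address, wildcard in acl:
        if matches(address, wildcard, candidate):
            return action
    return "deny"

def denied_set(acl_text, probes):
    """Which of the probe addresses the ACL denies, in address order."""
    acl = parse_acl(acl_text)
    return sorted((a for a in probes if evaluate_acl(acl, a) == "deny"), key=to_int)

# Constructed probe set: the 8 addresses the single entry covers, plus three
# neighbours that differ in a bit the 0.6.0.8 wildcard does not cover.
PROBES = expand("51.1.0.1", "0.6.0.8") + ["51.2.0.1", "51.3.0.2", "52.3.0.1"]

if __name__ == "__main__":
    addr, wc = single_entry(TARGETS)
    print(f"single entry: {addr} {wc} ({popcount(wc)} don't-care bits -> {2 ** popcount(wc)} hosts)")
    print("extra hosts it denies:", sorted(set(expand(addr, wc)) - set(TARGETS), key=to_int))
    for name, text in (("single line", SINGLE_LINE), ("option 1", OPTION_1), ("option 2", OPTION_2)):
        print(f"{name:12s} denies exactly the six: {set(denied_set(text, PROBES)) == set(TARGETS)}")
```

Running it shows the single 51.1.0.1 0.6.0.8 entry also catching 51.1.0.1 and 51.1.0.9, and both three-statement options denying exactly the six hosts. Swapping in 0.1.0.8 as the wildcard makes the same script show that that entry covers 51.0.0.x and 51.1.0.x only, none of the six. The probe set matters: a first-match checker only proves anything about the addresses you feed it, so include addresses just outside the intended range, not just the ones you want denied.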

 

 

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
VirtRack.com Mailing Lists
Sent: Monday, December 04, 2006 9:09 PM
To: ccielab@groupstudy.com
Subject: RE: ACCESS-LIST

As a quick check I think of it like this:

You will always match 2 possibilities with every single wildcard bit, so the
total number of networks matched is (2 ^ x) with x being the number of 1's
in the wildcard mask.

So a wildcard mask with only a single 1 in it will match only 2
possibilities.

With the case in question here, the proposed wildcard mask is: 0.6.0.8

In binary this is 00000000 00000110 00000000 00001000, showing 3 ones in
use. 2 ^ 3 = 8, so 8 networks will be matched, but the list shows only 6, so
it is not the right solution.

There is no 2 ^ x that results in 6, so the only choice is to use at least
two of them: (2^2) + (2^1) = 6 networks. Note that this does not guarantee
that the bits will fall on the right boundaries to use only two
statements; it just proves that we need at least two of them. There
is a possibility that a wildcard mask with 2 bits set to 1, combined with a
second statement with a single bit set to 1, can match a given 6 addresses.
In this particular case, the networks fall into the right spots to be
matched with 2 statements:

access-list 1 deny 51.3.0.1 0.4.0.8
access-list 1 deny 51.5.0.1 0.0.0.8
access-list 1 permit any (will allow rest of traffic to pass)


 On 12/4/06, Nick Griffin <nick.jon.griffin@gmail.com> wrote:
>
> Working through these in the lab is obviously the best, doing the binary
> math. If you get stuck, check here:
>
> http://www.boson.com/FreeUtilities.html the subnet calc is nice with the
> wildcard mask checker.
>
> On 12/4/06, VirtRack.com Mailing Lists <ciscolists@gmail.com> wrote:
>
> > Yes it will work, but it will deny 2 more addresses than just what was
> > listed, as I detailed before. If the requirements are for ONLY the listed
> > networks and nothing more, you will need to use more than one line to
> > match them:
> >
> > access-list 1 deny 51.3.0.1 0.4.0.8 (will catch the 51.3 and 51.7 networks)
> > access-list 1 deny 51.5.0.1 0.0.0.8 (will catch both of the 51.5 networks)
> > access-list 1 permit any (will allow rest of traffic to pass)
> >
> > On 12/4/06, Matemane, Walter <walter.matemane@liberty.co.za> wrote:
> > >
> > > AND = 51.1.0.1
> > > XOR = 0.6.0.8
> > > I think access-list 1 deny 51.1.0.1 0.6.0.8 will work.
> > >

> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > Scott Morris
> > > Sent: 04 December 2006 03:35 PM
> > > To: 'haducbinh'; deji500@hotmail.com; ccielab@groupstudy.com
> > > Subject: RE: ACCESS-LIST
> > >
> > > That would deny .0 and .1 in the first octet and would be rewritten as
> > > 51.0.0.1 0.1.0.8....
> > >
> > > HTH,
> > >
> > > Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713,
> > > JNCIE #153, CISSP, et al.
> > > CCSI/JNCI-M/JNCI-J
> > > IPExpert VP - Curriculum Development
> > > IPExpert Sr. Technical Instructor
> > > smorris@ipexpert.com
> > > http://www.ipexpert.com
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > haducbinh
> > > Sent: Monday, December 04, 2006 6:16 AM
> > > To: deji500@hotmail.com; ccielab@groupstudy.com
> > > Subject: RE: ACCESS-LIST
> > >
> > > You should use this ACL:
> > > access-list 1 deny 51.1.0.1 0.1.0.8
> > >
> > > HaDucBinh
> > > Mail: haducbinh@vnpro.org
> > > Phone: +84 908 191 322
> > > ---------------------------------------------------------------------------
> > > Vietnamese Professionals (VnPro)
> > > Cisco Authorised Training
> > > 149/1D Ung Van Khiem Street, Ward 25, Binh Thanh District, Ho Chi Minh City
> > > Tel: (08) 5124257 - (08) 5125314
> > > Fax: (08) 5124314
> > > Website: http://vnpro.vn
> > > Support Forum: http://vnpro.org
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > deji500@hotmail.com
> > > Sent: Sunday, December 03, 2006 6:09 PM
> > > To: ccielab@groupstudy.com
> > > Subject: ACCESS-LIST
> > >
> > > Hello group
> > >
> > > To match and deny the following IP addresses:
> > > 51.3.0.1
> > > 51.5.0.1
> > > 51.7.0.1
> > > 51.3.0.9
> > > 51.5.0.9
> > > 51.7.0.9
> > >
> > > will this access-list work?
> > > access-list 1 deny 51.1.0.1 0.6.0.8
> > >

> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html


-- 

Online rack rental and CCIE Forums at http://www.virtrack.com




This archive was generated by hypermail 2.1.4 : Tue Jan 02 2007 - 07:50:36 ART