From: Eric Dobyns (eric_dobyns@yahoo.com)
Date: Thu Oct 11 2007 - 20:26:36 ART
Question doesn't allow deny statements. Only permits.
-----Original Message-----
From: Kenta Watai [mailto:kkwatai@gmail.com]
Sent: Thursday, October 11, 2007 6:21 PM
To: Eric Dobyns
Cc: 'Clay K Auch (clauch)'; 'Joseph Brunner'; 'Cisco certification'
Subject: Re: help with complex wildcard masks
Catch the exceptions first and then whack it.
deny 10.0.0.0 0.0.0.255
permit 10.248.0.0 0.0.0.255
deny 10.248.0.0 0.7.255.255
permit 10.0.0.0 0.255.255.255
Please comment.
Thank you
Kenta
Eric Dobyns wrote:
> Taking a stab at it... someone sing out if they have a better idea...
>
> You first want to permit 10.1.0.0/16 - 10.20.0.0/16
>
> Permit ip 10.1.0.0 0.0.255.255 (permits 10.1.0.0/16)
> Permit ip 10.2.0.0 0.1.255.255 (permits 10.2.0.0/16 - 10.3.0.0/16)
> Permit ip 10.4.0.0 0.3.255.255 (permits 10.4.0.0/16 - 10.7.0.0/16)
> Permit ip 10.8.0.0 0.7.255.255 (permits 10.8.0.0/16 - 10.15.0.0/16)
> Permit ip 10.16.0.0 0.3.255.255 (permits 10.16.0.0/16 - 10.19.0.0/16)
> Permit ip 10.20.0.0 0.0.255.255 (permits 10.20.0.0/16)
>
> The first part would have been easier if they had allowed 10.0.0.0/16 to be
> permitted, but since they said start with 10.1.0.0/24, it got more tricky.
>
> Part 2 is the 10.21.0.0/16 subnet, minus 10.21.1.0/24.
>
> Permit ip 10.21.0.0 0.0.0.255 (permits 10.21.0.0/24)
> Permit ip 10.21.2.0 0.0.1.255 (permits 10.21.2-3.0/24)
> Permit ip 10.21.4.0 0.0.3.255 (permits 10.21.4-7.0/24)
> Permit ip 10.21.8.0 0.0.7.255 (permits 10.21.8-15.0/24)
> Permit ip 10.21.16.0 0.0.15.255 (permits 10.21.16-31.0/24)
> Permit ip 10.21.32.0 0.0.31.255 (permits 10.21.32-63.0/24)
> Permit ip 10.21.64.0 0.0.63.255 (permits 10.21.64-127.0/24)
> Permit ip 10.21.128.0 0.0.127.255 (permits 10.21.128-255.0/24)
>
> Part 3 is the 10.22.0.0/16 - 10.127.0.0/16
>
> Permit ip 10.22.0.0 0.0.1.255 (permits 10.22.0.0/16 and 10.23.0.0/16)
> Permit ip 10.24.0.0 0.0.7.255 (permits 10.24.0.0/16 through 10.31.0.0/16)
> Permit ip 10.32.0.0 0.0.31.255 (permits 10.32.0.0/16 through 10.63.0.0/16)
> Permit ip 10.64.0.0 0.0.63.255 (permits 10.64.0.0/16 through 10.127.0.0/16)
>
> Part 4 is the first subnets of 10.128.0.0/16
> Permit ip 10.128.0.0 0.0.15.255 (permits 10.128.0.0/24 through
> 10.128.15.0/24)
> Permit ip 10.128.16.0 0.0.0.255 (permits 10.128.16.0/24)
>
>
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Clay
> K Auch (clauch)
> Sent: Thursday, October 11, 2007 3:18 PM
> To: Joseph Brunner; Cisco certification
> Subject: RE: help with complex wildcard masks
>
> Hey man,
>
> Did you ever figure out that wildcard problem from about a week or so back?
>
> Clay
>
> -----Original Message-----
> From: Joseph Brunner [mailto:joe@affirmedsystems.com]
> Sent: Monday, October 01, 2007 10:50 PM
> To: Clay K Auch (clauch); 'Cisco certification'
> Subject: RE: help with complex wildcard masks
>
> I agree, I was referring to that link when I said I knew how to do those
> tasks in that link.
>
> This link has not yet yielded a strategy to tackle questions like this one...
>
> "Permit 10.1.0.0/24 through 10.128.16.0/24. Do not permit 10.21.1.0/24. Do
> not use any deny statements. Use as few lines as possible, yada yada yada."
>
> See?
>
> Help :(
>
> -----Original Message-----
> From: Clay K Auch (clauch) [mailto:clauch@cisco.com]
> Sent: Monday, October 01, 2007 10:49 PM
> To: Joseph Brunner; Cisco certification
> Subject: RE: help with complex wildcard masks
>
>
> Hello Joseph,
>
> I highly recommend this link below. They have laid out the information in
> such a way that allows you to understand it by the end of the read.
>
> http://www.internetworkexpert.com/resources/01700370.htm
>
> Enjoy!
>
> Clay
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Joseph Brunner
> Sent: Monday, October 01, 2007 9:08 PM
> To: 'Cisco certification'
> Subject: help with complex wildcard masks
>
> Good evening (or morning/afternoon if you are east of ZULU time),
>
>
>
> I was wondering if someone can point me to a good source of information for
> calculating complex wild card masks. I'm very fast/accurate at
> anding/xoring a few IP addresses and coming up with an IP address and a
> discontinuous-ones wild card mask to permit several addresses on one acl
> line thanks to the Brians's nice paper we all see here often. I'm more
> interested in things like this.
>
>
>
> Match 10.0.1.0/24 through 10.248.0.0/24 in as few acl lines as possible.
>
>
>
> What is the trick to calculation of the wild card masks? I often see weird
> answers here and there that won't match a few subnets from that group (say
> 3), then they bundle them in to make 4 or 5 lines to solve the above
> question.
>
>
>
> I would really appreciate some direction here.
>
>
>
> Thanks,
>
>
>
> Joseph Brunner
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Fri Nov 16 2007 - 13:11:14 ART
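
An added example, not part of any message in this thread: a small checker that applies first-match wildcard-mask evaluation to a list of entries and reports which /24s in 10.0.0.0/8 are missing or over-permitted against a wanted range. The function names are hypothetical, and it assumes the /24 is the unit of interest, so an entry whose wildcard does not cover the whole last octet is ignored.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def parse(acl_text):
    """Parse 'permit|deny [ip] ADDRESS WILDCARD' lines into (action, addr, wildcard)."""
    rules = []
    for line in acl_text.strip().splitlines():
        f = [w for w in line.lower().split() if w != "ip"]
        rules.append((f[0], ip(f[1]), ip(f[2])))
    return rules

def action_for(rules, net24):
    """First-match verdict for a whole /24; falls through to the implicit deny."""
    for action, addr, wc in rules:
        care = ~wc & 0xFFFFFFFF  # bits the entry actually compares
        if (wc & 0xFF) == 0xFF and ((net24 ^ addr) & care) == 0:
            return action
    return "deny"

def audit(rules, first, last, excluded=()):
    """Return (missing, extra) /24s inside 10.0.0.0/8 versus the wanted range."""
    wanted = set(range(ip(first), ip(last) + 1, 256)) - {ip(e) for e in excluded}
    missing, extra = [], []
    for net in range(ip("10.0.0.0"), ip("10.255.255.0") + 1, 256):
        permitted = action_for(rules, net) == "permit"
        if permitted != (net in wanted):
            (extra if permitted else missing).append(str(ipaddress.IPv4Address(net)))
    return missing, extra

# Entries copied from the thread: the deny/permit list and the "Part 2" permit-only list.
DENY_FIRST = """deny 10.0.0.0 0.0.0.255
permit 10.248.0.0 0.0.0.255
deny 10.248.0.0 0.7.255.255
permit 10.0.0.0 0.255.255.255"""
PART2 = """Permit ip 10.21.0.0 0.0.0.255
Permit ip 10.21.2.0 0.0.1.255
Permit ip 10.21.4.0 0.0.3.255
Permit ip 10.21.8.0 0.0.7.255
Permit ip 10.21.16.0 0.0.15.255
Permit ip 10.21.32.0 0.0.31.255
Permit ip 10.21.64.0 0.0.63.255
Permit ip 10.21.128.0 0.0.127.255"""

if __name__ == "__main__":
    print(audit(parse(DENY_FIRST), "10.0.1.0", "10.248.0.0"))
    print(audit(parse(PART2), "10.21.0.0", "10.21.255.0", excluded=["10.21.1.0"]))
```

An empty `missing` list and an empty `extra` list mean the entries permit exactly the wanted /24s; the same call can be pointed at any other set of lines and range.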