Greetings Experts,
I have an issue with ACLs and Wildcard matching. I have read Brian's INE
explanation of how to calculate them (
http://www.ine.com/resources/01700370.htm) and have used it often with no
issue. However, I was working on a problem yesterday and was not getting a
complete match as I expected. See below:
Advertised networks
170.18.105.0
192.80.4.0
192.88.4.0
192.80.1.0
192.88.1.0
192.80.2.0
192.88.2.0
192.80.3.0
192.88.3.0
Nets to match:
Net 1 - 192.80.2.0
Net 2 - 192.80.3.0
Net 3 - 192.88.2.0
Net 4 - 192.88.3.0
Net 5 - 170.18.105.0
Net 1 - 1 1 0 0 0 0 0 0 . 0 1 0 1 0 0 0 0 . 0 0 0 0 0 0 1 0 . 0 0 0 0 0 0 0 0
Net 2 - 1 1 0 0 0 0 0 0 . 0 1 0 1 0 0 0 0 . 0 0 0 0 0 0 1 1 . 0 0 0 0 0 0 0 0
Net 3 - 1 1 0 0 0 0 0 0 . 0 1 0 1 1 0 0 0 . 0 0 0 0 0 0 1 0 . 0 0 0 0 0 0 0 0
Net 4 - 1 1 0 0 0 0 0 0 . 0 1 0 1 1 0 0 0 . 0 0 0 0 0 0 1 1 . 0 0 0 0 0 0 0 0
Net 5 - 1 0 1 0 1 0 1 0 . 0 0 0 1 0 0 1 0 . 0 1 1 0 1 0 0 1 . 0 0 0 0 0 0 0 0
AND   - 1 0 0 0 0 0 0 0 . 0 0 0 1 0 0 0 0 . 0 0 0 0 0 0 0 0 . 0 0 0 0 0 0 0 0   128.16.0.0
Net 1 - 1 1 0 0 0 0 0 0 . 0 1 0 1 0 0 0 0 . 0 0 0 0 0 0 1 0 . 0 0 0 0 0 0 0 0
Net 2 - 1 1 0 0 0 0 0 0 . 0 1 0 1 0 0 0 0 . 0 0 0 0 0 0 1 1 . 0 0 0 0 0 0 0 0
Net 3 - 1 1 0 0 0 0 0 0 . 0 1 0 1 1 0 0 0 . 0 0 0 0 0 0 1 0 . 0 0 0 0 0 0 0 0
Net 4 - 1 1 0 0 0 0 0 0 . 0 1 0 1 1 0 0 0 . 0 0 0 0 0 0 1 1 . 0 0 0 0 0 0 0 0
Net 5 - 1 0 1 0 1 0 1 0 . 0 0 0 1 0 0 1 0 . 0 1 1 0 1 0 0 1 . 0 0 0 0 0 0 0 0
XOR   - 0 1 1 0 1 0 1 0 . 0 1 0 0 1 0 1 0 . 0 1 1 0 1 0 1 1 . 0 0 0 0 0 0 0 0   106.74.107.255
So the ACL I apply is access-list 10 permit 128.16.0.0 106.74.107.255
The problem I am having is that the 192.80.1.0 and 192.88.1.0 networks are
slipping through. Am I miscalculating something or are you not able to match
different classes of addresses using this method? I'm pretty sure I've
matched Class B and C before. BTW, the answer key is using two separate
lines to get the desired results. I thought I would be able to use just one.
I hope I've explained this clearly. Any guidance would be appreciated.
Thanks.
--
David
ccie.miami_at_gmail.com
Lab Date 7/7/11 (Hopefully that date is a lucky one!)
Blogs and organic groups at http://www.ccie.net
Received on Sat Jun 04 2011 - 12:26:39 ART
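
Added example, not part of David's message: a Python check that recomputes the AND row and the differing-bits row for the five wanted networks, then tests every advertised network against the posted entry `128.16.0.0 106.74.107.255` with the usual wildcard comparison. The function names are the example's own, and reading the "XOR" row as "bit positions where the addresses are not all equal" is an assumption.

```python
import ipaddress

# Values copied from the post.
ADVERTISED = ["170.18.105.0", "192.80.4.0", "192.88.4.0", "192.80.1.0",
              "192.88.1.0", "192.80.2.0", "192.88.2.0", "192.80.3.0",
              "192.88.3.0"]
WANTED = ["192.80.2.0", "192.80.3.0", "192.88.2.0", "192.88.3.0",
          "170.18.105.0"]
ACL_BASE, ACL_WILDCARD = "128.16.0.0", "106.74.107.255"  # access-list 10

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def to_str(value):
    return str(ipaddress.IPv4Address(value))

def summarize(nets):
    """AND row and differing-bits row for a set of addresses.

    Assumption: the post's "XOR" row is read as "bit positions where the
    addresses are not all equal", i.e. OR of all addresses minus their AND.
    """
    all_and, all_or = 0xFFFFFFFF, 0
    for n in map(to_int, nets):
        all_and &= n
        all_or |= n
    return to_str(all_and), to_str(all_or & ~all_and & 0xFFFFFFFF)

def acl_matches(addr, base, wildcard):
    """Standard ACL test: only bits that are 0 in the wildcard are compared."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)

def matched(nets, base=ACL_BASE, wildcard=ACL_WILDCARD):
    return [n for n in nets if acl_matches(n, base, wildcard)]

def unintended(nets=ADVERTISED, wanted=WANTED):
    return [n for n in matched(nets) if n not in wanted]

def networks_covered(wildcard, prefix_len=24):
    """How many distinct /prefix_len networks one entry permits: 2**k for
    k don't-care bits inside the network portion."""
    net_bits = to_int(wildcard) >> (32 - prefix_len)
    return 2 ** bin(net_bits).count("1")

if __name__ == "__main__":
    print("AND / differing bits:", summarize(WANTED))
    print("matched:", matched(ADVERTISED))
    print("unintended:", unintended())
    print("/24s covered:", networks_covered(ACL_WILDCARD))
```

The posted wildcard leaves 12 bits of the first three octets uncompared, so the one entry permits 4096 different /24 networks; any advertised route that agrees on the remaining compared bits passes along with the five intended ones.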