Re: ACL and Wildcard

From: Rob Clav <robclav_at_gmail.com>
Date: Fri, 10 Jun 2011 00:01:39 +0200

You're right, the requirement to match "only" means two ACLs. These kinds of
appreciations will drive you to your number ;)
Look for these tricky questions...

2011/6/9 David W. Anderson Jr. <ccie.miami_at_gmail.com>

> Hi Rob,
>
> Forgot to copy the group :-)
>
> The requirement is to match "only" those networks with the minimum number
> of statements. I initially understood it to mean "1" acl. But taking it
> literally and verifying it against the answer key, "2" acl statements would
> be allowed. Thanks for the reply.
>
> On Tue, Jun 7, 2011 at 7:06 PM, Rob Clav <robclav_at_gmail.com> wrote:
>
>> Hi David,
>> if you are required to use one without more conditions, then you can
>> even use 128.0.0.0 0.255.255.255.
>> As a second reflection, why do you say you are not matching both classes?
>> You do.
>> Robclav
>>
>>
>>
>> 2011/6/4 David W. Anderson Jr. <ccie.miami_at_gmail.com>
>>
>>> Greetings Experts,
>>>
>>> I have an issue with ACLs and Wildcard matching. I have read Brian's INE
>>> explanation of how to calculate them (http://www.ine.com/resources/01700370.htm)
>>> and have used it often with no issue. However, I was working on a problem
>>> yesterday and was not getting a complete match as I expected. See below:
>>>
>>>
>>> Advertised networks
>>> 170.18.105.0
>>> 192.80.4.0
>>> 192.88.4.0
>>> 192.80.1.0
>>> 192.88.1.0
>>> 192.80.2.0
>>> 192.88.2.0
>>> 192.80.3.0
>>> 192.88.3.0
>>>
>>> Nets to match:
>>> Net 1 - 192.80.2.0
>>> Net 2 - 192.80.3.0
>>> Net 3 - 192.88.2.0
>>> Net 4 - 192.88.3.0
>>> Net 5 - 170.18.105.0
>>>
>>>
>>>
>>> Net 1 - 1 1 0 0 0 0 0 0 . 0 1 0 1 0 0 0 0 . 0 0 0 0 0 0 1 0 . 0 0 0 0 0 0 0 0
>>> Net 2 - 1 1 0 0 0 0 0 0 . 0 1 0 1 0 0 0 0 . 0 0 0 0 0 0 1 1 . 0 0 0 0 0 0 0 0
>>> Net 3 - 1 1 0 0 0 0 0 0 . 0 1 0 1 1 0 0 0 . 0 0 0 0 0 0 1 0 . 0 0 0 0 0 0 0 0
>>> Net 4 - 1 1 0 0 0 0 0 0 . 0 1 0 1 1 0 0 0 . 0 0 0 0 0 0 1 1 . 0 0 0 0 0 0 0 0
>>> Net 5 - 1 0 1 0 1 0 1 0 . 0 0 0 1 0 0 1 0 . 0 1 1 0 1 0 0 1 . 0 0 0 0 0 0 0 0
>>> AND     1 0 0 0 0 0 0 0   0 0 0 1 0 0 0 0   0 0 0 0 0 0 0 0   0 0 0 0 0 0 0 0   128.16.0.0
>>>
>>>
>>> Net 1 - 1 1 0 0 0 0 0 0 . 0 1 0 1 0 0 0 0 . 0 0 0 0 0 0 1 0 . 0 0 0 0 0 0 0 0
>>> Net 2 - 1 1 0 0 0 0 0 0 . 0 1 0 1 0 0 0 0 . 0 0 0 0 0 0 1 1 . 0 0 0 0 0 0 0 0
>>> Net 3 - 1 1 0 0 0 0 0 0 . 0 1 0 1 1 0 0 0 . 0 0 0 0 0 0 1 0 . 0 0 0 0 0 0 0 0
>>> Net 4 - 1 1 0 0 0 0 0 0 . 0 1 0 1 1 0 0 0 . 0 0 0 0 0 0 1 1 . 0 0 0 0 0 0 0 0
>>> Net 5 - 1 0 1 0 1 0 1 0 . 0 0 0 1 0 0 1 0 . 0 1 1 0 1 0 0 1 . 0 0 0 0 0 0 0 0
>>> XOR     0 1 1 0 1 0 1 0   0 1 0 0 1 0 1 0   0 1 1 0 1 0 1 1   0 0 0 0 0 0 0 0   106.74.107.255
>>>
>>> So the ACL I apply is access-list 10 permit 128.16.0.0 106.74.107.255
>>>
>>> The problem I am having is that the 192.80.1.0 and 192.88.1.0 networks are
>>> slipping through. Am I miscalculating something or are you not able to match
>>> different classes of addresses using this method? I'm pretty sure I've
>>> matched Class B and C before. BTW, the answer key is using two separate
>>> lines to get the desired results. I thought I would be able to use just one.
>>> I hope I've explained this clearly. Any guidance would be appreciated.
>>> Thanks.
>>>
>>> --
>>>
>>> David
>>> ccie.miami_at_gmail.com
>>> Lab Date 7/7/11 (Hopefully that date is a lucky one!)
>>>
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>
>>
>> --
>> Robert Clavero
>> CCIE RS/wr, CCNP, CCSP, CCSE NGX, SCSA 9, WLFES, BNP y JNCIA WX
>> blog:http://robclavbcn.blogspot.com
>>
>> web:http://www.kubsolutions.com
>>
>>
>
>
> --
>
> David
> ccie.miami_at_gmail.com
> Lab Date 7/7/11 (Hopefully that date is a lucky one!)
>
>

-- 
Robert Clavero
CCIE RS/wr, CCNP, CCSP, CCSE NGX, SCSA 9, WLFES, BNP y JNCIA WX
blog:http://robclavbcn.blogspot.com
 web:http://www.kubsolutions.com
Received on Fri Jun 10 2011 - 00:01:39 ART
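
An added example, not part of the original thread: a Python check of the AND/XOR calculation from David's question against the advertised list, reporting how many /24 networks the resulting entry covers and which unwanted advertised networks it also permits. The function names are illustrative, and the second call groups the four 192.x networks on their own as a constructed split, not the answer key's lines.

```python
import ipaddress
from functools import reduce

# Values taken from the thread.
ADVERTISED = ["170.18.105.0", "192.80.4.0", "192.88.4.0", "192.80.1.0", "192.88.1.0",
              "192.80.2.0", "192.88.2.0", "192.80.3.0", "192.88.3.0"]
WANTED = ["192.80.2.0", "192.80.3.0", "192.88.2.0", "192.88.3.0", "170.18.105.0"]
HOST_BITS = 0x000000FF  # last octet is always "don't care" for these /24 networks


def to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def dotted(value):
    return str(ipaddress.IPv4Address(value))


def and_xor_wildcard(nets):
    """AND of all networks gives the base; bits that differ anywhere give the wildcard."""
    values = [to_int(n) for n in nets]
    base = reduce(lambda a, b: a & b, values)
    differing = reduce(lambda a, b: a | b, values) ^ base
    return dotted(base), dotted(differing | HOST_BITS)


def acl_permits(addr, base, wildcard):
    """Wildcard match: compare only the bit positions where the wildcard is 0."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)


def audit(wanted, advertised):
    """Return the entry, the number of /24s it covers, and unwanted advertised matches."""
    base, wildcard = and_xor_wildcard(wanted)
    covered = 2 ** bin(to_int(wildcard) >> 8).count("1")  # wildcard bits above the host octet
    leaked = [n for n in advertised if n not in wanted and acl_permits(n, base, wildcard)]
    return base, wildcard, covered, leaked


if __name__ == "__main__":
    print(audit(WANTED, ADVERTISED))      # one statement for all five networks
    print(audit(WANTED[:4], ADVERTISED))  # constructed split: the four 192.x networks alone
```

An entry built this way permits every combination of its wildcard bits, so it matches "only" the intended networks when the number of combinations equals the number of networks fed in.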
