RE: Not so dumb ACL question

From: Gustavo Novais (gustavo.novais@novabase.pt)
Date: Wed Jul 20 2005 - 09:59:00 GMT-3


Thank you!

I sent this email yesterday at 1 AM and I wasn't thinking straight (work
plus study plus etc...) ... This morning the answer seemed obvious... The
first statement is related to (as I said) third bytes 3 and 11, and the
second is simply a match for third byte 14 (00001110, which XORed with
itself is (yes, you guessed it) 00000000).

Reviewing what I wrote, the question remains how much is too much...
Is a single one good even if it is not as specific? (I'm matching 8
possibilities (3 bits on the mask), although there are only six
possibilities asked.) Or should I try to be as specific as possible even
if it means more statements...?

The requirement was to deny access to these networks... It didn't state
anything (if I remember well) about allowing access to the other
networks. Specifically the networks that are overlapped with the one
ACL.

So I don't know... What is the correct approach? (At IPexpert they say
(and very well in my opinion) that there are several ways of doing
something...) The issue is which way the guy who is correcting the
lab likes best?

Thanks

Gustavo

-----Original Message-----
From: John Matus [mailto:jmatus@pacbell.net]
Sent: Wednesday, 20 July 2005 7:38
To: Gustavo Novais; lab
Subject: Re: Not so dumb ACL question

Gustavo,
I could explain it the way I do it, but it is probably wrong in theory,
but in practice it has worked for me. You want as few ACLs as
possible....<did they say few, or 2?>
> 168.192.3.0/24
> 168.192.11.0/24
> 168.192.14.0/24
> 168.208.3.0/24
> 168.208.11.0/24
> 168.208.14.0/24

What you want to do is look for patterns in the IP addresses, or
similarities.
OK, look at the 2nd octet in the first IP address....192.3. You also
have a .208.3. 208-192=16, so your mask would be 16 for the second
octet....... Looking at the 3rd octet, you can filter all addresses
between .3 and .11 by using the mask .7 since 11-3=8.
So the first ACL would be 168.192.3.0 0.16.3.255. Now you just have
192.14 and 208.14 left. 208-192=16, and 14-14=0,
so the second ACL would be 168.192.14.0 0.16.0.255. It's just
simple adding and subtracting of the IP addresses. I'm guessing you
could have a different answer if you decided to filter the .192.3 with
the 208.3, and then the range of addresses between 192.11-14, and
208.11-14........so this would be 168.192.3.0 0.16.0.255 168.192.11.0
0.16.3.255

At least this is the way I do it. The super CCIEs of the group would
probably scoff at this approach for obvious reasons, but hey, if it
works.....

Regards,

John D. Matus
MCSE, CCNP
Office: 818-782-2061
Cell: 818-430-8372
jmatus@pacbell.net
----- Original Message -----
From: "Gustavo Novais" <gustavo.novais@novabase.pt>
To: "lab" <ccielab@groupstudy.com>
Sent: Tuesday, July 19, 2005 5:23 PM
Subject: Not so dumb ACL question

> Hello
>
> One of those wonderful ACL questions. It came on IPexpert Lab23. I
> didn't understand how they reached their results...
>
> Purpose: as few lines as possible, deny hosts on networks:
> 168.192.3.0/24
> 168.192.11.0/24
> 168.192.14.0/24
> 168.208.3.0/24
> 168.208.11.0/24
> 168.208.14.0/24
>
> Being that 192 is (b) 11000000 , 208 is (192+16) (b)11010000, 14 is
> (8+4+2) (b)00001110, 11 (8+2+1) (b) 00001011 and 3 (b) 00000011
>
> I did the following according to IE doc on ACL
>
> Second Byte
> 192 208
> NET = AND (11000000, 11010000) = 11000000 -> (d)192
> MASK = XOR (11000000, 11010000) = 00010000 ->(d)16
>
> No problem here.
>
> Third Byte
> I thought that we could try and mix all three networks so
> 14 11 3
> NET=AND ( 00001110, 00001011, 00000011) = 00000010 = (d) 2
> MASK =XOR (00001110, 00001011, 00000011) = 00001101 = (d) 13
>
> Leading to the result of ACL being 168.192.2.0 mask 0.16.13.255
>
> Their result was on two lines 168.192.3.0 MASK 0.16.8.255
> 168.192.14.0 MASK 0.16.0.255
>
> I tried mix and match to see how they got there, but I only got
> confused... I understood that the first statement was derived by
> mixing third bytes 3 and 11 but I didn't understand the second
> statement...
>
> Perhaps my brain just refuses to work, but please could anyone explain
> to me why my solution isn't correct, for a LAB? (too much overlapping?)
>
> TIA
>
> Gustavo
>
>
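
As an added worked example (not from the thread, IPexpert or either poster), the Python below reproduces the single-line AND/"bits that differ" summary from the original question and then expands any list of address/wildcard pairs to show which of the six required /24s an ACL misses and which unrequested /24s it also matches. REQUIRED holds the networks from the question; the two-line answer is the one quoted in the thread.

```python
import ipaddress
from itertools import product

# The six /24 networks from the original question.
REQUIRED = [
    "168.192.3.0/24", "168.192.11.0/24", "168.192.14.0/24",
    "168.208.3.0/24", "168.208.11.0/24", "168.208.14.0/24",
]

def summarize(cidrs):
    """One ACL line covering every network: AND the addresses for the base,
    and set a wildcard bit wherever the addresses are not all identical
    (plus the host bits of each prefix)."""
    nets = [ipaddress.IPv4Network(c) for c in cidrs]
    base = int(nets[0].network_address)
    for n in nets[1:]:
        base &= int(n.network_address)
    wild = 0
    for n in nets:
        wild |= (int(n.network_address) ^ base) | int(n.hostmask)
    return str(ipaddress.IPv4Address(base)), str(ipaddress.IPv4Address(wild))

def acl_hits(entry):
    """Expand an (address, wildcard) pair into the set of addresses it matches."""
    addr, wild = (int(ipaddress.IPv4Address(x)) for x in entry)
    free = [i for i in range(32) if wild >> i & 1]   # bits the ACL ignores
    fixed = addr & ~wild & 0xFFFFFFFF                # bits the ACL requires
    hits = set()
    for bits in product((0, 1), repeat=len(free)):
        v = fixed
        for b, i in zip(bits, free):
            v |= b << i
        hits.add(v)
    return hits

def prefixes24(addrs):
    """Collapse a set of integer addresses to sorted /24 prefix strings."""
    return sorted(f"{ipaddress.IPv4Address(p)}/24" for p in {a & 0xFFFFFF00 for a in addrs})

def check(entries, cidrs):
    """Return (missed, extra): required /24s the ACL does not fully match,
    and /24s it matches that were never asked for (the over-matching)."""
    hits = set().union(*(acl_hits(e) for e in entries))
    want = {int(h) for c in cidrs for h in ipaddress.IPv4Network(c)}
    return prefixes24(want - hits), prefixes24(hits - want)

if __name__ == "__main__":
    one_line = summarize(REQUIRED)      # the single 168.192.2.0 0.16.13.255 line
    two_lines = [("168.192.3.0", "0.16.8.255"), ("168.192.14.0", "0.16.0.255")]
    print(one_line, check([one_line], REQUIRED))
    print(check(two_lines, REQUIRED))
```

The single line denies ten extra /24s (third bytes 2, 6, 7, 10 and 15 under both 192 and 208), while the two-line version matches exactly the six networks; any other candidate pair of address/wildcard entries can be passed to `check` the same way.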



This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:00:30 GMT-3