ACL Question -
No, that’s not how ACLs work. Write out the binary, and look at what matches. I’ll start with line 10, and leave it to you to figure out the other ones that you “compacted”.
Your intention (in theory) is permitting 0.0.0.0 to 192.168.0.255, but that’s not what you’re matching.
Looking at the first octet alone, 0 with a wildcard mask of 192 doesn’t match 0 to 192; it matches 0 and has two “don’t care” bits, 128 and 64. So this would match 0, 64, 128, and 192 for the first octet, but none of the other values.
Looking at the second octet, 168 as a mask says you have 3 “don’t care” bits: 128, 32, and 8. With 3 “don’t care” bits you are only matching 8 values for that octet, not the entire 0-168 range.
Marvin Greenlee, CCIE #12237 (R&S, SP, Sec) Senior Technical Instructor - IPexpert, Inc. A Cisco Learning Partner - We Accept Learning Credits! Telephone: +1.810.326.1444 Fax: +1.810.454.0130 Mailto: mgreenlee@ipexpert.com IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On Demand and Audio Certification Training Tools for the Cisco CCIE R&S Lab, CCIE Security Lab, CCIE Service Provider Lab, CCIE Voice Lab and CCIE Storage Lab Certifications.
-----Original Message-----
From: Shine Joseph [mailto:shinepjoseph@iprimus.com.au]
Sent: Tuesday, March 25, 2008 2:00 AM
To: mgreenlee@ipexpert.com; ‘Z Linux’; ccielab@groupstudy.com
Subject: RE: ACL Question -
Marvin,
I am wondering, if I actually compact the ACL to as the following one, will it be the same?
10 permit ip 0.0.0.0 192.168.0.255 172.20.1.0 0.0.0.15
20 permit ip 192.168.2.0 0.0.1.255 172.20.1.0 0.0.0.15
30 permit ip 192.168.4.0 0.0.3.255 172.20.1.0 0.0.0.15
40 permit ip 192.168.8.0 0.0.7.255 172.20.1.0 0.0.0.15
50 permit ip 192.168.16.0 0.0.15.255 172.20.1.0 0.0.0.15
60 permit ip 192.168.32.0 0.0.31.255 172.20.1.0 0.0.0.15
70 permit ip 192.168.64.0 0.0.63.255 172.20.1.0 0.0.0.15
80 permit ip 192.168.128.0 0.0.127.255 172.20.1.0 0.0.0.15
90 permit ip 192.169.0.0 63.86.255.255 172.20.1.0 0.0.0.15
Regards, Shine
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of mgreenlee@ipexpert.com
Sent: Saturday, 22 March 2008 3:21 PM
To: ‘Z Linux’; ccielab@groupstudy.com
Subject: RE: ACL Question -
Here’s a thought: use binary and create an ACL, just like the person asked. Not everything is a one-line answer, or some sneaky “trick”. Sometimes you need to be able to show some intelligence and step through a problem. Class maps and VLAN maps can be nice and pretty, but if you’re explicitly told to create an ACL, perhaps you should demonstrate that you can create an ACL, and show them your mad binary skillz.
Z linux, here you go, line explanation follows:
1. permit 0.0.0.0 127.255.255.255 172.20.1.0 0.0.0.15
2. permit 128.0.0.0 63.255.255.255 172.20.1.0 0.0.0.15
3. permit 192.0.0.0 0.127.255.255 172.20.1.0 0.0.0.15
4. permit 192.128.0.0 0.31.255.255 172.20.1.0 0.0.0.15
5. permit 192.160.0.0 0.7.255.255 172.20.1.0 0.0.0.15
6. permit 192.168.0.0 0.0.0.255 172.20.1.0 0.0.0.15
7. permit 192.168.2.0 0.0.1.255 172.20.1.0 0.0.0.15
8. permit 192.168.4.0 0.0.3.255 172.20.1.0 0.0.0.15
9. permit 192.168.8.0 0.0.7.255 172.20.1.0 0.0.0.15
10. permit 192.168.16.0 0.0.15.255 172.20.1.0 0.0.0.15
11. permit 192.168.32.0 0.0.31.255 172.20.1.0 0.0.0.15
12. permit 192.168.64.0 0.0.63.255 172.20.1.0 0.0.0.15
13. permit 192.168.128.0 0.0.127.255 172.20.1.0 0.0.0.15
14. permit 192.169.0.0 0.0.255.255 172.20.1.0 0.0.0.15
15. permit 192.170.0.0 0.1.255.255 172.20.1.0 0.0.0.15
16. permit 192.172.0.0 0.3.255.255 172.20.1.0 0.0.0.15
17. permit 192.176.0.0 0.15.255.255 172.20.1.0 0.0.0.15
18. permit 192.192.0.0 0.63.255.255 172.20.1.0 0.0.0.15
19. permit 193.0.0.0 0.255.255.255 172.20.1.0 0.0.0.15
20. permit 194.0.0.0 1.255.255.255 172.20.1.0 0.0.0.15
21. permit 196.0.0.0 3.255.255.255 172.20.1.0 0.0.0.15
22. permit 200.0.0.0 7.255.255.255 172.20.1.0 0.0.0.15
23. permit 208.0.0.0 15.255.255.255 172.20.1.0 0.0.0.15
24. permit 224.0.0.0 31.255.255.255 172.20.1.0 0.0.0.15

1. permit 0 to 127, first octet
2. permit 128 to 191, first octet
3. permit 192 first octet, 0 to 127 second octet
4. permit 192.128 to 192.159
5. permit 192.160 to 192.167
6. permit 192.168.0.0 to 192.168.0.255
7. permit 192.168.2 to 192.168.3
8. permit 192.168.4 to 192.168.7
9. permit 192.168.8 to 192.168.15
10. permit 192.168.16 to 192.168.31
11. permit 192.168.32 to 192.168.63
12. permit 192.168.64 to 192.168.127
13. permit 192.168.128 to 192.168.255
14. permit 192.169.0 to 192.169.255
15. permit 192.170 to 192.171
16. permit 192.172 to 192.175
17. permit 192.176 to 192.191
18. permit 192.192 to 192.255
19. permit 193.0 to 193.255
20. permit 194.0 to 195.255
21. permit 196 to 199
22. permit 200 to 207
23. permit 209 to 223
24. permit 224 to 255
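An added Python check, not written by anyone in this thread, that applies the bit-by-bit wildcard matching Marvin describes in his reply at the top (a 1 bit in the wildcard is "don't care", every 0 bit must match the base address) and uses it to verify that the 24-line ACL above covers every source address except 192.168.1.0/24, while the "compacted" line 10 from Shine's reply matches only 8192 addresses. Function names and the constant names are my own; the address pairs are copied from the thread.

```python
import ipaddress


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_matches(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard is 'don't care';
    every 0 bit must equal the corresponding bit of the base address."""
    a, b, w = _to_int(addr), _to_int(base), _to_int(wildcard)
    return (a & ~w) == (b & ~w)


def matched_count(wildcard: str) -> int:
    """An entry matches exactly 2 ** (number of 1 bits in the wildcard) addresses."""
    return 1 << bin(_to_int(wildcard)).count("1")


def entries_overlap(e1, e2) -> bool:
    """Two (base, wildcard) pairs share an address iff they agree on every
    bit that neither of them treats as 'don't care'."""
    b1, w1 = _to_int(e1[0]), _to_int(e1[1])
    b2, w2 = _to_int(e2[0]), _to_int(e2[1])
    return ((b1 ^ b2) & ~(w1 | w2)) == 0


def acl_permits(acl, addr: str) -> bool:
    """All entries are permits, so order is irrelevant; implicit deny otherwise."""
    return any(wildcard_matches(addr, base, wc) for base, wc in acl)


def covered_address_count(acl) -> int:
    """Sum of per-entry sizes, valid only if entries are pairwise disjoint."""
    for i in range(len(acl)):
        for j in range(i + 1, len(acl)):
            if entries_overlap(acl[i], acl[j]):
                raise ValueError(f"entries {i + 1} and {j + 1} overlap")
    return sum(matched_count(wc) for _, wc in acl)


# Source-address pairs from Marvin's 24-line ACL above (the destination
# 172.20.1.0 0.0.0.15 is identical on every line and omitted here).
MARVIN_ACL = [
    ("0.0.0.0", "127.255.255.255"), ("128.0.0.0", "63.255.255.255"), ("192.0.0.0", "0.127.255.255"),
    ("192.128.0.0", "0.31.255.255"), ("192.160.0.0", "0.7.255.255"), ("192.168.0.0", "0.0.0.255"),
    ("192.168.2.0", "0.0.1.255"), ("192.168.4.0", "0.0.3.255"), ("192.168.8.0", "0.0.7.255"),
    ("192.168.16.0", "0.0.15.255"), ("192.168.32.0", "0.0.31.255"), ("192.168.64.0", "0.0.63.255"),
    ("192.168.128.0", "0.0.127.255"), ("192.169.0.0", "0.0.255.255"), ("192.170.0.0", "0.1.255.255"),
    ("192.172.0.0", "0.3.255.255"), ("192.176.0.0", "0.15.255.255"), ("192.192.0.0", "0.63.255.255"),
    ("193.0.0.0", "0.255.255.255"), ("194.0.0.0", "1.255.255.255"), ("196.0.0.0", "3.255.255.255"),
    ("200.0.0.0", "7.255.255.255"), ("208.0.0.0", "15.255.255.255"), ("224.0.0.0", "31.255.255.255"),
]

# Shine's compacted line 10: meant as 0.0.0.0 through 192.168.0.255, but the
# wildcard 192.168.0.255 has only 13 "don't care" bits.
SHINE_LINE_10 = ("0.0.0.0", "192.168.0.255")
```

`covered_address_count(MARVIN_ACL)` returns 2**32 - 256, i.e. the whole IPv4 space minus exactly one /24, and `acl_permits(MARVIN_ACL, "192.168.1.7")` is False.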
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Z Linux
Sent: Friday, March 21, 2008 12:41 PM
To: ccielab@groupstudy.com
Subject: ACL Question -
Hi 2 All,
Plz help with solution :-
Configure an ACL with name “ABC” to obtain the following requirement:
Deny all IP traffic from 192.168.1.0/24 to subnet 172.20.1.0/28.
Permit any other traffic to 172.20.1.0/28.
Do not use any deny statements; use only permit statements.