Comments on: Binary Math – Part I

By: R&S Short Notes – Security & IP Services « #sh ip route vrf CCIE 24163

Wed, 27 May 2009 07:34:19 +0000

[...] your binary voodoo as Scott Morris @ INE calls it, Part I & Part [...]

By: Madura

Madura — Wed, 15 Apr 2009 10:55:52 +0000

Hi Scott, So what is the final answer for the second question? I see there two sets of answers from the above posts, but my answer is :

ip access-list 13 deny 200.100.1.0 0.0.254.0
ip access-list 13 permit 200.100.128.0 0.0.7.0
ip access-list 13 permit 200.100.136.0 0.0.3.0

Is this correct?

I don’t understand how this will work though:
access-list 20 permit 200.100.128.0 0.0.6.0
access-list 20 permit 200.100.136.0 0.0.2.0

By: csc

csc — Mon, 23 Feb 2009 09:10:49 +0000

Hurrey !!!

I got it….

I configured eigrp and everything worked fine..

Scott…I really really thankful to you …

Also surely i’ll try packet filtering..

Again hats off to you..

By: Scott Morris, CCIE #4713

Scott Morris, CCIE #4713 — Sun, 22 Feb 2009 20:21:06 +0000

You are a touch late, but we’ll work with it.

Your first big thing… You’re running OSPF. You cannot do a distribute-list out in OSPF, because the rules of the protocol are that everyone in an area must have the same database!

If you are an ABR you can use an area filter-list to accomplish the same thing, but I think that command requires a prefix-list and not an ACL. Ah well.

Otherwise, you’re getting the idea of the binary. Just the application is a little difficult! Try them as packet filters (e.g. interface-based) and see if that makes things better for you!

HTH,

Scott

By: csc

csc — Sun, 22 Feb 2009 20:06:14 +0000

Hi Scott,

This might be very late…

I was looking out for the nice explanation on access list and I got this fantastic link…

Your explanation is very great but it made me confused… Because I am still far behind in configuring access list.

I tried configuring as per your suggestion.. but did not get single output…I still din’t understand how did you apply access list.. what are the commands..

My network is very simple

R1 ( s1/0 – 12.1.1.1 ) is connected to R2 ( s1/0 – 12.1.1.2 )

and I created some loopbacks on R1 as follows

int lo 1
ip add 172.16.31.1 255.255.255.0
int lo 2
ip add 172.16.32.1 255.255.255.0
int lo 3
ip add 172.16.33.1 255.255.255.0
int lo 4
ip add 172.16.34.1 255.255.255.0
int lo 5
ip add 172.16.35.1 255.255.255.0
int lo 6
ip add 172.16.36.1 255.255.255.0
int lo 7
ip add 172.16.37.1 255.255.255.0
int lo 8
ip add 172.16.38.1 255.255.255.0
int lo 9
ip add 172.16.39.1 255.255.255.0
int lo 10
ip add 172.16.40.1 255.255.255.0
int lo 11
ip add 172.16.41.1 255.255.255.0
int lo 12
ip add 172.16.42.1 255.255.255.0
int lo 13
ip add 172.16.43.1 255.255.255.0

and configured ospf on both the routers..

later on I advertised all the loopbacks and serial interface under ospf…

I tried configuring in different way .. but sill no luck

e.g

If i want to permit only 32 to 35 networks.

I configured :

R1>access-list 11 permit 172.16.32.0 0.0.3.255

config-router>distribute-list 11 out

No Luck..

I tried also

access-list 11 deny 172.16.38.0 0.0.1.255

again no luck…

Then I removed all the loopbacks.. made it very simple.. configured only 2 loopbacks..

int lo 1
ip add 140.40.10.1 255.255.255.0

int lo 2
ip add 140.40.11.1 255.255.255.0

same I advertiesd in ospf..

Checked on R2.. got all the loopbacks..expected

then I tried allowing only 140.40.11.1

so configured :

access-list 1 permit 140.40.11.1

config-router>distribute-list 1 out

But again n again NO LUCK…

Everytime I got all the routes on R2.. I did clear ospf process..did clear ip route…

Please please advise me…

Hats off you…

Thanks..

By: Zsolt Maj

Zsolt Maj — Sun, 05 Oct 2008 21:46:19 +0000

Because packets of all hosts from this subnets are allowed the fourth octet of inverse mask is 255.
The inverse mask of third octet is the key question. Let’s see the binary form of every fourth subnet.

DCbits 11111100 ==>> 252 0 00000000 4 00000100 8 00001000 32 00100000 36 00100100 64 01000000 96 01100000 100 01100100

Because only the last two bit is the same in every binary form, the inverse mask of third octet is 252.

access-list 10 permit 131.102.0.0 0.0.252.255

The range of even subnets from 200.100.128.0/24 to 200.100.138.0/24 is union of two subnets. Let’s see the binary form of third octets

DCbits 11 128 10000000 130 10000010 132 10000100 134 10000110 ---------------- 136 10001000 138 10001010 DCbit 1

Based on the binary form two permit statements required

access-list 20 permit 200.100.128.0 0.0.6.0 access-list 20 permit 200.100.136.0 0.0.2.0

Because we must not use any DENY statements we must subnetting the given “C” class subnet, and we must use two individual address.

The subnets are following:

158.1.100.0/26 - 158.1.100.63/26 158.1.100.64/28 - 158.1.100.79/28 158.1.100.80/29 - 158.1.100.87/29 158.1.100.88/30 - 158.1.100.91/30 158.1.100.92/32 158.1.100.107/32 158.1.100.108/30 - 158.1.100.111/30 158.1.100.112/28 - 158.1.100.127/28 158.1.100.128/25 - 158.1.100.255/25

Access list:

access-list 30 permit 158.1.100.0 0.0.0.63 access-list 30 permit 158.1.100.64 0.0.0.15 access-list 30 permit 158.1.100.80 0.0.0.7 access-list 30 permit 158.1.100.88 0.0.0.3 access-list 30 permit 158.1.100.92 0.0.0.0 access-list 30 permit 158.1.100.107 0.0.0.0 access-list 30 permit 158.1.100.108 0.0.0.3 access-list 30 permit 158.1.100.112 0.0.0.15 access-list 30 permit 158.1.100.128 0.0.0.127

By: Rack009

Rack009 — Tue, 16 Sep 2008 20:58:22 +0000

START->RUN->CALC

By: rami

rami — Tue, 16 Sep 2008 16:36:25 +0000

1. Allow packets from all hosts in every fourth /24 network from 131.102.0.0/16

131.102.0.0 0.0.252.255

2. In as few lines as possible, permit only the following networks (assume it will be a distribute-list):

200.100.128.0/24 0.0.6.0
200.100.136.0/24 0.0.2.0

3. In as few lines as possible, allow access from all hosts in the 158.1.100.0/24 network except .93 through .106. You are not allowed to use any “deny” statements.

150.1.100.0 0.0.0.63
150.1.100.64 0.0.0.15
150.1.100.80 0.0.0.7
150.1.100.92 0.0.0.0
150.1.100.107 0.0.0.0
150.1.100.108 0.0.0.3
150.1.100.112 0.0.0.15
150.1.100.128 0.0.0.127

This was great practice!

By: Tibor Kasza

Tibor Kasza — Tue, 16 Sep 2008 15:55:45 +0000

last version

1.
access-list 14 permit 131.102.0.0 0.0.252.255

2.
access-list 15 deny 200.100.140.0 0.0.2.0
access-list 15 permit 200.100.128.0 0.0.14.0

3.
access-list 16 permit 158.1.100.0 0.0.0.63
access-list 16 permit 158.1.100.64 0.0.0.15
access-list 16 permit 158.1.100.80 0.0.0.7
access-list 16 permit 158.1.100.88 0.0.0.3
access-list 16 permit 158.1.100.92 0.0.0.0
access-list 16 permit 158.1.100.107 0.0.0.0
access-list 16 permit 158.1.100.108 0.0.0.3
access-list 16 permit 158.1.100.112 0.0.0.15
access-list 16 permit 158.1.100.128 0.0.0.127

By: Tibor Kasza

Tibor Kasza — Tue, 16 Sep 2008 15:53:07 +0000

corrected

1.
access-list 14 permit 131.102.0.0 0.0.252.255

2.
access-list 15 deny 200.100.140.0 0.0.0.0
access-list 15 deny 200.100.142.0 0.0.0.0
access-list 15 permit 200.100.128.0 0.0.14.0