Nov 03

I know, I know…  I promised this a while back, after I did the first part.  Sorry ’bout that!

So we’ve played around a bit with the access-list idea and some binary matching.  So let’s expand our brains even further!

I will start out by telling everyone that I am NOT picking on or otherwise attempting to insult any CCNA’s out there by comparing methodology to what is learned in CCNA.  The idea being that there are basic and advanced ways to learn things.

When we all first learned fractions, if anyone attempted to explain more advanced methods of long division, or finite state mathematics, or anything we now consider to be “basic algebra”, plain and simple….  our brains would have imploded!  It wouldn’t have been pretty at all.

There is a time and a place for everything.  When first beginning as a CCNA, the concept of “network” and “network mask” and wonderful subnets on standard bit-boundaries is good.  It’s a starting point.  Just realize that it isn’t the end point, and as CCIE Candidates, we need to see beyond those initial learning steps in order to succeed!  If you have stumbled across these blogs, and are still a CCNA, my sincere apologies as I did not mean to offend!  (And my apologies for any induced-brain-implosions!)

Now, all those legal disclaimers aside, it’s time to move up a notch in Binary Math.  We’re still counting to one, we’re just doing it with more finesse now!  So let’s start with our first problem for Part II.

Summarize these in as few lines as possible:

168.192.3.0/24
168.192.14.0/24
168.208.11.0/24
168.208.14.0/24
168.208.3.0/24
168.192.11.0/24

Our expansion and brain-freeze difficulty here is that we have differences in two different octets.  Well, I’ve got one for ya!  Who cares!?!?  The router doesn’t.

Let me go out on a limb here and say that ALL access lists in our routers are essentially operating in the exact same fashion.  Now, don’t go getting all sulky on me and tell me how they can’t all be the same because they’re different protocols.  I know that!  :)

But LOGICALLY, it’s the same process.  A 200-series ACL is for ethertypes.  They are represented in hexadecimal (for our benefit since ethertype values are routinely expressed in hex).  But the router sees a starting string of 16 bits, and a mask of 16 bits to go with it.

The standard or extended IP ACLs are for IP addresses, as we all know.  They are expressed in dotted decimal for OUR benefit.  The router sees a string of 32 bits and a mask of 32 bits.

An 800 series ACL is for IPX.  Again, expressed in hexadecimal for our benefit.  The router sees a starting string of 80 bits and a mask of 80 bits.

An IPv6 ACL is the same thing, only with 128 bits starting strings and masks!!!

You get the idea here.  Same #$*&# different ACL!  So that idea of the difference being in different octets?  The router doesn’t see it that way.  So get it out of your head!  Octet boundaries should make no difference to a CCIE Candidate!  That period is just a bump on the road of learning!

Anyway, enough sophomoric digression here…  Let’s look at the binary.

Second octet:

192    11000000
208    11010000

There’s only one bit of difference, so we can definitely summarize!  Even if we didn’t look any further, we can reduce these to three lines now.

access-list 21 permit 168.192.3.0 0.16.0.0
access-list 21 permit 168.192.11.0 0.16.0.0
access-list 21 permit 168.192.14.0 0.16.0.0

And that would work nicely.  So let’s look at the third octet:

3    00000011
11    00001011
14    00001110

Well, we end up with three bits of difference there (in the 1-bit, 4-bit and 8-bit positions).  2^3 would give us eight matches here, and that’s not cool: we only have three.  Look more closely at them individually.  14 is really the one that “doesn’t belong” or doesn’t fit well in the group.  So treat it separately!

Between 3 and 11, there’s only one bit of difference (2^1 = 2 matches).  So look at this in conjunction with what we did above.

access-list 21 permit 168.192.3.0 0.16.8.0
access-list 21 permit 168.192.14.0 0.16.0.0

The first line matches four of our original networks, and the second line matches two.  And the fact that the bits are in different octets only bothers us, not the routers!  This is another one of those “not taught like this in CCNA” moments of discovering the ability to change masks on a per-bit basis!

So let’s have a little more fun here….  Summarize these in as few lines as possible:

207.49.164.0/24
208.49.164.0/24
205.49.165.0/24
207.49.165.0/24
192.49.164.0/24

Again, we have varying numbers in two different octets.  One extra step we can take while doing this in the lab (or practicing) is to use Notepad and the Windows Calculator to help.

Notepad is nice because it uses a fixed-width font, so things line up nicely.  By hand, it makes things uglier.  If your handwriting is anything like mine, after a while you can’t figure out where the heck your columns are supposed to be lining up!  The other cool part about Notepad is that you can cut and paste to rearrange the order, or put things to the side once you have them matched.

Otherwise, it’s all about binary.  The first octet:

192    11000000
205    11001101
207    11001111
208    11010000

Lots of bits of difference there.  Five of them to be exact.  And since 2^5 gives 32 matches, we know it’s not going to be that simple!   So start pairing and rearranging!

192    11000000
208    11010000

205    11001101
207    11001111

With those pairs, there’s only one bit different between them.  2^1 yields two matches only, so we’re good there!  Now, let’s look at those pairings with all numbers.  The 192 and 208 addresses match in the second and third octets, so we can remove them.  But we still have variety in the third octet:

164    10100100
165    10100101

Again, one bit of difference makes things nice, but here’s our quandary.  We have three items left to match, and no matter how we line things up, a single ACL entry cannot match all three with no extras or leftovers!  (3 is not a power of 2!)  So there will have to be an extra statement no matter how we slice things.

There are actually three different ways to solve this, which makes it very interesting to talk through!

Method 1:

access-list 22 permit 192.49.164.0 16.0.0.0
access-list 22 permit 205.49.165.0 0.0.0.0
access-list 22 permit 207.49.164.0 0.0.1.0

Method 2:

access-list 23 permit 192.49.164.0 16.0.0.0
access-list 23 permit 205.49.165.0 2.0.0.0
access-list 23 permit 207.49.164.0 0.0.0.0

Method 3:

access-list 24 permit 192.49.164.0 16.0.0.0
access-list 24 deny 205.49.164.0 0.0.0.0
access-list 24 permit 205.49.164.0 2.0.1.0

All of the methods give us three lines.  One includes a “deny” statement, should the task require one.  Nice options to have, and again, which octet the bits land in makes no difference to the router!

Let’s look at one more.  Create an ACL in as few lines as possible to allow the hosts from these networks in:

182.17.77.0/24
182.81.77.0/24
190.17.73.0/24
190.81.73.0/24
190.81.77.0/24
182.17.73.0/24
182.81.73.0/24
190.17.77.0/24

You can also count on the idea that the numbers presented to you will NOT be in numerical order, so they are intentionally presented in a way that is not as simple to visualize!  (Another good idea to use Notepad!)

In this example, we have differences in THREE octets.  No fear though, right!  Same stuff, different example!  The rules have not changed.  Where’s the binary?

182    10110110
190    10111110

17    00010001
81    01010001

73    01001001
77    01001101

Notice that in each of the octets, there is only one bit that is different.  2^1 per octet gives us two matches, which is all we have.  More importantly, 2^3 (a total of 3 bits in the entire 32-bit mask string) gives us eight matches, which is all we have listed in the task itself!  So we can do the whole thing in just one line!

access-list 25 permit 182.17.73.0 8.64.4.0

See, it wasn’t all that bad, was it?

There are some rules and things to make life a little easier….

You can visually look at a scenario and see what the best possible answer is just by the number of matches you need!

If you have eight entries to match, your best possible outcome is one line.   2^3 = 8, so if you find exactly three bits different in all of them, then that’s it!  Life doesn’t always work that way, but at least you know the minimum!

Likewise, if you have only six things to match, the best you can possibly do is two lines.  2^2 and 2^1.  Or deny 2^1 and permit 2^3.  Still two lines.  You get the idea.

Again, this is IF things work nicely with bit boundaries and stuff.  But at least you won’t have to stress out about “I wonder if I can get less lines than what I already have”!!!

On larger/longer examples, we can do some additional things to check this out.  Namely, the “network” or “binary starting point” will ALWAYS be your lowest matching value (in other words, every place you have a “1” in the mask, the router will put a “0” value in that position).  To test your mask, type in the ACL with a middle/higher starting point.  As long as the mask is correct, when you look at “show run” or “show access-list” then you should see the starting point.

If you see something that doesn’t exist in your list, or is just entirely different…  Well…  You’ve messed something up!  :)

Another quick check that we can do is to subtract.  When you subtract two numbers and the difference is a power of two, then that’s the bit that is different between them.

In the last example here:

190 – 182 = 8
81 – 17 = 64
77 – 73 = 4

And those were our mask values there.  Now, be careful since that doesn’t always work!  Particularly with “1” being the difference.  If you cross a bit boundary, you’ll have problems.  Think about if our values were 7 and 8.  The difference is only 1, yet there are four bits different between those two!  But otherwise, it’s a nice shortcut to help quickly check things!
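As an added example (not from the original post), here is the bit bookkeeping from the binary comparisons above, the 2^n matching rule, the “lowest matching value” check and the subtraction shortcut in Python; the addresses are the post’s own examples, the function names are mine.

```python
# Added example (not from the original post): wildcard-mask helpers that do
# the binary bookkeeping the post walks through by hand.  The addresses used
# below are the post's own example networks; function names are mine.
from ipaddress import IPv4Address
from itertools import product

MASK32 = 0xFFFFFFFF


def to_int(addr: str) -> int:
    return int(IPv4Address(addr))


def to_str(value: int) -> str:
    return str(IPv4Address(value & MASK32))


def normalize(base: str, wildcard: str) -> str:
    """What 'show access-list' displays: every bit under a wildcard '1' is
    cleared, so the entry is shown at its lowest matching value."""
    return to_str(to_int(base) & ~to_int(wildcard))


def summarize(addrs):
    """Single ACL entry (base, wildcard) covering every address in addrs.

    The wildcard gets a '1' in every bit position where at least one address
    differs from the first one; the base is normalized as above."""
    ints = [to_int(a) for a in addrs]
    wildcard = 0
    for v in ints:
        wildcard |= ints[0] ^ v
    return to_str(ints[0] & ~wildcard), to_str(wildcard)


def match_count(wildcard: str) -> int:
    """2^(number of '1' bits): how many addresses the entry matches."""
    return 1 << bin(to_int(wildcard)).count("1")


def summarize_exact(addrs):
    """Like summarize(), plus whether the entry matches ONLY the given
    addresses (2^bits == number of distinct addresses) or picks up extras."""
    base, wildcard = summarize(addrs)
    return base, wildcard, match_count(wildcard) == len(set(addrs))


def matches(base: str, wildcard: str, addr: str) -> bool:
    """The router's test: compare only the bits where the wildcard is 0."""
    care = ~to_int(wildcard) & MASK32
    return (to_int(base) & care) == (to_int(addr) & care)


def expand(base: str, wildcard: str):
    """Every address one entry matches (fine for the small wildcards here)."""
    w = to_int(wildcard)
    lowest = to_int(base) & ~w
    bits = [1 << i for i in range(32) if (w >> i) & 1]
    return {to_str(lowest | sum(c)) for c in product(*[(0, b) for b in bits])}


def permitted(acl, candidates):
    """Run candidates through an ordered list of (action, base, wildcard)
    entries: first match wins, anything unmatched hits the implicit deny."""
    allowed = set()
    for addr in candidates:
        for action, base, wildcard in acl:
            if matches(base, wildcard, addr):
                if action == "permit":
                    allowed.add(addr)
                break
    return allowed


def subtraction_shortcut(a: int, b: int):
    """The post's quick check on one octet: if the difference is a power of
    two, that is the differing bit.  Returns (shortcut, actual_xor) so the
    7-versus-8 caveat is visible: the shortcut says 1, the real mask is 15."""
    diff = abs(a - b)
    shortcut = diff if diff and diff & (diff - 1) == 0 else None
    return shortcut, a ^ b


if __name__ == "__main__":
    eight = ["182.17.77.0", "182.81.77.0", "190.17.73.0", "190.81.73.0",
             "190.81.77.0", "182.17.73.0", "182.81.73.0", "190.17.77.0"]
    print(summarize_exact(eight))          # ('182.17.73.0', '8.64.4.0', True)
    six = ["168.192.3.0", "168.192.14.0", "168.208.11.0",
           "168.208.14.0", "168.208.3.0", "168.192.11.0"]
    print(summarize_exact(six))            # one line would match 16, not 6
    print(sorted(expand("168.192.3.0", "0.16.8.0")))
    print(normalize("190.81.77.0", "8.64.4.0"))   # 182.17.73.0
    print(subtraction_shortcut(190, 182), subtraction_shortcut(7, 8))
```

The `permitted()` helper is what lets you check a multi-line answer such as Method 3 above: feed it the wanted networks plus a few neighbours and confirm only the wanted ones come back.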

Working with binary really doesn’t have to be that scary or difficult!  When you are just getting used to this, it’s best to work with the binary and start to SEE things and patterns.  As you get more experienced, you’ll be able to do more of the math in your head.

Oh, one last thing….  If the lab makes you do one of these nice access-lists, try really hard NOT to forget to apply it someplace!  ;)

I figure with nine years gone by, it’s not really an NDA thing to say I had a difficult ACL on my lab exam.  And I wasn’t as good with binary back then, so it took almost an hour to figure out.  And I got it right.  But I found out that I didn’t get points for it which really irritated me, and I started to “discuss” it (this was back when we interacted more with the proctors) until the proctor very nicely pointed out to me that it WAS correct, but I forgot to apply it to an interface which makes it entirely useless.

DOH!    So don’t overlook the small stuff!  I hope this has helped a bit with all the binary voodoo magic.  In case you are still staring at the screen wondering why you would ever care about this….  Your router does!   If you have used or heard of Turbo ACLs, or Compiled Access Lists, it’s the same thing.  Your router does all of this logic in order to make the list smaller and more efficient.

The programmers were smart enough to NOT display the working ACL to users though!  TAC was not equipped to deal with brain implosions from users!   :)

Here’s a few extra problems to make life a bit more interesting!

1.   You have hosts on 150.100.32.0/24.  Make sure the following addresses are not allowed to access any even-numbered server in the second-half of your IP range.  All other access should be allowed.

180.34.80.133
180.34.208.197
180.50.208.229
180.50.80.197
180.34.80.197
180.34.208.133
180.34.208.165
180.50.208.133
180.34.80.229
180.50.208.197
180.50.80.133
180.50.80.165
180.34.80.165
180.34.208.229
180.50.80.229
180.50.208.165

2.  For a routing filter, summarize these permissions in as few lines as possible:

19.55.4.0/24
19.55.5.0/24
19.55.12.0/24
19.55.13.0/24
79.55.4.0/24
79.56.4.0/24
79.55.20.0/24
79.56.20.0/24
83.55.4.0/24
83.55.5.0/24
83.55.12.0/24
83.55.13.0/24

3.  The following hosts should be allowed to telnet into your router:

132.130.1.16
132.194.1.16
132.130.1.17
132.194.1.17
132.130.1.19
132.194.1.19
132.130.1.24
132.194.1.24
132.130.1.25
132.194.1.25
132.130.1.26
132.194.1.26
132.130.1.27
132.194.1.27
124.130.1.16
124.194.1.16
124.130.1.17
124.194.1.17
124.130.1.19
124.194.1.19
124.130.1.24
124.194.1.24
124.130.1.25
124.194.1.25
124.130.1.26
124.194.1.26
124.130.1.27
124.194.1.27

Create an ACL to use as an access-class on the VTY ports.  Use as few lines as possible.  You must use two “deny” statements in your ACL.

132.130.1.18 (deny)
132.194.1.18 (deny)

124.130.1.18 (deny)
124.194.1.18 (deny)

4.  You have one router configured with a prefix-list in BGP:

ip prefix-list GoodRoutes permit 192.168.0.0/15 ge 20 le 24

You want the same information configured on a different router, but you need to integrate this with your existing BGP distribute-list.  Your current BGP distribute-list is:

access-list 44 permit 150.100.0.0 0.0.0.255
access-list 44 permit 150.100.1.0 0.0.0.255
access-list 44 permit 150.100.2.0 0.0.0.255
access-list 44 permit 150.100.3.0 0.0.0.255
access-list 44 permit 150.100.4.0 0.0.0.255
access-list 44 permit 150.100.5.0 0.0.0.255
access-list 44 permit 150.100.6.0 0.0.0.255
access-list 44 permit 150.100.7.0 0.0.0.255
access-list 44 permit 150.100.8.0 0.0.0.255
access-list 44 permit 150.100.9.0 0.0.0.255
access-list 44 permit 150.100.10.0 0.0.0.255
access-list 44 permit 150.100.11.0 0.0.0.255
access-list 44 permit 150.100.12.0 0.0.0.255
access-list 44 permit 150.100.13.0 0.0.0.255
access-list 44 permit 150.100.14.0 0.0.0.255
access-list 44 permit 150.100.15.0 0.0.0.255

Create a new BGP distribute-list in as few lines as possible.

So the contest part will begin again….  And hopefully will run more smoothly this time!  :)   Again, the first person with ALL FOUR correct answers will receive a prize of 120 tokens, good for rack rental, mock labs, whatever….  Very useful stuff!

All comments for this will be withheld for 24 hours to allow the entertainment to ensue!  Good luck!!!



24 Responses to “Binary Math, Part II”

 
  1. Muhammad says:

    Question #1:-

    deny 180.34.80.133 0.16.128.96 150.100.32.0 255.254.255.2555

    Question #2:-

    permit 19.55.4.0 0.0.1.0
    permit 19.55.12.0 0.0.1.0

    permit 79.55.4.0 0.0.16.0
    permit 79.56.4.0 0.0.16.0

    permit 83.55.4.0 0.0.1.0
    permit 83.55.12.0 0.0.1.0

    Question #3:-

    permit 132.130.1.16 0.64.0.1
    permit 132.130.1.24 0.64.0.3
    permit 132.130.1.19 0.0.0.0

    Question #4:-

    permit 150.100.0.0 0.0.15.0

  2. Jason DSouza says:

    Hi Scott, my answers below…

    answer 1

    access-list 101 deny ip 180.34.80.133 0.16.128.96 150.100.32.128 0.0.0.126
    access-list 101 permit ip any any

    answer 2

    access-list 1 permit 19.55.4.0 64.0.9.255
    access-list 1 permit 79.55.4.0 0.0.16.255
    access-list 1 permit 79.56.4.0 0.0.16.255

    answer 3

    access-list 1 deny 132.130.1.18 0.64.0.0
    access-list 1 permit 132.130.1.16 0.64.0.3
    access-list 1 permit 132.130.1.24 0.64.0.3
    access-list 1 permit 132.130.1.17 0.64.0.2

    access-list 1 deny 124.130.1.18 0.64.0.0
    access-list 1 permit 124.130.1.16 0.64.0.3
    access-list 1 permit 124.130.1.24 0.64.0.3
    access-list 1 permit 124.130.1.17 0.64.0.2

    line vty 0 4
    access-class 1 in

    answer 4

    ip prefix-list GoodRoutes permit 192.168.0.0/15 ge 20 le 24
    ip prefix-list GoodRoutes permit 150.100.0.0/16 ge 20 le 24

  3. Tomas Stellmach says:

    1.
    access-list 111 deny ip 180.34.80.133 0.16.128.96 150.100.32.128 0.0.0.126
    access-list 111 permit ip any any

    2.
    access-list 2 permit 19.55.4.0 64.0.10.0
    access-list 2 permit 79.55.4.0 0.0.16.0
    access-list 2 permit 79.56.4.0 0.0.16.0

    3.
    access-list 10 deny 132.130.1.18 0.64.0.0
    access-list 10 permit 132.130.1.16 0.64.0.11
    access-list 10 deny 124.130.1.18 0.64.0.0
    access-list 10 permit 124.130.1.16 0.64.0.11

    4.
    ip prefix-list GoodRoutes permit 192.168.0.0/15 ge 20 le 24
    ip prefix-list GoodRoutes permit 150.100.0.0/16 ge 20 le 24

  4. uri says:

    [Q1]

    deny 180.34.80.133 0.16.128.128 150.100.32.0 0.0.0.126
    deny 180.34.80.165 0.16.128.64 150.100.32.0 0.0.0.126
    permit 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

    ——————————–
    [Q2]

    permit 19.55.4.0 64.0.1.0
    permit 19.55.12.0 64.0.1.0
    permit 19.55.14.0 64.0.0.0

    permit 19.56.4.0 64.0.1.0
    permit 19.56.12.0 64.0.1.0
    permit 19.56.14.0 64.0.0.0

    ——————————–
    [Q3]

    deny 124.130.1.18 0.64.0.0
    permit 124.130.1.16 0.64.0.3
    permit 124.130.1.24 0.64.0.3

    deny 132.130.1.18 0.64.0.0
    permit 132.130.1.16 0.64.0.3
    permit 132.130.1.24 0.64.0.3

    ——————————–
    [Q4]

    access-list 44 permit 192.168.0.0 255.254.0.0 255.255.240.0 0.0.15.0

    access-list 44 permit 150.100.0.0 255.255.240.0 255.255.255.0 0.0.0.0

    ——————————–

  5. uri says:

    Hmmm…. obvious correction:

    [Q4]

    access-list 44 permit 192.168.0.0 0.1.255.255 255.255.240.0 0.0.15.0
    access-list 44 permit 150.100.0.0 0.0.15.255 255.255.255.0 0.0.0.0

    ————————————-

  6. Patrick Donker says:

    Q1.
    access-list 100 deny ip 180.34.80.133 0.16.128.32 150.100.32.128 0.0.0.126
    access-list 100 deny ip 180.34.80.197 0.16.128.32 150.100.32.128 0.0.0.126
    access-list 100 permit ip any any
    !

    Q2.
    access-list 100 permit ip 19.55.4.0 64.0.1.0 255.255.255.0 0.0.0.0
    access-list 100 permit ip 19.55.12.0 64.0.1.0 255.255.255.0 0.0.0.0
    access-list 100 permit ip 79.55.4.0 0.0.16.0 255.255.255.0 0.0.0.0
    access-list 100 permit ip 79.56.4.0 0.0.16.0 255.255.255.0 0.0.0.0
    !

    Q3.
    access-list 1 deny ip 124.130.1.18 0.64.0.0
    access-list 1 deny ip 132.130.1.18 0.64.0.0
    access-list 1 permit ip 124.130.1.16 8.64.0.3
    access-list 1 permit ip 124.130.1.24 8.64.0.3

    Q4.
    ip prefix-list GoodRoutes permit 192.168.0.0/15 ge 20 le 24
    ip prefix-list GoodRoutes permit 150.100.0.0/20 ge 24
    !

  7. Phil Guerin says:

    Hi,

    I think the answers are:

    1) access-list 101 permit 180.34.80.133 0.16.128.96 150.100.32.128 0.0.0.129

    2) access-list 1 permit 19.55.4.0 64.0.9.0
    access-list 1 permit 79.55.4.0 0.0.16.0
    access-list 1 permit 79.56.4.0 0.0.16.0

    3) access-list 1 deny 124.130.1.18 0.64.0.0
    access-list 1 permit 124.130.1.16 0.64.0.3
    access-list 1 deny 132.130.1.18 0.64.0.0
    access-list 1 permit 132.130.1.16 0.64.0.3

    4) access-list 101 permit 192.168.0.0 0.1.255.255 255.255.240.0 0.0.15.0
    access-list 101 permit 150.100.0.0 0.0.15.0 0.0.0.0 255.255.255.255

  8. Andrei C. says:

    Ok, I will try :)
    1.
    access-list 125 deny ip 180.34.80.133 0.16.128.96 150.100.32.128 0.0.0.126
    access-list 125 permit ip any any

    2.
    ip prefix-list GoodRoutes permit 19.55.4.0 64.0.9.0
    ip prefix-list GoodRoutes permit 79.55.4.0 0.1.16.0

    3.
    access-list 25 deny 132.130.1.18 0.64.0.0
    access-list 25 deny 124.130.1.18 0.64.0.0
    access-list 25 permit 132.130.16.0 0.64.11.0
    access-list 25 permit 124.130.16.0 0.64.11.0

    4.
    access-list 44 permit 150.100.0.0 0.0.15.255
    access-list 44 permit 192.168.0.0 0.0.15.255

    BR,

  9. Shaffeel says:

    1. access-list 101 deny 180.34.80.133 0.16.128.96 150.100.32.128 0.0.0.2
    2. access-list 101 permit 19.55.4.0 64.0.17.0
    access-list 101 permit 79.55.4.0 0.0.17.0
    access-list 101 permit 79.56.4.0 0.0.17.0
    3. access-list 101 deny 124.130.1.18 0.64.0.0
    access-list 101 deny 132.130.1.18 0.64.0.0
    access-list 101 permit 124.130.1.16 0.34.0.31
    access-list 101 permit 132.130.1.16 0.64.0.31
    line vty 0 4
    access-class 101 in
    4. access-list 44 permit 150.100.0.0 92.205.15.0

  10. Peter says:

    Hi all,

    I don’t think I am the first one, but let’s try my luck (and my knowledge ;-)

    1.
    access-list 100 deny ip 180.34.80.133 0.16.128.96 150.100.32.128 0.0.0.126
    access-list 100 permit ip any any

    2.
    access-list 2 permit (deny) 19.55.4.0 64.0.9.255
    access-list 2 permit (deny) 79.55.4.0 0.1.16.255

    3.
    access-list 3 deny 124.130.1.18 0.64.0.0
    access-list 3 deny 132.130.1.18 0.64.0.0
    (can be access-list 3 deny 124.130.1.18 8.64.0.0)
    access-list 3 permit 124.130.1.16 8.64.0.11

    4.
    access-list 44 permit 150.100.0.0 0.0.15.255

    Anyway, IMO this stuff is just to stress people a bit more and get some points off the score – very easy to make a mistake…

  11. Gunnar says:

    Q1
    permit 180.34.80.133 0.16.128.96 150.100.32.0 0.0.0.254
    deny 180.34.80.133 0.16.128.96 150.100.32.128 0.0.0.127
    permit 180.34.80.133 0.16.128.96 150.100.32.0 0.0.0.255

    Q2
    19.55.4.0 0.0.1.0
    19.55.12.0 0.0.1.0
    79.55.4.0 0.1.0.0
    79.55.20.0 0.1.0.0
    83.55.4.0 0.0.1.0
    83.55.12.0 0.0.1.0

    Q3
    deny 132.130.1.18 0.96.0.0
    deny 124.130.1.18 0.96.0.0
    permit 132.130.1.16 0.96.0.3
    permit 132.130.1.24 0.96.0.3
    permit 124.130.1.16 0.96.0.3
    permit 124.130.1.24 0.96.0.3

    Q4
    access-list 44 permit 192.168.0.0 0.1.15.255
    access-list 44 permit 150.100.0.0 0.0.15.255

  12. Tolu Ogunsina says:

    Question 1
    access-list 100 deny ip 180.34.80.133 0.16.128.96 150.100.32.128 0.0.0.126

    access-list 100 permit ip any any

    Question 2.
    access-list 10 permit 19.55.4.0 64.0.9.0
    access-list 10 permit 79.55.4.0 0.0.16.0
    access-list 10 permit 79.56.4.0 0.0.16.0

    Question 3.
    access-list 10 deny 132.130.1.18 0.64.0.0
    access-list 10 permit 132.130.1.16 0.64.0.11
    access-list 10 deny 124.130.1.18 0.64.0.0
    access-list 10 permit 124.130.1.16 0.64.0.11

    Question 4.
    access-list 44 permit 150.100.0.0 0.0.15.255
    access-list 44 permit 192.168.0.0 0.1.255.0

  13. NTllect says:

    ip access-list extended TASK1
    deny ip 180.34.80.133 0.16.128.96 150.100.32.0 0.0.0.254
    permit ip any any
    ip access-list standard DISTRIBUTE-LIST-TASK2
    permit 19.55.5.0 64.0.8.0
    permit 3.55.4.0 64.0.16.0
    permit 79.56.4.0 0.0.16.0
    ip access-list standard VTY_ACL-TASK3
    permit 4.130.1.16 248.64.0.10
    permit 4.130.1.17 248.64.0.10
    ip access-list standard VTY_ACL-TASK4
    deny 4.130.1.18 248.0.0.0
    deny 4.194.1.18 248.0.0.0
    !
    ip access-list standard MERGE-TASK5
    permit 150.100.0.0 0.0.15.255
    permit 192.168.0.0 0.1.15.255

    Nice stuff, Scott. BTW, I saw one comment ;)

  14. Pete says:

    Tough one :)

    Q1-
    access-list 101 permit 180.34.80.133 0.16.128.96 150.100.32.128 0.0.0.126

    Q2-
    access-list 2 permit 19.55.4.0 64.0.9.0
    access-list 2 permit 79.55.4.0 0.0.16.0
    access-list 2 permit 79.56.4.0 0.0.16.0

    Q3-
    access-list 3 permit 124.130.1.16 0.64.0.11
    access-list 3 permit 132.130.1.16 0.64.0.11
    access-list 3 deny 124.130.1.18 0.64.0.0
    access-list 3 deny 132.130.1.18 0.64.0.0

    Q4-
    access-list 104 permit 150.100.0.0 0.0.15.255 any
    access-list 104 permit 192.168.0.0 0.1.0.0 255.255.240.0 0.0.15.0

    Pete

  15. Shai says:

    hello

    i cannot understand something – every example here have bunch of /24 subnets – yet all access-lists have .0 as the last octet – why is that ? shouldn’t it be .255 for all bits ?

    P.S.
    sorry if the answer was implied somewhere and i missed it somehow …

    thanks
    Shai

  16. The contest part is now closed. Comments should be approved and appearing here.

    Next I get to go through them all, and see who won!

    I will also be posting the answers fairly shortly.

    Scott

  17. One more answer had slipped in which I missed:

    Dear Scott,

    The solutions for the binary math2 brainteasers:

    1. You have hosts on 150.100.32.0/24. Make sure the following addresses are not allowed to access any even-numbered server in the second-half of your IP range. All other access should be allowed.

    access-list 100 deny ip 180.34.80.133 0.16.128.96 150.100.32.128 0.0.0.126

    access-list 100 permit ip any any

    Explanation:

    Summarizing the source addresses:

    We have 16 ClassB addresses. First octet is the same for each. 2nd, 3rd, 4th octet differs.

    We can create 4 piece of subnet-bundle with 4 subnet in each, where subnets have 3 octet in common:

    1st group

    180.34.80.133

    180.34.80.165

    180.34.80.197

    180.34.80.229

    2nd group

    180.34.208.133

    180.34.208.165

    180.34.208.197

    180.34.208.229

    3rd group

    180.50.80.133

    180.50.80.165

    180.50.80.197

    180.50.80.229

    4th group

    180.50.208.133

    180.50.208.165

    180.50.208.197

    180.50.208.229

    3 different octets mean 3 places where we can summarize.

    2nd octets are

    34

    50

    In decimal.

    2nd octets are

    00100010

    00110010

    In binary

    The bitstrings have 7 bits in common. Where bits are common, we “don’t care” in the WC mask so bits will be 0.

    The summarized bitstring is

    00010000 in binary, that is 16 in decimal.

    3rd octet are

    80

    208

    In decimal

    3rd octets are

    01010000

    11010000

    In binary

    The bitstrings have 7 bits in common. Where bits are common, we “don’t care” in the WC mask so bits will be 0.

    The summarized bitstring is

    10000000

    In binary, that is 128 in decimal.

    4th octets are

    133

    165

    197

    229

    In decimal

    4th octet are

    10000101

    10100101

    11000101

    11100101

    The bitstrings have 6 bits in common. Where bits are common, we “don’t care” in the WC mask so bits will be 0.

    The summarized bitstring is

    01100000

    In binary, that is 96 in decimal.

    The first 8 address can be summarized as follows:

    1st group

    180.34.80.133

    180.34.80.165

    180.34.80.197

    180.34.80.229

    2nd group

    180.34.208.133

    180.34.208.165

    180.34.208.197

    180.34.208.229

    First two octet are common so WC mask will be 0.

    Third octet are 80 and 208. These can covered with WC mask 128.

    4th octets can be covered with WC mask 96.

    The summarization of the 8 addresses is 180.34.80.133 0.0.128.96

    The second 8 address can be summarized as follows:

    1st group

    180.50.80.133

    180.50.80.165

    180.50.80.197

    180.50.80.229

    2nd group

    180.50.208.133

    180.50.208.165

    180.50.208.197

    180.50.208.229

    First two octet are common so WC mask will be 0.

    Third octet are 80 and 208. These can covered with WC mask 128.

    4th octets can be covered with WC mask 96.

    The summarization of the 8 addresses is 180.50.80.133 0.0.128.96

    The first and the second summarizations:

    180.34.80.133 0.0.128.96

    180.50.80.133 0.0.128.96

    Only the second octets are different, and can be covered with WC mask 16 (as explained earlier)

    So the full summarization of source addresses is:

    180.34.80.133 0.16.128.96

    180.34.80.133

    180.34.80.165

    180.34.80.197

    180.34.80.229

    180.34.208.133

    180.34.208.165

    180.34.208.197

    180.34.208.229

    180.50.80.133

    180.50.80.165

    180.50.80.197

    180.50.80.229

    180.50.208.133

    180.50.208.165

    180.50.208.197

    180.50.208.229

    3 octets differ.

    We can summarize all of them.

    34 00100010

    50 00110010

    ----------------

    WC 00010000 = 16 in decimal

    80 01010000

    208 11010000

    ----------------

    WC 10000000 = 128 in decimal

    133 10000101

    165 10100101

    197 11000101

    229 11100101

    ----------------

    WC 01100000 = 96 in decimal

    180.34.80.133

    180.34.80.165

    180.34.80.197

    180.34.80.229

    Summarized as 180.34.80.133 0.0.0.96

    180.34.208.133

    180.34.208.165

    180.34.208.197

    180.34.208.229

    Summarized as 180.34.208.133 0.0.0.96

    180.50.80.133

    180.50.80.165

    180.50.80.197

    180.50.80.229

    Summarized as 180.50.80.133 0.0.0.96

    180.50.208.133

    180.50.208.165

    180.50.208.197

    180.50.208.229

    Summarized as 180.50.208.133 0.0.0.96

    180.34.80.133 0.0.0.96 and 180.34.208.133 0.0.0.96 can be further summarized as 180.34.80.133 0.0.128.96 (summarizing the 3rd octets).

    180.50.80.133 0.0.0.96 and 180.50.208.133 0.0.0.96 can be further summarized as 180.50.80.133 0.0.128.96 (summarizing the 3rd octets).

    180.34.80.133 0.0.128.96 and 180.50.80.133 0.0.128.96 can be further summarized, summarizing the 2nd octets: 180.34.80.133 0.16.128.96

    Destination addresses are 150.100.32.128 – 150.100.32.254 in the 150.100.32.0/24 subnet

    The last octet of these addresses:

    10000000

    10000010

    10000100

    11111110

    The most significant bits are always 1 the leasts are always 0. Common bits are 0 in the WC mask, so WC mask will be 01111110 in binary, 126 in decimal. The even-numbered servers in upper half of the subnet 150.100.32.0/24 are covered with 150.100.32.128 0.0.0.126

    The access-list will be:

    access-list 100 deny ip 180.34.80.133 0.16.128.96 150.100.32.128 0.0.0.126

    access-list 100 permit ip any any

    2. Second task

    access-list 90 permit 19.55.4.0 64.0.9.0

    access-list 90 permit 79.55.4.0 0.0.16.0

    access-list 90 permit 79.56.4.0 0.0.16.0

    Expl.

    19.55.4.0/24

    19.55.5.0/24

    19.55.12.0/24

    19.55.13.0/24

    4 00000100

    5 00000101

    12 00001100

    13 00001101

    ----------------

    WC 00001001

    These 4 networks can be summarized as 19.55.4.0 0.0.9.0

    83.55.4.0/24

    83.55.5.0/24

    83.55.12.0/24

    83.55.13.0/24

    4 00000100

    5 00000101

    12 00001100

    13 00001101

    ----------------

    WC 00001001

    These 4 networks can be summarized as 83.55.4.0 0.0.9.0

    The 2 summarized networks are

    19.55.4.0 0.0.9.0

    83.55.4.0 0.0.9.0

    Only the first octet differs. Can be summarized:

    19 00010011

    83 01010011

    ----------------

    WC 01000000 = 64 in decimal

    So we can further summarize as: 19.55.4.0 64.0.9.0

    79.55.4.0/24

    79.55.20.0/24

    3rd octet differs, we can summarize as follows:

    4 00000100

    20 00010100

    ----------------

    WC 00010000 = 16 in decimal

    So we can summarize as: 79.55.4.0 0.0.16.0

    79.56.4.0/24

    79.56.20.0/24

    Same.

    We can summarize as: 79.56.4.0 0.0.16.0

    55 00110111

    56 00111000

    ----------------

    WC 00001111 = 15 decimal, well-known mask, would overlap several networks

    55 and 56 cannot be summarized without overlapping other networks.

    So the final summarization is:

    access-list 90 permit 19.55.4.0 64.0.9.0

    access-list 90 permit 79.55.4.0 0.0.16.0

    access-list 90 permit 79.56.4.0 0.0.16.0

    3. The following hosts should be allowed to telnet into your router:

    132.130.1.16
    132.194.1.16
    132.130.1.17
    132.194.1.17
    132.130.1.19
    132.194.1.19
    132.130.1.24
    132.194.1.24
    132.130.1.25
    132.194.1.25
    132.130.1.26
    132.194.1.26
    132.130.1.27
    132.194.1.27
    124.130.1.16
    124.194.1.16
    124.130.1.17
    124.194.1.17
    124.130.1.19
    124.194.1.19
    124.130.1.24
    124.194.1.24
    124.130.1.25
    124.194.1.25
    124.130.1.26
    124.194.1.26
    124.130.1.27
    124.194.1.27

    Create an ACL to use as an access-class on the VTY ports. Use as few lines as possible. You must use two “deny” statements in your ACL.

    132.130.1.18 (deny)
    132.194.1.18 (deny)

    124.130.1.18 (deny)
    124.194.1.18 (deny)

    Solution:

    access-list 77 deny 124.130.1.18 0.64.0.0

    access-list 77 deny 132.130.1.18 0.64.0.0

    access-list 77 permit 124.130.1.16 0.64.0.11

    access-list 77 permit 132.130.1.16 0.64.0.11

    Explanation:

    First octets are 124 and 132

    Second octets 130 and 194

    Third octet is always 1

    Fourth octets are 16,17,19,24,25,26,27

    124 01111100

    132 10000100

    - - - - - - - - - - - - - - - -

    WC 11111000 = 248 in decimal but would overlap several networks (addresses)

    130 10000010

    194 11000010

    - - - - - - - - - - - - - - - -

    WC 01000000 = 64 in decimal

    16 00010000

    17 00010001

    18 00010010 —— WE WILL OVERLAP 18! and filter it later

    19 00010011

    - - - - - - - - - - - - - - - -

    WC 00000011 = 3 in decimal

    24 00011000

    25 00011001

    26 00011010

    27 00011011

    - - - - - - - - - - - - - - - -

    WC 00000011 = 3 in decimal

    130 and 194 on the 2nd octet will be summarized with WC mask 64.

    124.130.1.16

    124.130.1.17

    124.130.1.18 (overlapped)

    124.130.1.19

    Summarized as 124.130.1.16 0.64.0.3

    124.130.1.24

    124.130.1.25

    124.130.1.26

    124.130.1.27

    Summarized as 124.130.1.24 0.64.0.3

    132.130.1.16

    132.130.1.17

    132.130.1.18 (overlapped)

    132.130.1.19

    Summarized as 132.130.1.16 0.64.0.3

    132.130.1.24

    132.130.1.25

    132.130.1.26

    132.130.1.27

    Summarized as 132.130.1.24 0.64.0.3

    124.130.1.16 0.64.0.3 and 124.130.1.24 0.64.0.3 can be further summarized as 124.130.1.16 0.64.0.11 because

    16 00010000

    17 00010001

    18 00010010 —— WE WILL OVERLAP 18! and filter it later

    19 00010011

    24 00011000

    25 00011001

    26 00011010

    27 00011011

    - - - - - - - - - - - - - - - -

    WC 00001011 = 11 in decimal

    132.130.1.16 0.64.0.3 and 132.130.1.24 0.64.0.3 can be further summarized as 132.130.1.16 0.64.0.11

    The final summarization will be:

    124.130.1.16 0.64.0.11

    132.130.1.16 0.64.0.11

    We have overlapped 4 addresses

    124.130.1.18

    124.194.1.18

    132.130.1.18

    132.194.1.18

    These addresses should be summarized and denied by the ACL.

    These can be summarized as follows:

    124.130.1.18 0.64.0.0

    132.130.1.18 0.64.0.0

    The access-list will be:

    access-list 77 deny 124.130.1.18 0.64.0.0

    access-list 77 deny 132.130.1.18 0.64.0.0

    access-list 77 permit 124.130.1.16 0.64.0.11

    access-list 77 permit 132.130.1.16 0.64.0.11

    4. You have one router configured with a prefix-list in BGP:

    ip prefix-list GoodRoutes permit 192.168.0.0/15 ge 20 le 24

    You want the same information configured on a different router, but you need to integrate this with your existing BGP distribute-list. Your current BGP distribute-list is:

    access-list 44 permit 150.100.0.0 0.0.0.255
    access-list 44 permit 150.100.1.0 0.0.0.255
    access-list 44 permit 150.100.2.0 0.0.0.255
    access-list 44 permit 150.100.3.0 0.0.0.255
    access-list 44 permit 150.100.4.0 0.0.0.255
    access-list 44 permit 150.100.5.0 0.0.0.255
    access-list 44 permit 150.100.6.0 0.0.0.255
    access-list 44 permit 150.100.7.0 0.0.0.255
    access-list 44 permit 150.100.8.0 0.0.0.255
    access-list 44 permit 150.100.9.0 0.0.0.255
    access-list 44 permit 150.100.10.0 0.0.0.255
    access-list 44 permit 150.100.11.0 0.0.0.255
    access-list 44 permit 150.100.12.0 0.0.0.255
    access-list 44 permit 150.100.13.0 0.0.0.255
    access-list 44 permit 150.100.14.0 0.0.0.255
    access-list 44 permit 150.100.15.0 0.0.0.255

    Create a new BGP distribute-list in as few lines as possible.

    The 16 existing networks can be summarized as

    access-list 44 permit 150.100.0.0 0.0.15.0

    The prefix-list

    ip prefix-list GoodRoutes permit 192.168.0.0/15 ge 20 le 24

    means the 15 most significant bits must match; the 16th bit can be 0 or 1, so the second octet can be 168 or 169.

    The prefix-list covers /20 /21 /22 /23 and /24 networks.

    /24 networks:

    192.168.0.0/24 — 192.169.255.0/24 These can be covered with 192.168.0.0 0.1.255.0

    /23 networks:

    192.168.0.0/23 — 192.169.254.0/23 These can be covered with 192.168.0.0 0.1.254.0

    /22 networks:

    192.168.0.0/22 — 192.169.252.0/22 These can be covered with 192.168.0.0 0.1.252.0

    /21 networks:

    192.168.0.0/21 — 192.169.248.0/21 These can be covered with 192.168.0.0 0.1.248.0

    /20 networks:

    192.168.0.0/20 — 192.169.240.0/20 These can be covered with 192.168.0.0 0.1.240.0

    Access-list matching logic differs from prefix-list matching logic: only exact matches count.

    So these networks cannot be summarized further.

    The new final ACL will be:

    access-list 44 permit 150.100.0.0 0.0.15.0

    access-list 44 permit 192.168.0.0 0.1.255.0

    access-list 44 permit 192.168.0.0 0.1.254.0

    access-list 44 permit 192.168.0.0 0.1.252.0

    access-list 44 permit 192.168.0.0 0.1.248.0

    access-list 44 permit 192.168.0.0 0.1.240.0

    Best regards,

    Csaba KISS
    Email: csaba.kiss@nextiraone.hu
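    The wildcard-summary-then-deny technique from question 3 above, as an added worked example that is not part of the comment: it derives a wildcard mask from a host list the way the comment does (bits that differ become 1), lists the extra addresses the summary accidentally covers, and then evaluates the resulting ACL 77 against the intended permit and deny lists. The host lists are constructed from the question; the function names are my own.

```python
"""Added example: verify a wildcard-mask summary and the resulting standard ACL."""
import ipaddress
from itertools import product

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def to_str(n):
    return str(ipaddress.IPv4Address(n))

def wildcard_summary(addrs):
    """Base keeps the bits common to all addrs; differing bits become 1 in the wildcard.
    Returns (base, wildcard, extras): extras are addresses the summary covers that were
    not in the input, i.e. the 'overlap' the comment filters with deny lines."""
    ints = [to_int(a) for a in addrs]
    base, ors = ints[0], 0
    for i in ints:
        base &= i
        ors |= i
    wc = ors ^ base
    bits = [b for b in range(32) if (wc >> b) & 1]
    covered = set()
    for combo in product((0, 1), repeat=len(bits)):  # every address the wildcard matches
        v = base
        for bit, on in zip(bits, combo):
            v |= on << bit
        covered.add(v)
    extras = sorted(covered - set(ints))
    return to_str(base), to_str(wc), [to_str(e) for e in extras]

def acl_decision(acl, addr):
    """First matching line wins; a Cisco standard ACL ends with an implicit deny."""
    a = to_int(addr)
    for action, base, wc in acl:
        mask = ~to_int(wc) & 0xFFFFFFFF  # wildcard bit 1 = don't care
        if a & mask == to_int(base) & mask:
            return action
    return "deny"

# Constructed from question 3: 28 hosts to permit, four .18 hosts to deny.
ALLOWED = [f"{a}.{b}.1.{d}" for a, b, d in
           product((124, 132), (130, 194), (16, 17, 19, 24, 25, 26, 27))]
DENIED = [f"{a}.{b}.1.18" for a, b in product((124, 132), (130, 194))]

ACL_77 = [  # the comment's solution as (action, address, wildcard)
    ("deny", "124.130.1.18", "0.64.0.0"),
    ("deny", "132.130.1.18", "0.64.0.0"),
    ("permit", "124.130.1.16", "0.64.0.11"),
    ("permit", "132.130.1.16", "0.64.0.11"),
]

def acl_is_correct(acl=ACL_77):
    """True only if every allowed host is permitted and every denied host is denied."""
    return (all(acl_decision(acl, h) == "permit" for h in ALLOWED)
            and all(acl_decision(acl, h) == "deny" for h in DENIED))
```

Feeding `wildcard_summary` the 124.x hosts reproduces the comment's 124.130.1.16 0.64.0.11 line and reports 124.130.1.18 and 124.194.1.18 as the overlap that the deny lines must remove.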

  18. Rafał Dworaczek says:

    My solutions

    Question 1:
    deny ip 180.34.80.133 0.16.128.96 150.100.32.128 0.0.0.126
    permit ip any any

    Question 2:
    permit 50 ip 19.55.4.0 64.0.9.0
    permit 50 ip 79.55.4.0 0.0.16.0
    permit 50 ip 79.56.4.0 0.0.16.0

  19. Bhuvanesh says:

    Hi,

    Is there any practice book available for such wonderful stuff, to be stronger on this part?

    Because it needs more practice to be on tips.

    Brgds
    Bhuvanesh Rajput
