is there any practice book available for such wonderful stuff to be stronger on this part?

Because it needs more practice to be on tips..

Brgds
Bhuvanesh Rajput

Question 1:
deny ip 180.34.80.133 0.16.128.96 150.100.32.128 0.0.0.126
permit ip any any

Question 2:
permit 50 ip 19.55.4.0 64.0.9.0
permit 50 ip 79.55.4.0 0.0.16.0
permit 50 ip 79.56.4.0 0.0.16.0

Dear Scott,

The solutions for the binary math2 brainteasers:

1. 1. You have hosts on 150.100.32.0/24. Make sure the following addresses are not allowed to access any even-numbered server in the second-half of your IP range. All other access should be allowed.

access-list 100 deny ip 180.34.80.133 0.16.128.96 150.100.32.128 0.0.0.126

access-list 100 permit ip any any

Explanation:

Summarizing the source addresses:

We have 16 ClassB addresses. First octet is the same for each. 2nd, 3rd, 4th octet differs.

We can create 4 piece of subnet-bundle with 4 subnet in each, where subnets have 3 octet in common:

1st group

180.34.80.133

180.34.80.165

180.34.80.197

180.34.80.229

2nd group

180.34.208.133

180.34.208.165

180.34.208.197

180.34.208.229

3rd group

180.50.80.133

180.50.80.165

180.50.80.197

180.50.80.229

4th group

180.50.208.133

180.50.208.165

180.50.208.197

180.50.208.229

3 different octets mean 3 places where we can summarize.

2nd octets are

34

50

In decimal.

2nd octets are

00100010

00110010

In binary

The bitstrings have 7 bits in common. Where bits are common, we „dont care” in the WC mask so bits will be 0.

The summarized bitstring is

00010000 in binary, that is 16 in decimal.

3rd octet are

80

208

In decimal

3rd octets are

01010000

11010000

In binary

The bitstrings have 7 bits in common. Where bits are common, we „dont care” in the WC mask so bits will be 0.

The summarized bitstring is

10000000

In binary, that is 128 in decimal.

4th octets are

133

165

197

229

In decimal

4th octet are

10000101

10100101

11000101

11100101

The bitstrings have 6 bits in common. Where bits are common, we „dont care” in the WC mask so bits will be 0.

The summarized bitstring is

01100000

In binary, that is 96 in decimal.

The first 8 address can be summarized as follows:

1st group

180.34.80.133

180.34.80.165

180.34.80.197

180.34.80.229

2nd group

180.34.208.133

180.34.208.165

180.34.208.197

180.34.208.229

First two octet are common so WC mask will be 0.

Third octet are 80 and 208. These can covered with WC mask 128.

4th octets can be covered with WC mask 96.

The summarization of the 8 addresses is 180.34.80.133 0.0.128.96

The second 8 address can be summarized as follows:

1st group

180.50.80.133

180.50.80.165

180.50.80.197

180.50.80.229

2nd group

180.50.208.133

180.50.208.165

180.50.208.197

180.50.208.229

First two octet are common so WC mask will be 0.

Third octet are 80 and 208. These can covered with WC mask 128.

4th octets can be covered with WC mask 96.

The summarization of the 8 addresses is 180.50.80.133 0.0.128.96

The first and the second summarizations:

180.34.80.133 0.0.128.96

180.50.80.133 0.0.128.96

Only the second octets are different, and can be covered with WC mask 16 (as explained earlier)

So the full summarization of source addresses is:

180.34.80.133 0.16.128.96

180.34.80.133

180.34.80.165

180.34.80.197

180.34.80.229

180.34.208.133

180.34.208.165

180.34.208.197

180.34.208.229

180.50.80.133

180.50.80.165

180.50.80.197

180.50.80.229

180.50.208.133

180.50.208.165

180.50.208.197

180.50.208.229

3 octets differ.

We can summarize all of them.

34 00100010

50 00110010

– - – - – - – - – - – - – - – -

WC 00010000 = 16 in decimal

80 01010000

208 11010000

– - – - – - – - – - – - – - – -

WC 10000000 = 128 in decimal

133 10000101

165 10100101

197 11000101

229 11100101

– - – - – - – - – - – - – - – -

WC 01100000 = 96 in decimal

180.34.80.133

180.34.80.165

180.34.80.197

180.34.80.229

Summarized as 180.34.80.133 0.0.0.96

180.34.208.133

180.34.208.165

180.34.208.197

180.34.208.229

Summarized as 180.34.208.133 0.0.0.96

180.50.80.133

180.50.80.165

180.50.80.197

180.50.80.229

Summarized as 180.50.80.133 0.0.0.96

180.50.208.133

180.50.208.165

180.50.208.197

180.50.208.229

Summarized as 180.50.208.133 0.0.0.96

180.34.80.133 0.0.0.96 and 180.34.208.133 0.0.0.96 can be further summarized as 180.34.80.133 0.0.128.96 (summarizing the 3rd octets).

180.50.80.133 0.0.0.96 and 180.50.208.133 0.0.0.96 can be further summarized as 180.50.80.133 0.0.128.96 (summarizing the 3rd octets).

180.34.80.133 0.0.128.96 and 180.50.80.133 0.0.128.96 can be further summarized, summarizing the 2nd octets: 180.34.80.133 0.16.128.96

Destination addresses are 150.100.32.128 – 150.100.32.254 in the 150.100.32.0/24 subnet

The last octet of these addresses:

10000000

10000010

10000100

…

11111110

The most significant bits are always 1 the leasts are always 0. Common bits are 0 in the WC mask, so WC mask will be 01111110 in binary, 126 in decimal. The even-numbered servers in upper half of the subnet 150.100.32.0/24 are covered with 150.100.32.128 0.0.0.126

The access-list will be:

access-list 100 deny ip 180.34.80.133 0.16.128.96 150.100.32.128 0.0.0.126

access-list 100 permit ip any any

2. Second task

access-list 90 permit 19.55.4.0 64.0.9.0

access-list 90 permit 79.55.4.0 0.0.16.0

access-list 90 permit 79.56.4.0 0.0.16.0

Expl.

19.55.4.0/24

19.55.5.0/24

19.55.12.0/24

19.55.13.0/24

4 00000100

5 00000101

12 00001100

13 00001101

- – - – - – - – - – - – -

WC 00001001

These 4 networks can be summarized as 19.55.4.0 0.0.9.0

83.55.4.0/24

83.55.5.0/24

83.55.12.0/24

83.55.13.0/24

4 00000100

5 00000101

12 00001100

13 00001101

- – - – - – - – - – - – -

WC 00001001

These 4 networks can be summarized as 83.55.4.0 0.0.9.0

The 2 summarized networks are

19.55.4.0 0.0.9.0

83.55.4.0 0.0.9.0

Only the first octet differs. Can be summarized:

19 00010011

83 01010011

– - – - – - – - – - – - –

WC 01000000 = 64 in decimal

So we can further summarize as: 19.55.4.0 64.0.9.0

79.55.4.0/24

79.55.20.0/24

3rd octet differs, we can summarize as follows:

4 00000100

20 00010100

– - – - – - – - – - – - –

WC 00010000 = 16 in decimal

So we can summarize as: 79.55.4.0 0.0.16.0

79.56.4.0/24

79.56.20.0/24

Same.

We can summarize as: 79.56.4.0 0.0.16.0

55 00110111

56 00111000

– - – - – - – - – - – - –

WC 00001111 = 15 decimal, well-known mask, would overlap several networks

55 and 56 cannot be summarized without overlapping other networks.

So the final summarization is:

access-list 90 permit 19.55.4.0 64.0.9.0

access-list 90 permit 79.55.4.0 0.0.16.0

access-list 90 permit 79.56.4.0 0.0.16.0

3. The following hosts should be allowed to telnet into your router:

132.130.1.16
132.194.1.16
132.130.1.17
132.194.1.17
132.130.1.19
132.194.1.19
132.130.1.24
132.194.1.24
132.130.1.25
132.194.1.25
132.130.1.26
132.194.1.26
132.130.1.27
132.194.1.27
124.130.1.16
124.194.1.16
124.130.1.17
124.194.1.17
124.130.1.19
124.194.1.19
124.130.1.24
124.194.1.24
124.130.1.25
124.194.1.25
124.130.1.26
124.194.1.26
124.130.1.27
124.194.1.27

Create an ACL to use as an access-class on the VTY ports. Use as few lines as possible. You must use two “deny” statements in your ACL.

132.130.1.18 (deny)
132.194.1.18 (deny)

124.130.1.18 (deny)
124.194.1.18 (deny)

Solution:

access-list 77 deny 124.130.1.18 0.64.0.0

access-list 77 deny 132.130.1.18 0.64.0.0

access-list 77 permit 124.130.1.16 0.64.0.11

access-list 77 permit 132.130.1.16 0.64.0.11

Explanation:

First octets are 124 and 132

Second octets 130 and 194

Third octet are always 1

Fourth octets are 16,17,19,24,25,26,27

124 01111100

132 10000100

– - – - – - – - – - – - – - – -

WC 11111000 = 248 in decimal but would overlap several networks (addresses)

130 10000010

194 11000010

– - – - – - – - – - – - – - – -

WC 01000000 = 64 in decimal

16 00010000

17 00010001

18 00010010 —— WE WILL OVERLAP 18 ! and filter it later

19 00010011

– - – - – - – - – - – - – - – -

WC 00000011 = 3 in decimal

24 00011000

25 00011001

26 00011010

27 00011011

- – - – - – - – - – - – - – - –

WC 00000011 = 3 in decimal

130 and 194 on the 2nd octet will be summarized with WC mask 64.

124.130.1.16

124.130.1.17

124.130.1.18 (overlapped)

124.130.1.19

Summarized as 124.130.1.16 0.64.0.3

124.130.1.24

124.130.1.25

124.130.1.26

124.130.1.27

Summarized as 124.130.1.24 0.64.0.3

132.130.1.16

132.130.1.17

132.130.1.18 (overlapped)

132.130.1.19

Summarized as 132.130.1.16 0.64.0.3

132.130.1.24

132.130.1.25

132.130.1.26

132.130.1.27

Summarized as 132.130.1.24 0.64.0.3

124.130.1.16 0.64.0.3 and 124.130.1.24 0.64.0.3 can be further summarized as 124.130.1.16 0.64.0.11 because

16 00010000

17 00010001

18 00010010 —— WE WILL OVERLAP 18 ! and filter it later

19 00010011

24 00011000

25 00011001

26 00011010

27 00011011

- – - – - – - – - – - – - – - –

WC 00001011 = 11 in decimal

132.130.1.16 0.64.0.3 and 132.130.1.24 0.64.0.3 can be further summarized as 132.130.1.16 0.64.0.11

The final summarization will be:

124.130.1.16 0.64.0.11

132.130.1.16 0.64.0.11

We have overlapped 4 addresses

124.130.1.18

124.194.1.18

132.130.1.18

132.194.1.18

These addresses should be summarized and denied by the ACL.

These can summarized as follows:

124.130.1.18 0.64.0.0

132.130.1.18 0.64.0.0

The access-list will be:

access-list 77 deny 124.130.1.18 0.64.0.0

access-list 77 deny 132.130.1.18 0.64.0.0

access-list 77 permit 124.130.1.16 0.64.0.11

access-list 77 permit 132.130.1.16 0.64.0.11

4. You have one router configured with a prefix-list in BGP:

ip prefix-list GoodRoutes permit 192.168.0.0/15 ge 20 le 24

You want the same information configured on a different router, but you need to integrate this with your existing BGP distribute-list. Your current BGP distribute-list is:

access-list 44 permit 150.100.0.0 0.0.0.255
access-list 44 permit 150.100.1.0 0.0.0.255
access-list 44 permit 150.100.2.0 0.0.0.255
access-list 44 permit 150.100.3.0 0.0.0.255
access-list 44 permit 150.100.4.0 0.0.0.255
access-list 44 permit 150.100.5.0 0.0.0.255
access-list 44 permit 150.100.6.0 0.0.0.255
access-list 44 permit 150.100.7.0 0.0.0.255
access-list 44 permit 150.100.8.0 0.0.0.255
access-list 44 permit 150.100.9.0 0.0.0.255
access-list 44 permit 150.100.10.0 0.0.0.255
access-list 44 permit 150.100.11.0 0.0.0.255
access-list 44 permit 150.100.12.0 0.0.0.255
access-list 44 permit 150.100.13.0 0.0.0.255
access-list 44 permit 150.100.14.0 0.0.0.255
access-list 44 permit 150.100.15.0 0.0.0.255

Create a new BGP distribute-list in as few lines as possible.

The 16 existing networks can be summarized as

access-list 44 permit 150.100.0.0 0.0.15.0

The prefix-list

ip prefix-list GoodRoutes permit 192.168.0.0/15 ge 20 le 24

means the 15 most significant bits must match , the 16th bit can be 0 or 1, so the second octet can be 168 or 169.

The prefix-list covers /20 /21 /22 /23 and /24 networks.

/24 networks:

192.168.0.0/24 — 192.169.255.0/24 These can be covered with 192.168.0.0 0.1.255.0

/23 networks:

192.168.0.0/23 — 192.169.254.0/23 These can be covered with 192.168.0.0 0.1.254.0

/22 networks:

192.168.0.0/22 — 192.169.252.0/24 These can be covered with 192.168.0.0 0.1.252.0

/21 networks:

192.168.0.0/21 — 192.169.248.0/21 These can be covered with 192.168.0.0 0.1.248.0

/20 networks:

192.168.0.0/22 — 192.169.240.0/22 These can be covered with 192.168.0.0 0.0.240.0

Access-list matching logic differs from prefix-list matching logic: only exact matches count.

So these networks cannot be summarized further.

The new final ACL will be:

access-list 44 permit 150.100.0.0 0.0.15.0

access-list 44 permit 192.168.0.0 0.1.255.0

access-list 44 permit 192.168.0.0 0.1.254.0

access-list 44 permit 192.168.0.0 0.1.252.0

access-list 44 permit 192.168.0.0 0.1.248.0

access-list 44 permit 192.168.0.0 0.1.240.0

Best regards,

Csaba KISS
Email: csaba.kiss@nextiraone.hu

Next I get to go through them all, and see who won!

I will also be posting the answers fairly shortly.

Scott

i cannot understand something – every example here have bunch of /24 subnets – yet all access-lists have .0 as the last octet – why is that ? shouldn’t it be .255 for all bits ?

P.S.
sorry if the answer was implied somewhere and i missed it somehow …

thanks
Shai