Nov 03

I know, I know...  I promised this a while back, after I did the first part.  Sorry 'bout that!

So we've played around a bit with the access-list idea and some binary matching.  So let's expand our brains even further!

I will start out by telling everyone that I am NOT picking on or otherwise attempting to insult any CCNA's out there by comparing methodology to what is learned in CCNA.  The idea being that there are basic and advanced ways to learn things.

When we all first learned fractions, if anyone attempted to explain more advanced methods of long division, or finite state mathematics, or anything we now consider to be "basic algebra", plain and simple....  our brains would have imploded!  It wouldn't have been pretty at all.

There is a time and a place for everything.  When first beginning as a CCNA, the concept of "network" and "network mask" and wonderful subnets on standard bit-boundaries is good.  It's a starting point.  Just realize that it isn't the end point, and as CCIE Candidates, we need to see beyond those initial learning steps in order to succeed!  If you have stumbled across these blogs, and are still a CCNA, my sincere apologies as I did not mean to offend!  (And my apologies for any induced-brain-implosions!)

Now, all those legal disclaimers aside, it's time to move up a notch in Binary Math.  We're still counting to one, we're just doing it with more finesse now!  So let's start with our first problem for Part II.

Summarize these in as few lines as possible:

168.192.3.0/24
168.192.14.0/24
168.208.11.0/24
168.208.14.0/24
168.208.3.0/24
168.192.11.0/24

Our expansion and brain-freeze difficulty here is that we have differences in two different octets.  Well, I've got one for ya!  Who cares!?!?  The router doesn't.

Let me go out on a limb here and say that ALL access lists in our routers are essentially operating in the exact same fashion.  Now, don't go getting all sulky on me and tell me how they can't all be the same because they're different protocols.  I know that!  :)

But LOGICALLY, it's the same process.  A 200-series ACL is for ethertypes.  They are represented in hexadecimal (for our benefit since ethertype values are routinely expressed in hex).  But the router sees a starting string of 16 bits, and a mask of 16 bits to go with it.

The standard or extended IP ACLs are for IP addresses as we all know.  They are expressed in dotted decimal for OUR benefit.  The router sees a string of 32 bits and a mask of 32 bits.

An 800 series ACL is for IPX.  Again, expressed in hexadecimal for our benefit.  The router sees a starting string of 80 bits and a mask of 80 bits.

An IPv6 ACL is the same thing, only with 128 bits starting strings and masks!!!

You get the idea here.  Same #$*&#, different ACL!  So that idea of "the differences are in different octets"?  The router doesn't see it that way.  So get it out of your head!  Octet boundaries should make no difference to a CCIE Candidate!  That period is just a bump on the road of learning!

Anyway, enough sophomoric digression here...  Let's look at the binary.

Second octet:

192    11000000
208    11010000

There's only one bit of difference, so we can definitely summarize!  Even if we didn't look any further, we can reduce these to three lines now.

access-list 21 permit 168.192.3.0 0.16.0.0
access-list 21 permit 168.192.11.0 0.16.0.0
access-list 21 permit 168.192.14.0 0.16.0.0

And that would work nicely.  So let's look at the third octet:

3    00000011
11    00001011
14    00001110

Well, we end up with three bits of difference there (in the 1-bit, 4-bit and 8-bit positions).  2^3 would give us eight matches here, but we only want three.  That's not cool.  Look more closely at them individually.  14 is really the one that "doesn't belong" or doesn't fit well in the group.  So treat it separately!

Between 3 and 11, there's only one bit of difference (2^1 = 2 matches).  So look at this in conjunction with what we did above.

access-list 21 permit 168.192.3.0 0.16.8.0
access-list 21 permit 168.192.14.0 0.16.0.0

The first line matches four of our original networks, and the second line matches two.  And the fact that the bits are in different octets only bothers us, not the routers!  This is another one of those "not taught like this in CCNA" moments of discovering the ability to change masks on a per-bit basis!
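A small Python helper, added here and not part of the original post, that does the bit-juggling above automatically: it ORs together every bit that differs from the lowest address to get the wildcard, clears those bits to get the starting point IOS will display, and compares 2^k against the number of networks to tell an exact match from an overmatch.

```python
"""Derive one Cisco-style wildcard entry that covers a set of /24 networks and
report whether it matches exactly those networks or overmatches.
Added example, not from the original post; networks are treated as network
identifiers (host octet 0) the way the post writes its entries."""
from ipaddress import IPv4Address


def to_int(dotted: str) -> int:
    return int(IPv4Address(dotted))


def to_dotted(n: int) -> str:
    return str(IPv4Address(n))


def wildcard_entry(networks):
    """Return (base, wildcard, matched) for the single entry covering every
    network in `networks`. The wildcard is the OR of every bit that differs
    from the lowest address; the base is that address with all wildcard bits
    cleared, which is what IOS shows in 'show run' whatever you typed."""
    ints = sorted(to_int(n) for n in networks)
    wild = 0
    for n in ints:
        wild |= n ^ ints[0]
    base = ints[0] & ~wild & 0xFFFFFFFF
    # each wildcard bit doubles the number of networks the entry matches: 2^k
    matched = 1 << bin(wild).count("1")
    return to_dotted(base), to_dotted(wild), matched


def is_exact(networks):
    """True when 2^k == len(networks): the entry permits nothing unlisted.
    False means the entry overmatches and would also permit networks that
    were never in the task, which is the classic ACL mistake to catch."""
    return wildcard_entry(networks)[2] == len(networks)


if __name__ == "__main__":
    # the six networks from the first problem of the post
    task = ["168.192.3.0", "168.192.14.0", "168.208.11.0",
            "168.208.14.0", "168.208.3.0", "168.192.11.0"]
    print(wildcard_entry(task), is_exact(task))         # 4 bits -> 16, not exact
    # split as the post does: the .14.0 networks get their own line
    group_a = [n for n in task if not n.endswith(".14.0")]
    group_b = [n for n in task if n.endswith(".14.0")]
    for group in (group_a, group_b):
        print(wildcard_entry(group), is_exact(group))   # both exact
```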

So let's have a little more fun here....  Summarize these in as few lines as possible:

207.49.164.0/24
208.49.164.0/24
205.49.165.0/24
207.49.165.0/24
192.49.164.0/24

Again, we have varying numbers in two different octets.  One extra step we can take while doing this in the lab (or practicing) is to use Notepad and the Windows Calculator to help.

Notepad is nice because it uses a fixed-width font, so things line up nicely.  By hand, it makes things uglier.  If your handwriting is anything like mine, after a while you can't figure out where the heck your columns are supposed to be lining up!  The other cool part about Notepad is that you can cut and paste to rearrange the order, or put things to the side once you have them matched.

Otherwise, it's all about binary.  The first octet:

192    11000000
205    11001101
207    11001111
208    11010000

Lots of bits of difference there.  Five of them to be exact.  And since 2^5 gives 32 matches, we know it's not going to be that simple!   So start pairing and rearranging!

192    11000000
208    11010000

205    11001101
207    11001111

With those pairs, there's only one bit different between them.  2^1 yields two matches only, so we're good there!  Now, let's look at those pairings with all numbers.  The 192 and 208 addresses match in the second and third octets, so we can remove them.  But we still have variety in the third octet:

164    10100100
165    10100101

Again, one bit of difference makes things nice, but here's our quandary.  We have three items left to match, and no matter how we line things up, a single ACL entry cannot match all three with no extras or leftovers!  (3 is not a power of 2!)  So there will have to be an extra statement no matter how we slice things.

There are actually three different ways to solve this, which makes it very interesting to talk through!

Method 1:

access-list 22 permit 192.49.164.0 16.0.0.0
access-list 22 permit 205.49.165.0 0.0.0.0
access-list 22 permit 207.49.164.0 0.0.1.0

Method 2:

access-list 23 permit 192.49.164.0 16.0.0.0
access-list 23 permit 205.49.165.0 2.0.0.0
access-list 23 permit 207.49.164.0 0.0.0.0

Method 3:

access-list 24 permit 192.49.164.0 16.0.0.0
access-list 24 deny 205.49.164.0 0.0.0.0
access-list 24 permit 205.49.164.0 2.0.1.0

All of the methods give us three lines.  Method 3 includes a "deny" statement, which is handy if the task requires one.  Nice stuff, and again, which octet the bits fall in makes no difference to the router!
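Because a permit that overmatches quietly lets in networks nobody listed, it is worth checking a finished ACL against the task. This added Python checker (not from the original post) walks a standard ACL with first-match and implicit-deny semantics over every address its wildcard bits can reach, using the post's Method 3 and the five networks of that task as input.

```python
"""Check a Cisco-style standard ACL (first match wins, implicit deny at the end)
against the set of networks it was meant to permit. Added example, not from the
original post; METHOD_3 is the post's own Method 3 and INTENDED is that task's
five networks."""
from ipaddress import IPv4Address
from itertools import product

METHOD_3 = """
access-list 24 permit 192.49.164.0 16.0.0.0
access-list 24 deny 205.49.164.0 0.0.0.0
access-list 24 permit 205.49.164.0 2.0.1.0
"""
INTENDED = ["207.49.164.0", "208.49.164.0", "205.49.165.0",
            "207.49.165.0", "192.49.164.0"]

def parse_acl(text):
    """'access-list N permit|deny A.B.C.D W.X.Y.Z' -> (action, addr, wildcard)."""
    rules = []
    for line in text.strip().splitlines():
        _, _, action, addr, wild = line.split()
        rules.append((action, int(IPv4Address(addr)), int(IPv4Address(wild))))
    return rules

def matches(ip, addr, wild):
    # a wildcard bit of 1 means "don't care": only the 0 bits must agree
    return ((ip ^ addr) & ~wild & 0xFFFFFFFF) == 0

def evaluate(rules, ip):
    for action, addr, wild in rules:
        if matches(ip, addr, wild):
            return action
    return "deny"  # the implicit deny at the end of every ACL

def reachable(rules):
    """Every address some entry can reach: expand each entry's wildcard bits."""
    out = set()
    for _, addr, wild in rules:
        bits = [1 << i for i in range(32) if wild >> i & 1]
        for combo in product((0, 1), repeat=len(bits)):
            on = sum(b for b, flag in zip(bits, combo) if flag)
            out.add((addr & ~wild & 0xFFFFFFFF) | on)
    return out

def check(acl_text, intended):
    """Return (extra, missing) as dotted strings; both empty means exact."""
    rules = parse_acl(acl_text)
    want = {int(IPv4Address(n)) for n in intended}
    permitted = {ip for ip in reachable(rules) | want
                 if evaluate(rules, ip) == "permit"}
    return (sorted(str(IPv4Address(i)) for i in permitted - want),
            sorted(str(IPv4Address(i)) for i in want - permitted))
```

`check(METHOD_3, INTENDED)` returns `([], [])`; a lazy one-liner such as `permit 192.49.164.0 31.0.1.0` covers all five but reports 59 extra networks.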

Let's look at one more.  Create an ACL in as few lines as possible to allow the hosts from these networks in:

182.17.77.0/24
182.81.77.0/24
190.17.73.0/24
190.81.73.0/24
190.81.77.0/24
182.17.73.0/24
182.81.73.0/24
190.17.77.0/24

You can also count on the idea that the numbers presented to you will NOT be in numerical order, so they are intentionally presented in a way that is not as simple to visualize!  (Another good idea to use Notepad!)

In this example, we have differences in THREE octets.  No fear though, right!  Same stuff, different example!  The rules have not changed.  Where's the binary?

182    10110110
190    10111110

17    00010001
81    01010001

73    01001001
77    01001101

Notice that in each of the octets, there is only one bit that is different.  2^1 per octet gives us two matches, which is all we have.  More importantly, 2^3 (total of 3 bits in the entire 32-bit mask string) gives us eight matches, which is all we have listed in the task itself!  So we can do the whole thing in just one line!

access-list 25 permit 182.17.73.0 8.64.4.0

See, it wasn't all that bad, was it?

There are some rules and things to make life a little easier....

You can visually look at a scenario and see what the best possible answer is just by the number of matches you need!

If you have eight entries to match, your best possible outcome is one line.   2^3 = 8, so if you find exactly three bits different in all of them, then that's it!  Life doesn't always work that way, but at least you know the minimum!

Likewise, if you have only six things to match, the best you can possibly do is two lines.  2^2 and 2^1.  Or deny 2^1 and permit 2^3.  Still two lines.  You get the idea.

Again, this is IF things work nicely with bit boundaries and stuff.  But at least you won't have to stress out about "I wonder if I can get fewer lines than what I already have"!!!

On larger/longer examples, we can do some additional things to check this out.  Namely, the "network" or "binary starting point" will ALWAYS be your lowest matching value (in other words, every place you have a "1" in the mask, the router will put a "0" value in that position).  To test your mask, type in the ACL with a middle/higher starting point.  As long as the mask is correct, when you look at "show run" or "show access-list" you should see the lowest starting point you expected, since the router clears every masked bit of whatever address you typed.

If you see something that doesn't exist in your list, or is just entirely different...  Well...  You've messed something up!  :)

Another quick check that we can do is to subtract.  When you subtract two numbers and the difference is a power of two, then that's the bit that is different between them.

In the last example here:

190 - 182 = 8
81 - 17 = 64
77 - 73 = 4

And those were our mask values there.  Now, be careful since that doesn't always work!  Particularly when the difference is small, like "1".  If you cross a bit boundary, you'll have problems.  Think about what happens if our values are 7 and 8.  The difference is only 1, yet there are four bits different between those two!   But otherwise, it's a nice shortcut to help quickly check things!

Working with binary really doesn't have to be that scary or difficult!  When you are just getting used to this, it's best to work with the binary and start to SEE things and patterns.  As you get more experienced, you'll be able to do more of the math in your head.

Oh, one last thing....  If the lab makes you do one of these nice access-lists, try really hard NOT to forget to apply it someplace!  ;)

I figure with nine years gone by, it's not really an NDA thing to say I had a difficult ACL on my lab exam.  And I wasn't as good with binary back then, so it took almost an hour to figure out.  And I got it right.  But I found out that I didn't get points for it which really irritated me, and I started to "discuss" it (this was back when we interacted more with the proctors) until the proctor very nicely pointed out to me that it WAS correct, but I forgot to apply it to an interface which makes it entirely useless.

DOH!    So don't overlook the small stuff!  I hope this has helped a bit with all the binary voodoo magic.  In case you are still staring at the screen wondering why you would ever care about this....  Your router does!   If you have used or heard of Turbo ACLs, or Compiled Access Lists, it's the same thing.  Your router does all of this logic in order to make the list smaller and more efficient.

The programmers were smart enough to NOT display the working ACL to users though!  TAC was not equipped to deal with brain implosions from users!   :)

Here's a few extra problems to make life a bit more interesting!

1.   You have hosts on 150.100.32.0/24.  Make sure the following addresses are not allowed to access any even-numbered server in the second-half of your IP range.  All other access should be allowed.

180.34.80.133
180.34.208.197
180.50.208.229
180.50.80.197
180.34.80.197
180.34.208.133
180.34.208.165
180.50.208.133
180.34.80.229
180.50.208.197
180.50.80.133
180.50.80.165
180.34.80.165
180.34.208.229
180.50.80.229
180.50.208.165

2.  For a routing filter, summarize these permissions in as few lines as possible:

19.55.4.0/24
19.55.5.0/24
19.55.12.0/24
19.55.13.0/24
79.55.4.0/24
79.56.4.0/24
79.55.20.0/24
79.56.20.0/24
83.55.4.0/24
83.55.5.0/24
83.55.12.0/24
83.55.13.0/24

3.  The following hosts should be allowed to telnet into your router:

132.130.1.16
132.194.1.16
132.130.1.17
132.194.1.17
132.130.1.19
132.194.1.19
132.130.1.24
132.194.1.24
132.130.1.25
132.194.1.25
132.130.1.26
132.194.1.26
132.130.1.27
132.194.1.27
124.130.1.16
124.194.1.16
124.130.1.17
124.194.1.17
124.130.1.19
124.194.1.19
124.130.1.24
124.194.1.24
124.130.1.25
124.194.1.25
124.130.1.26
124.194.1.26
124.130.1.27
124.194.1.27

Create an ACL to use as an access-class on the VTY ports.  Use as few lines as possible.  You must use two "deny" statements in your ACL.

132.130.1.18 (deny)
132.194.1.18 (deny)

124.130.1.18 (deny)
124.194.1.18 (deny)

4.  You have one router configured with a prefix-list in BGP:

ip prefix-list GoodRoutes permit 192.168.0.0/15 ge 20 le 24

You want the same information configured on a different router, but you need to integrate this with your existing BGP distribute-list.  Your current BGP distribute-list is:

access-list 44 permit 150.100.0.0 0.0.0.255
access-list 44 permit 150.100.1.0 0.0.0.255
access-list 44 permit 150.100.2.0 0.0.0.255
access-list 44 permit 150.100.3.0 0.0.0.255
access-list 44 permit 150.100.4.0 0.0.0.255
access-list 44 permit 150.100.5.0 0.0.0.255
access-list 44 permit 150.100.6.0 0.0.0.255
access-list 44 permit 150.100.7.0 0.0.0.255
access-list 44 permit 150.100.8.0 0.0.0.255
access-list 44 permit 150.100.9.0 0.0.0.255
access-list 44 permit 150.100.10.0 0.0.0.255
access-list 44 permit 150.100.11.0 0.0.0.255
access-list 44 permit 150.100.12.0 0.0.0.255
access-list 44 permit 150.100.13.0 0.0.0.255
access-list 44 permit 150.100.14.0 0.0.0.255
access-list 44 permit 150.100.15.0 0.0.0.255

Create a new BGP distribute-list in as few lines as possible.

So the contest part will begin again....  And hopefully will run more smoothly this time!  :)  Again, the first person with ALL FOUR correct answers will receive a prize of 120 tokens, good for rack rental, mock labs, whatever....  Very useful stuff!

All comments for this will be withheld for 24 hours to allow the entertainment to ensue!  Good luck!!!

INE Instructor