Answers for Part II

So the answers to the exciting tasks at hand....

There was a good amount of activity surrounding answers submitted for the contest!  It was good to see that many people interested in them!  Now, it's time to go through the answers and stretch the imagination a bit!  Be prepared for some stretching as well!

One quick thing to point out before we get started, there was a question asked about why /24 routes won't have a ".255" as the fourth octet.  This really depends on how we are using the ACL.  If we are doing traffic filtering, where packets will obviously come from hosts INSIDE the /24, then yes, I'd use a ".255" mask.

However, when the entry is being used for a routing filter, and it's a /24 route...  The fourth octet will, by definition, always be ".0" and shouldn't be changed.  So the mask of ".0" prevents anything from changing!

Now...  On to the answers!

1.  Now, there are a total of 16 things we're trying to match.  So in the best of worlds, we can do this in a single line (because it's an exponent of two), but if and ONLY IF we find a total of four bits different across the entire 32-bit address.  So let's solve it.

Where do we have differences?  All over the place!  So let's isolate them.

2nd octet:

34    00100010
50    00110010

Only the 16-bit position is different here.  (mask of 00010000)  This could have been discovered by the subtraction method!

3rd octet:

80    01010000
208    11010000

Only the 128-bit position is different here.  (mask of 10000000)  This could have been discovered by the subtraction method!

4th octet:

133    10000101
165    10100101
197    11000101
229    11100101

It's a little more difficult to use the subtraction method here as well!   But we discover that there are only two bits of difference here, in the 64-bit position and the 32-bit position. (mask of 01100000)

So we DO have a total of four bits across these numbers.  Cool.  One line, right?

But go back to re-read the question.  There's more to it than that!  The even-numbered bits of the SECOND-HALF of a /24.  Now that's just plain evil!

So numbers from 128-254, and only the even ones.  Now we've done the even numbered thing before.  That's a mask of ".254" (11111110) with the starting point of .0...  But here we want only the second half.  So what else is consistent in even numbers OVER 128?  (hint:  the 128-bit position!)

access-list 101 deny ip
access-list 101 permit ip any any

And we'll assume that the access-list is either applied inbound on a WAN link, or outbound on our LAN link!

2.   Pure summarization now.  But there's only 12 lines listed.  That doesn't work out as nicely for single-line summarization!  The best we'll be able to do is two lines.  but let's work through the details.

First octet:

19 00010011
79 01001111
83 01010011

Second octet:

55 00110111
56 00111000

Third octet:

4 00000100
5 00000101
12 00001010
13 00001011
20 00010100

Yeah, now all of a sudden that two-line solution isn't looking nearly as possible!  So let's start isolating.  (Divide and conquer)

Really our consideration will be with the 19 and 83 address sets.  They each have 4, 5, 12 and 13 in the third octet.  The 79 addresses are completely different in the third octet.

First octet:

19    00010011
83    01010011

One bit of difference there in the 64-bit position.  (mask = 01000000)  This could be solved with subtraction.

Third octet:

4    00000100
5    00000101
12    00001100
13    00001101

While we can't really do the subtraction method here, at least there's only two bits of difference here.  (mask = 00001001)  These eight values can be summarized in a single line.  Three bits of difference (2^3 = 8 matches).

access-list 2 permit

Now, the 79-series of addresses.

Second octet:

55    00110111
56    00111000

Lots of differences here (four bits) so we'll be treating these separately.

Third octet:


Why bother with the math?  Just subtract!  :)  Only the 16-bit position changes.  (mask = 00010000)

access-list 2 permit

So our entire solution:

access-list 2 permit
access-list 2 permit
access-list 2 permit

Hey!  Look!  Two lines.   But it seemed so ugly for a while!  We use ".0" for the fourth octet because we were told this ACL is for routing updates.  /24's in a routing update will always have .0 as the fourth octet!

3.  Ooooo..   A big, long, ugly looking one!  Well...  If we count them, there's only 28 lines.  That's definitely not going to solve in one line!  Best we can do there is three lines (16 + 8 + 4).  Hmmmmm.  Time to look at binary!

First octet:

124    01111100
132    10000100

Yeah...  That's not going to happen.  Five bits of difference will get 32 matches.  :)  Even though the subtraction method says "8" is the difference, since we cross a bit-boundary (128), all bets are off!

Second octet:

130    10000010
194    11000010

This is easier!  There's one bit of difference between these two.  (mask = 01000000)  This could be solved via subtraction.

The third octet is all ".1".  So that brings us to the fourth octet:

16    00010000
17    00010001
19    00010011
24    00011000
25    00011001
26    00011010
27    00011011

That's just plain ugly now.  There are actually three bits of difference in there, but one very important piece to note.  18 is missing from the list, so it's not all contiguous that way.

But wait...  The task actually says we need to include "18" as a deny specifically!  So therefore we CAN count it.  Once we do that, three bits of difference makes things work (2^3 = 8 matches).

So let's put it together now.

access-list 3 deny
access-list 3 deny
access-list 3 permit
access-list 3 permit

line vty 0 15  (optional for grading)
access-class 3 in (optional for grading)

4.  Now we need to first convert a prefix-list into an access-list.  THEN we need to look at the existing access-list and somehow integrate the two together.  Isn't this just pleasant.

This not only tests you on your knowledge of access-lists and binary functions, but also on your knowledge of BGP distribute-lists!  See, our issue is that the current distribute list only looks at /24 information.  And not necessarily very well, but that's the intent.  Our prefix-list looks at many mask lengths from /20, /21, /22, /23 and /24!

BGP distribute-lists can use an extended ACL to match the mask information as well!  Oh boy will this be fun.  Actually, it's not nearly as bad as it looks!

With the prefix list, our binary starting point is all the same.  This is in "regular ACL" masking.  The masks we are looking for are:

So really, we're matching on third octet values:

240    11110000
248    11111000
252    11111100
254    11111110
255    11111111

So the last four bits, I really don't care what the values are.  Wait.  If we come up with a mask of 00001111 (15), what happens when we're presented with a value of 247?  Wouldn't that match?

Sure, technically it would match the mask we create.  But fortunately for us, there's no way in reality we're going to ever see a mask like that!  Route masking can only be done on bit boundaries!   So reality versus technical possibility (e.g. fantasy) are two completely different ideas!

access-list 104 permit

Now, we have to look at the remaining values.  These should be easier as it's just a summarization question.

Third octet:

0    00000000
1    00000001
2    00000010
3    00000011
4    00000100
5    00000101
6    00000110
7    00000111
8    00001000
9    00001001
10    00001010
11    00001011
12    00001100
13    00001101
14    00001110
15    00001111

Again, the masking will be 00001111 (.15).

access-list 104 permit

So our whole ACL:

access-list 104 permit
access-list 104 permit

Well...  That was fun.  I will tell you, it was likely much more entertaining for me than it was for you.  But good stuff.  If nothing else, getting through these exercises, and having them actually make some semblance of sense to you, there's NOTHING that the CCIE Lab can come up with that will scare you!

It's good to be evil.  :)

See the Comments here for the list of winners!

About INE

INE is the premier provider of technical training for the IT industry. INE is revolutionizing the digital learning industry through the implementation of adaptive technologies and a proven method of hands on training experiences. Our portfolio of trainings is built for all levels of technical learning, specializing in advanced networking technologies, next generation security and infrastructure programming and development. Want to talk to a training advisor about our course offerings and training plans? Give us a call at 877-224-8987 or email us at

Subscribe to INE Blog Updates

New Blog Posts!