Nov
05

Answers for Part II

So the answers to the exciting tasks at hand....

There was a good amount of activity surrounding the answers submitted for the contest!  It was good to see that many people were interested in them!  Now it's time to go through the answers and stretch the imagination a bit.  Be prepared for some stretching of your own as well!

One quick thing to point out before we get started: there was a question about why the entries for /24 routes don't use ".255" as the fourth octet of the wildcard mask.  This really depends on what the ACL is used for.  If we are doing traffic filtering, where the packets obviously come from hosts INSIDE the /24, then yes, I'd use a ".255" wildcard so that every host address in the network matches.

However, when the entry is used as a routing filter and it's a /24 route, the fourth octet of the network address will, by definition, always be ".0".  A wildcard of ".0" in that position means those eight bits must match exactly, which is fine, because in a /24 route there is nothing there to vary!

Now...  On to the answers!

1.  There are a total of 16 things we're trying to match.  Since 16 is a power of two, in the best of worlds we can do this in a single line, but only if we find a total of exactly four bits that differ across the entire 32-bit address (2^4 = 16).  So let's solve it.

Where do we have differences?  All over the place!  So let's isolate them.

2nd octet:

34    00100010
50    00110010

Only the 16-bit position is different here.  (mask of 00010000)  This could have been discovered by the subtraction method!

3rd octet:

80    01010000
208    11010000

Only the 128-bit position is different here.  (mask of 10000000)  This could have been discovered by the subtraction method!

4th octet:

133    10000101
165    10100101
197    11000101
229    11100101

The subtraction method is a little harder to use here too: 165 - 133 = 32, but 229 - 133 = 96, which isn't a power of two.  Lining up the binary, we discover that there are only two bits of difference, in the 64 position and the 32 position.  (mask of 01100000)

So we DO have a total of four bits across these numbers.  Cool.  One line, right?

But go back and re-read the question.  There's more to it than that!  The even-numbered hosts in the SECOND HALF of a /24.  Now that's just plain evil!

So host numbers from 128 to 254, and only the even ones.  We've done the even-numbered thing before: a wildcard of ".254" (11111110) with a starting point of .0, which keeps the 1 bit fixed at zero.  But here we want only the second half.  So what else is constant in the even numbers from 128 up?  (hint: the 128 bit!)  Fix that bit too and the wildcard becomes 01111110, or ".126", with a starting point of .128.

access-list 101 deny ip 180.34.80.133 0.16.128.96 150.100.32.128 0.0.0.126
access-list 101 permit ip any any

And we'll assume that the access-list is either applied inbound on a WAN link, or outbound on our LAN link!

2.   Pure summarization now.  But there are 12 routes listed, and 12 is not a power of two, so single-line summarization is out.  The best case is two lines (8 + 4).  Let's work through the details.

First octet:

19 00010011
79 01001111
83 01010011

Second octet:

55 00110111
56 00111000

Third octet:

4 00000100
5 00000101
12 00001100
13 00001101
20 00010100

Yeah, now all of a sudden that two-line solution isn't looking nearly as possible!  So let's start isolating.  (Divide and conquer)

Really our consideration will be with the 19 and 83 address sets.  They each have 4, 5, 12 and 13 in the third octet.  The 79 addresses are completely different in the third octet.

First octet:

19    00010011
83    01010011

One bit of difference there in the 64-bit position.  (mask = 01000000)  This could be solved with subtraction.

Third octet:

4    00000100
5    00000101
12    00001100
13    00001101

While we can't really use the subtraction method here, there are only two bits of difference in this octet, the 8 and the 1.  (mask = 00001001)  Add the one bit from the first octet and we have three bits of difference in total (2^3 = 8 matches), so these eight routes can be summarized in a single line.

access-list 2 permit 19.55.4.0 64.0.9.0

Now, the 79-series of addresses.

Second octet:

55    00110111
56    00111000

Lots of differences here (four bits) so we'll be treating these separately.

Third octet:

4
20

Why bother with the math?  Just subtract!  :)  Only the 16-bit position changes.  (mask = 00010000)

access-list 2 permit 79.55.4.0 0.0.16.0

So our entire solution:

access-list 2 permit 19.55.4.0 64.0.9.0
access-list 2 permit 79.55.4.0 0.0.16.0
access-list 2 permit 79.56.4.0 0.0.16.0

Hey!  Look!  Three lines.  The best case was two, but the 55/56 pair in the second octet costs us the extra line: there is no way around those four bits of difference without permitting routes we weren't asked to permit.  It seemed so ugly for a while, though!  We use ".0" for the fourth octet because we were told this ACL is for routing updates.  /24s in a routing update will always have .0 as the fourth octet!

3.  Ooooo..   A big, long, ugly looking one!  Well...  If we count them, there are 28 hosts.  That's definitely not going to solve in one line!  The best we can do with permits alone is three lines (16 + 8 + 4).  Hmmmmm.  Time to look at binary!

First octet:

124    01111100
132    10000100

Yeah...  That's not going to happen.  Five bits of difference would give 32 matches.  :)  Even though the subtraction method says the difference is 8, we cross a bit boundary (128) on the way from 124 to 132, so all bets are off!

Second octet:

130    10000010
194    11000010

This is easier!  There's one bit of difference between these two.  (mask = 01000000)  This could be solved via subtraction.

The third octet is all ".1".  So that brings us to the fourth octet:

16    00010000
17    00010001
19    00010011
24    00011000
25    00011001
26    00011010
27    00011011

That's just plain ugly now.  There are only three bits of difference in there (the 8, the 2 and the 1), but there's one very important thing to note: 18 is missing from the list, so those three bits would give us eight matches for only seven hosts.

But wait...  The task actually says we need to deny "18" specifically!  So a deny line placed in front of the permit lets us count it, and with 18 back in, the three bits of difference cover exactly the eight hosts 16-19 and 24-27 (2^3 = 8 matches).  The first octet still has to be handled as two separate groups (124 and 132), so we end up with two denies and two permits.

So let's put it together now.

access-list 3 deny 124.130.1.18 0.64.0.0
access-list 3 deny 132.130.1.18 0.64.0.0
access-list 3 permit 124.130.1.16 0.64.0.11
access-list 3 permit 132.130.1.16 0.64.0.11

line vty 0 15  (optional for grading)
access-class 3 in (optional for grading)

4.  Now we need to first convert a prefix-list into an access-list.  THEN we need to look at the existing access-list and somehow integrate the two together.  Isn't this just pleasant.

This not only tests your knowledge of access-lists and binary, but also your knowledge of BGP distribute-lists!  See, our issue is that the current distribute-list was meant to look at /24 information only.  It doesn't actually do that very well: a standard ACL in a distribute-list is compared against the network address alone, so list 44 as written would also pass a 150.100.0.0/20 or a 150.100.3.128/25.  But /24s are the intent.  Our prefix-list, on the other hand, looks at a range of mask lengths: /20, /21, /22, /23 and /24!

BGP distribute-lists can use an extended ACL, where the "source" part of the entry is matched against the network and the "destination" part is matched against the subnet mask!  Oh boy, will this be fun.  Actually, it's not nearly as bad as it looks!

With the prefix-list, our binary starting point is all the same: 192.168.0.0/15.  That's 192.168.0.0 0.1.255.255 in "regular ACL" masking.  The subnet masks we are looking for are:

255.255.240.0
255.255.248.0
255.255.252.0
255.255.254.0
255.255.255.0

So really, we're matching on third octet values:

240    11110000
248    11111000
252    11111100
254    11111110
255    11111111

So for the last four bits of the third octet, I really don't care what the values are.  Wait.  If we come up with a wildcard of 00001111 (15), what happens when we're presented with a mask value of 247?  Wouldn't that match?

Sure, technically it would match the wildcard we created.  But fortunately for us, there's no way we'll ever see a mask like that in a routing update!  A subnet mask is always a run of ones followed by a run of zeros, so 247 (11110111) can't occur in one.  Reality versus technical possibility (i.e. fantasy) are two completely different ideas!

access-list 104 permit ip 192.168.0.0 0.1.255.255 255.255.240.0 0.0.15.0

Now, we have to look at the remaining values.  These should be easier as it's just a summarization question.

Third octet:

0    00000000
1    00000001
2    00000010
3    00000011
4    00000100
5    00000101
6    00000110
7    00000111
8    00001000
9    00001001
10    00001010
11    00001011
12    00001100
13    00001101
14    00001110
15    00001111

Again, the masking will be 00001111 (.15).

access-list 104 permit ip 150.100.0.0 0.0.15.0 255.255.255.0 0.0.0.0

So our whole ACL:

access-list 104 permit ip 192.168.0.0 0.1.255.255 255.255.240.0 0.0.15.0
access-list 104 permit ip 150.100.0.0 0.0.15.0 255.255.255.0 0.0.0.0
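Here is the distribute-list matching spelled out as an added Python example (this is not code from the post or from IOS).  It evaluates the two-line extended ACL above, written with the protocol keyword ip that an extended entry needs, against (network, mask) pairs the way a BGP distribute-list does: the "source" field is tested against the network and the "destination" field against the subnet mask, first match wins, implicit deny at the end.  It compares that with the prefix-list's own ge/le semantics over a constructed set of prefixes, evaluates the old standard list 44 to show that a standard ACL ignores the mask entirely, and checks that a mask like 255.255.247.0 is not a contiguous mask, which is why the 0.0.15.0 wildcard on the mask is safe.

```python
import ipaddress
from typing import List, Tuple

MASK32 = 0xFFFFFFFF


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def is_contiguous_mask(mask: int) -> bool:
    """A real subnet mask is ones followed by zeros, so its inverse plus one
    is a power of two.  255.255.247.0 fails this test."""
    inverse = ~mask & MASK32
    return inverse & (inverse + 1) == 0


def parse_acl(lines: List[str]) -> List[Tuple]:
    """Standard lines -> (action, net_base, net_wc, None, None)
    Extended lines -> (action, net_base, net_wc, mask_base, mask_wc)
    Bases are normalised (wildcard bits cleared) the way IOS stores them."""
    entries = []
    for line in lines:
        p = line.split()
        if p[0] != "access-list" or p[2] not in ("permit", "deny"):
            raise ValueError(f"not an ACL line: {line!r}")
        if len(p) == 5:                                   # standard ACL
            net, net_wc = to_int(p[3]), to_int(p[4])
            entries.append((p[2], net & ~net_wc & MASK32, net_wc, None, None))
        elif len(p) == 8 and p[3] == "ip":                # extended ACL
            net, net_wc, mask, mask_wc = (to_int(x) for x in p[4:8])
            entries.append((p[2], net & ~net_wc & MASK32, net_wc,
                            mask & ~mask_wc & MASK32, mask_wc))
        else:
            raise ValueError(f"unsupported ACL line: {line!r}")
    return entries


def route_permitted(entries: List[Tuple], prefix: str) -> bool:
    """Distribute-list semantics: a standard entry tests only the network,
    an extended entry tests the network (source field) and the subnet mask
    (destination field).  First match wins; nothing matching means deny."""
    net = ipaddress.IPv4Network(prefix, strict=True)
    n, m = int(net.network_address), int(net.netmask)
    for action, net_base, net_wc, mask_base, mask_wc in entries:
        if (n & ~net_wc & MASK32) != net_base:
            continue
        if mask_base is not None and (m & ~mask_wc & MASK32) != mask_base:
            continue
        return action == "permit"
    return False


def prefix_list_permitted(prefix: str, base: str = "192.168.0.0/15",
                          ge: int = 20, le: int = 24) -> bool:
    """Reference semantics of 'ip prefix-list GoodRoutes permit 192.168.0.0/15 ge 20 le 24'."""
    net = ipaddress.IPv4Network(prefix, strict=True)
    cover = ipaddress.IPv4Network(base, strict=True)
    inside = (int(net.network_address) & int(cover.netmask)) == int(cover.network_address)
    return inside and ge <= net.prefixlen <= le


NEW_LIST = parse_acl([
    "access-list 104 permit ip 192.168.0.0 0.1.255.255 255.255.240.0 0.0.15.0",
    "access-list 104 permit ip 150.100.0.0 0.0.15.0 255.255.255.0 0.0.0.0",
])
OLD_LIST = parse_acl([f"access-list 44 permit 150.100.{i}.0 0.0.0.255" for i in range(16)])

# Constructed sample prefixes: inside and outside 192.168.0.0/15, lengths /15 to /28
SAMPLE_PREFIXES = ["192.168.0.0/15", "192.170.0.0/15"] + [
    f"{net}/{length}"
    for net in ("192.167.0.0", "192.168.0.0", "192.169.0.0", "192.170.0.0")
    for length in range(16, 29)
]


def agrees_with_prefix_list(prefix: str) -> bool:
    return route_permitted(NEW_LIST, prefix) == prefix_list_permitted(prefix)


if __name__ == "__main__":
    print("ACL 104 agrees with the prefix-list on every sample:",
          all(agrees_with_prefix_list(p) for p in SAMPLE_PREFIXES))
    print("150.100.0.0/20 old list:", route_permitted(OLD_LIST, "150.100.0.0/20"),
          "new list:", route_permitted(NEW_LIST, "150.100.0.0/20"))
    print("255.255.247.0 is a valid mask:", is_contiguous_mask(to_int("255.255.247.0")))
```

The old/new comparison is the point a practitioner should check before swapping the lists: the extended version pins 150.100.x.0 to exactly /24, which is tighter than what list 44 actually did.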

Well...  That was fun.  I will tell you, it was likely much more entertaining for me than it was for you.  But good stuff.  If nothing else, once you get through these exercises and they actually make some semblance of sense to you, there's NOTHING the CCIE Lab can come up with that will scare you!

It's good to be evil.  :)

See the Comments here for the list of winners!

Nov
03

I know, I know...  I promised this a while back, after I did the first part.  Sorry 'bout that!

So we've played around a bit with the access-list idea and some binary matching.  So let's expand our brains even further!

I will start out by telling everyone that I am NOT picking on or otherwise attempting to insult any CCNA's out there by comparing methodology to what is learned in CCNA.  The idea being that there are basic and advanced ways to learn things.

When we all first learned fractions, if anyone attempted to explain more advanced methods of long division, or finite state mathematics, or anything we now consider to be "basic algebra", plain and simple....  our brains would have imploded!  It wouldn't have been pretty at all.

There is a time and a place for everything.  When first beginning as a CCNA, the concept of "network" and "network mask" and wonderful subnets on standard bit-boundaries is good.  It's a starting point.  Just realize that it isn't the end point, and as CCIE Candidates, we need to see beyond those initial learning steps in order to succeed!  If you have stumbled across these blogs, and are still a CCNA, my sincere apologies as I did not mean to offend!  (And my apologies for any induced-brain-implosions!)

Now, all those legal disclaimers aside, it's time to move up a notch in Binary Math.  We're still counting to one, we're just doing it with more finesse now!  So let's start with our first problem for Part II.

Summarize these in as few lines as possible:

168.192.3.0/24
168.192.14.0/24
168.208.11.0/24
168.208.14.0/24
168.208.3.0/24
168.192.11.0/24

Our expansion and brain-freeze difficulty here is that we have differences in two different octets.  Well, I've got one for ya!  Who cares!?!?  The router doesn't.

Let me go out on a limb here and say that ALL access lists in our routers are essentially operating in the exact same fashion.  Now, don't go getting all sulky on me and tell me how they can't all be the same because they're different protocols.  I know that!  :)

But LOGICALLY, it's the same process.  A 200-series ACL is for ethertypes.  They are represented in hexadecimal (for our benefit since ethertype values are routinely expressed in hex).  But the router sees a starting string of 16 bits, and a mask of 16 bits to go with it.

The standard or extended IP ACLs are for IP addresses, as we all know.  They are expressed in dotted decimal for OUR benefit.  The router sees a string of 32 bits and a mask of 32 bits.

An 800 series ACL is for IPX.  Again, expressed in hexadecimal for our benefit.  The router sees a starting string of 80 bits and a mask of 80 bits.

An IPv6 ACL is the same thing, only with 128 bits starting strings and masks!!!

You get the idea here.  Same #$*&#, different ACL!  So, that idea of the differences being in different octets: the router doesn't see it that way, so get it out of your head!  Octet boundaries should make no difference to a CCIE Candidate!  That period is just a bump on the road of learning!

Anyway, enough sophomoric digression here...  Let's look at the binary.

Second octet:

192    11000000
208    11010000

There's only one bit of difference, so we can definitely summarize!  Even if we didn't look any further, we can reduce these to three lines now.

access-list 21 permit 168.192.3.0 0.16.0.0
access-list 21 permit 168.192.11.0 0.16.0.0
access-list 21 permit 168.192.14.0 0.16.0.0

And that would work nicely.  So let's look at the third octet:

3    00000011
11    00001011
14    00001110

Well, we end up with three bits of difference there (in the 1, 4 and 8 positions).  2^3 would give us eight matches here, for only three values we actually want.  That's not cool.  Look more closely at them individually.  14 is really the one that "doesn't belong" or doesn't fit well in the group.  So treat it separately!

Between 3 and 11, there's only one bit of difference (2^1 = 2 matches).  So look at this in conjunction with what we did above.

access-list 21 permit 168.192.3.0 0.16.8.0
access-list 21 permit 168.192.14.0 0.16.0.0

The first line matches four of our original networks, and the second line matches two.  The fact that the bits are in different octets only bothers us, not the routers!  This is another one of those "not taught like this in CCNA" moments: discovering the ability to set the mask on a per-bit basis!
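Here is the summarization rule from the last few paragraphs written out as a short Python script.  This is an added example, not code from the post: it finds the wildcard as the OR of every bit that differs from the first address, derives the base the way the router will display it (wildcard bits cleared), counts how many extra matches a line would give, and checks the two groupings above.  The network lists are the ones from this exercise; expand() is the inverse operation, listing everything a given line matches.

```python
import ipaddress
from typing import Iterable, Set, Tuple

MASK32 = 0xFFFFFFFF


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value & MASK32))


def summarize(addresses: Iterable[str]) -> Tuple[str, str, int]:
    """Single-line summary of a set of addresses or /24 networks.

    Returns (base, wildcard, extras):
      wildcard - every bit that differs anywhere in the set, found by XORing
                 each address against the first one and ORing the results
      base     - the lowest address the line matches, i.e. the first address
                 with all wildcard bits cleared (what IOS shows after you
                 type the line in)
      extras   - how many addresses the line matches beyond the ones given;
                 0 means the line is exact
    """
    values = sorted({to_int(a) for a in addresses})
    if not values:
        raise ValueError("need at least one address")
    first = values[0]
    wildcard = 0
    for v in values:
        wildcard |= v ^ first
    base = first & ~wildcard & MASK32
    matched = 1 << bin(wildcard).count("1")     # 2^(number of wildcard bits)
    return to_dotted(base), to_dotted(wildcard), matched - len(values)


def expand(base: str, wildcard: str) -> Set[str]:
    """Every address matched by 'base wildcard' (the inverse of summarize)."""
    b = to_int(base)
    w = to_int(wildcard)
    b &= ~w & MASK32                  # normalise, as the router would
    out, sub = set(), w
    while True:                       # walk every sub-mask of w, 0 included
        out.add(to_dotted(b | sub))
        if sub == 0:
            return out
        sub = (sub - 1) & w


def best_case_lines(count: int) -> int:
    """Minimum number of permit-only lines for 'count' exact matches: one per
    set bit in the binary form of count (12 = 8 + 4 gives 2, for example)."""
    return bin(count).count("1")


# The six networks from this exercise (fourth octet .0 because they are /24s)
NETWORKS = ["168.192.3.0", "168.192.14.0", "168.208.11.0",
            "168.208.14.0", "168.208.3.0", "168.192.11.0"]

# The split used above: 3 and 11 pair up, 14 stands alone
GROUP_3_11 = [n for n in NETWORKS if not n.endswith(".14.0")]
GROUP_14 = [n for n in NETWORKS if n.endswith(".14.0")]


if __name__ == "__main__":
    print("all six in one line:", summarize(NETWORKS))   # 4 bits, 16 matches, 10 extras
    for group in (GROUP_3_11, GROUP_14):
        base, wc, extras = summarize(group)
        print(f"access-list 21 permit {base} {wc}   # extras={extras}")
        assert expand(base, wc) == set(group)
    print("best case for 12 exact routes:", best_case_lines(12), "lines")
```

Note that the single-line attempt on all six reports a base of 168.192.2.0, an address that is not even in the list; that is exactly the "something that doesn't exist in your list" symptom the starting-point check later in this post looks for.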

So let's have a little more fun here....  Summarize these in as few lines as possible:

207.49.164.0/24
208.49.164.0/24
205.49.165.0/24
207.49.165.0/24
192.49.164.0/24

Again, we have varying numbers in two different octets.  One extra step we can take while doing this in the lab (or practicing) is to use Notepad and the Windows Calculator to help.

Notepad is nice because it uses a fixed-width font, so the columns line up.  By hand, it makes things uglier.  If your handwriting is anything like mine, after a while you can't figure out where the heck your columns are supposed to be lining up!  The other cool part about Notepad is that you can cut and paste to rearrange the order, or put things to the side once you have them matched.

Otherwise, it's all about binary.  The first octet:

192    11000000
205    11001101
207    11001111
208    11010000

Lots of bits of difference there.  Five of them to be exact.  And since 2^5 gives 32 matches, we know it's not going to be that simple!   So start pairing and rearranging!

192    11000000
208    11010000

205    11001101
207    11001111

With those pairs, there's only one bit different within each pair.  2^1 yields two matches only, so we're good there!  Now let's look at those pairings against the rest of the address.  The 192 and 208 addresses also match each other in the second and third octets, so one line covers both and we can set them aside.  That leaves 205.49.165, 207.49.164 and 207.49.165, and we still have variety in the third octet:

164    10100100
165    10100101

Again, one bit of difference makes things nice, but here's our quandary.  We have three items left to match, and no matter how we line things up, a single ACL entry cannot match all three with no extras or leftovers!  (3 is not a power of 2!)  So there will have to be an extra statement no matter how we slice things.

There are actually three different ways to solve this, which makes it very interesting to talk through!

Method 1:

access-list 22 permit 192.49.164.0 16.0.0.0
access-list 22 permit 205.49.165.0 0.0.0.0
access-list 22 permit 207.49.164.0 0.0.1.0

Method 2:

access-list 23 permit 192.49.164.0 16.0.0.0
access-list 23 permit 205.49.165.0 2.0.0.0
access-list 23 permit 207.49.164.0 0.0.0.0

Method 3:

access-list 24 permit 192.49.164.0 16.0.0.0
access-list 24 deny 205.49.164.0 0.0.0.0
access-list 24 permit 205.49.164.0 2.0.1.0

All of the methods give us three lines.  One does include a "deny" statement, which is handy if the task requires one.  Note that in Method 3 the deny has to sit before the permit that covers the same address: entries are checked in order and the first match wins, so a deny placed after the permit is never reached.  Nice things though, and again, the bits-per-octet make no difference to the router!
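To confirm that the three methods really are equivalent, here is a small first-match ACL evaluator, added here as an example rather than taken from the post or from IOS.  It parses the standard access-list lines exactly as written above, tests every candidate network of the form a.49.b.0 for a in 0-255 and b in 160-167 (a constructed candidate space, wide enough to expose over-matching), and shows that each method permits the five target networks and nothing else.  It also shows what Method 3 leaks if the deny line is moved after its permit.

```python
import ipaddress
from typing import List, Set, Tuple

MASK32 = 0xFFFFFFFF
Entry = Tuple[str, int, int]   # (action, normalised base, wildcard)


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def parse_standard_acl(lines: List[str]) -> List[Entry]:
    """Parse 'access-list N permit|deny A.B.C.D [W.X.Y.Z]' (standard numbered ACL).
    A missing wildcard means 0.0.0.0, i.e. a single host/network."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
            raise ValueError(f"not a standard ACL line: {line!r}")
        address = to_int(parts[3])
        wildcard = to_int(parts[4]) if len(parts) > 4 else 0
        entries.append((parts[2], address & ~wildcard & MASK32, wildcard))
    return entries


def is_permitted(entries: List[Entry], address: str) -> bool:
    """IOS semantics: the first entry whose base matches wins; if nothing
    matches, the implicit deny at the end of the list applies."""
    value = to_int(address)
    for action, base, wildcard in entries:
        if (value & ~wildcard & MASK32) == base:
            return action == "permit"
    return False


def permitted_set(lines: List[str], candidates: List[str]) -> Set[str]:
    entries = parse_standard_acl(lines)
    return {c for c in candidates if is_permitted(entries, c)}


# Constructed candidate space
CANDIDATES = [f"{a}.49.{c}.0" for a in range(256) for c in range(160, 168)]

# The five networks the exercise asks for
TARGET = {"207.49.164.0", "208.49.164.0", "205.49.165.0",
          "207.49.165.0", "192.49.164.0"}

METHOD_1 = ["access-list 22 permit 192.49.164.0 16.0.0.0",
            "access-list 22 permit 205.49.165.0 0.0.0.0",
            "access-list 22 permit 207.49.164.0 0.0.1.0"]

METHOD_2 = ["access-list 23 permit 192.49.164.0 16.0.0.0",
            "access-list 23 permit 205.49.165.0 2.0.0.0",
            "access-list 23 permit 207.49.164.0 0.0.0.0"]

METHOD_3 = ["access-list 24 permit 192.49.164.0 16.0.0.0",
            "access-list 24 deny 205.49.164.0 0.0.0.0",
            "access-list 24 permit 205.49.164.0 2.0.1.0"]

# Same three lines as METHOD_3 with the deny moved after the broad permit:
# first match wins, so the deny is never consulted.
METHOD_3_MISORDERED = [METHOD_3[0], METHOD_3[2], METHOD_3[1]]


def leaked_by(lines: List[str]) -> Set[str]:
    """Networks a list permits that are not in TARGET."""
    return permitted_set(lines, CANDIDATES) - TARGET


if __name__ == "__main__":
    for name, acl in (("Method 1", METHOD_1), ("Method 2", METHOD_2), ("Method 3", METHOD_3)):
        print(name, "exact" if permitted_set(acl, CANDIDATES) == TARGET else "WRONG")
    print("Misordered Method 3 leaks:", sorted(leaked_by(METHOD_3_MISORDERED)))
```

Running the candidate space through the list is the same check you would do on a real box with a handful of test packets or routes; it is cheap and it catches the ordering mistake that reading the lines by eye tends to miss.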

Let's look at one more.  Create an ACL in as few lines as possible to allow the hosts from these networks in:

182.17.77.0/24
182.81.77.0/24
190.17.73.0/24
190.81.73.0/24
190.81.77.0/24
182.17.73.0/24
182.81.73.0/24
190.17.77.0/24

You can also count on the idea that the numbers presented to you will NOT be in numerical order, so they are intentionally presented in a way that is not as simple to visualize!  (Another good idea to use Notepad!)

In this example, we have differences in THREE octets.  No fear though, right!  Same stuff, different example!  The rules have not changed.  Where's the binary?

182    10110110
190    10111110

17    00010001
81    01010001

73    01001001
77    01001101

Notice that in each of the octets there is only one bit that is different.  2^1 per octet gives us two values each, which is all we have.  More importantly, three bits in the entire 32-bit mask (2^3) give us eight matches, which is exactly what's listed in the task itself!  So we can do the whole thing in just one line!

access-list 25 permit 182.17.73.0 8.64.4.0

See, it wasn't all that bad, was it?

There are some rules and things to make life a little easier....

You can visually look at a scenario and see what the best possible answer is just by the number of matches you need!

If you have eight entries to match, your best possible outcome is one line.   2^3 = 8, so if you find exactly three bits different in all of them, then that's it!  Life doesn't always work that way, but at least you know the minimum!

Likewise, if you have only six things to match, the best you can possibly do is two lines: 2^2 and 2^1.  Or deny 2^1 and permit 2^3.  Still two lines.  You get the idea.

Again, this is IF things work nicely with bit boundaries and stuff.  But at least you won't have to stress out about "I wonder if I can get less lines than what I already have"!!!

On larger/longer examples, there's an additional check we can do.  The "network" or "binary starting point" will ALWAYS be your lowest matching value: every place you have a "1" in the wildcard mask, the router will store a "0" in that position of the address.  To test your mask, type in the ACL with a middle/higher starting point.  As long as the mask is correct, when you look at "show run" or "show access-list" you should see the starting point.

If you see something that doesn't exist in your list, or is just entirely different...  Well...  You've messed something up!  :)

Another quick check we can do is to subtract.  When you subtract two numbers and the difference is a power of two, that's the bit that is different between them.

In the last example here:

190 - 182 = 8
81 - 17 = 64
77 - 73 = 4

And those were our mask values there.  Now, be careful, since that doesn't always work!  Particularly when "1" is the difference.  If you cross a bit boundary, you'll have problems.  Think about it if our values were 7 and 8.  The difference is only 1, yet there are four bits different between those two!  The reliable way is to XOR the two values (or just line up the binary); subtraction is only a shortcut to help quickly check things!
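Both checks from the last few paragraphs, as an added Python example (not code from the post): normalise() does what IOS does when it stores an entry, clearing every bit the wildcard marks as "don't care", so typing in a middle address shows you the starting point; starting_point_check() asks whether that displayed address is actually one of yours; subtraction_hint() applies the subtraction shortcut and reports whether it agrees with the real bit difference, which it does not across a bit boundary such as 7 and 8 or 124 and 132.  The host list is the one from contest problem 1, and a deliberately wrong wildcard is included to show the check failing.

```python
import ipaddress
from typing import Iterable, Optional, Tuple

MASK32 = 0xFFFFFFFF


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value & MASK32))


def normalise(address: str, wildcard: str) -> str:
    """What IOS keeps for 'permit address wildcard': every bit that is 1 in the
    wildcard is forced to 0 in the address, so the stored address is the lowest
    value the entry matches."""
    return to_dotted(to_int(address) & ~to_int(wildcard))


def starting_point_check(address: str, wildcard: str, expected: Iterable[str]) -> bool:
    """The test from the text: enter a middle/higher address with the candidate
    wildcard and see whether what 'show access-list' would display is something
    that exists in your list."""
    return normalise(address, wildcard) in set(expected)


def subtraction_hint(a: int, b: int) -> Tuple[Optional[int], int, bool]:
    """The subtraction shortcut for one octet.

    Returns (hint, actual, reliable):
      hint     - |a-b| if it is a power of two (the shortcut's answer), else None
      actual   - a XOR b, the bits that really differ
      reliable - True only when the shortcut and the real answer agree
    """
    diff = abs(a - b)
    actual = a ^ b
    hint = diff if diff and (diff & (diff - 1)) == 0 else None
    return hint, actual, hint is not None and hint == actual


# The sixteen hosts from contest problem 1 (copied from the post)
HOSTS = ["180.34.80.133", "180.34.208.197", "180.50.208.229", "180.50.80.197",
         "180.34.80.197", "180.34.208.133", "180.34.208.165", "180.50.208.133",
         "180.34.80.229", "180.50.208.197", "180.50.80.133", "180.50.80.165",
         "180.34.80.165", "180.34.208.229", "180.50.80.229", "180.50.208.165"]

RIGHT_WILDCARD = "0.16.128.96"
WRONG_WILDCARD = "0.16.128.224"   # deliberately wrong: the 128 bit instead of the 32 bit


if __name__ == "__main__":
    print(normalise("180.50.208.229", RIGHT_WILDCARD))   # the starting point, 180.34.80.133
    print(normalise("180.50.208.229", WRONG_WILDCARD))   # 180.34.80.5, not in the list
    print(starting_point_check("180.50.208.229", RIGHT_WILDCARD, HOSTS),
          starting_point_check("180.50.208.229", WRONG_WILDCARD, HOSTS))
    for a, b in ((190, 182), (81, 17), (77, 73), (8, 7), (132, 124), (13, 4)):
        print(a, b, subtraction_hint(a, b))
```

The shortcut is fine for pairs inside one bit boundary; the last three pairs in the demo show the three ways it misleads: a power-of-two difference that hides several changed bits (8 and 7, 132 and 124), and a difference that is not a power of two at all (13 and 4), where you have to look at the binary anyway.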

Working with binary really doesn't have to be that scary or difficult!  When you are just getting used to this, it's best to work with the binary and start to SEE things and patterns.  As you get more experienced, you'll be able to do more of the math in your head.

Oh, one last thing....  If the lab makes you do one of these nice access-lists, try really hard NOT to forget to apply it someplace!  ;)

I figure with nine years gone by, it's not really an NDA thing to say I had a difficult ACL on my lab exam.  And I wasn't as good with binary back then, so it took almost an hour to figure out.  And I got it right.  But I found out that I didn't get points for it which really irritated me, and I started to "discuss" it (this was back when we interacted more with the proctors) until the proctor very nicely pointed out to me that it WAS correct, but I forgot to apply it to an interface which makes it entirely useless.

DOH!    So don't overlook the small stuff!  I hope this has helped a bit with all the binary voodoo magic.  In case you are still staring at the screen wondering why you would ever care about this....  Your router does!   If you have used or heard of Turbo ACLs, or Compiled Access Lists, it's the same idea: the router compiles the list into lookup tables so that matching a packet takes about the same time no matter how long the list is.

The programmers were smart enough to NOT display the working ACL to users though!  TAC was not equipped to deal with brain implosions from users!   :)

Here's a few extra problems to make life a bit more interesting!

1.   You have hosts on 150.100.32.0/24.  Make sure the following addresses are not allowed to access any even-numbered server in the second-half of your IP range.  All other access should be allowed.

180.34.80.133
180.34.208.197
180.50.208.229
180.50.80.197
180.34.80.197
180.34.208.133
180.34.208.165
180.50.208.133
180.34.80.229
180.50.208.197
180.50.80.133
180.50.80.165
180.34.80.165
180.34.208.229
180.50.80.229
180.50.208.165

2.  For a routing filter, summarize these permissions in as few lines as possible:

19.55.4.0/24
19.55.5.0/24
19.55.12.0/24
19.55.13.0/24
79.55.4.0/24
79.56.4.0/24
79.55.20.0/24
79.56.20.0/24
83.55.4.0/24
83.55.5.0/24
83.55.12.0/24
83.55.13.0/24

3.  The following hosts should be allowed to telnet into your router:

132.130.1.16
132.194.1.16
132.130.1.17
132.194.1.17
132.130.1.19
132.194.1.19
132.130.1.24
132.194.1.24
132.130.1.25
132.194.1.25
132.130.1.26
132.194.1.26
132.130.1.27
132.194.1.27
124.130.1.16
124.194.1.16
124.130.1.17
124.194.1.17
124.130.1.19
124.194.1.19
124.130.1.24
124.194.1.24
124.130.1.25
124.194.1.25
124.130.1.26
124.194.1.26
124.130.1.27
124.194.1.27

Create an ACL to use as an access-class on the VTY ports.  Use as few lines as possible.  You must use two "deny" statements in your ACL.

132.130.1.18 (deny)
132.194.1.18 (deny)

124.130.1.18 (deny)
124.194.1.18 (deny)

4.  You have one router configured with a prefix-list in BGP:

ip prefix-list GoodRoutes permit 192.168.0.0/15 ge 20 le 24

You want the same information configured on a different router, but you need to integrate this with your existing BGP distribute-list.  Your current BGP distribute-list is:

access-list 44 permit 150.100.0.0 0.0.0.255
access-list 44 permit 150.100.1.0 0.0.0.255
access-list 44 permit 150.100.2.0 0.0.0.255
access-list 44 permit 150.100.3.0 0.0.0.255
access-list 44 permit 150.100.4.0 0.0.0.255
access-list 44 permit 150.100.5.0 0.0.0.255
access-list 44 permit 150.100.6.0 0.0.0.255
access-list 44 permit 150.100.7.0 0.0.0.255
access-list 44 permit 150.100.8.0 0.0.0.255
access-list 44 permit 150.100.9.0 0.0.0.255
access-list 44 permit 150.100.10.0 0.0.0.255
access-list 44 permit 150.100.11.0 0.0.0.255
access-list 44 permit 150.100.12.0 0.0.0.255
access-list 44 permit 150.100.13.0 0.0.0.255
access-list 44 permit 150.100.14.0 0.0.0.255
access-list 44 permit 150.100.15.0 0.0.0.255

Create a new BGP distribute-list in as few lines as possible.

So the contest part will begin again....  And hopefully it will run more smoothly this time!  :)  Again, the first person with ALL FOUR correct answers will receive 120 tokens, good for rack rental, mock labs, whatever....  Very useful stuff!

All comments for this will be withheld for 24 hours to allow the entertainment to ensue!  Good luck!!!
