http://blog.internetworkexpert.com Helping you become a Cisco Certified Internetwork Expert Wed, 14 May 2008 19:12:45 +0000 http://backend.userland.com/rss092 en Hi Brian, Can we use NBAR on the gateway router to prevent internal users from watching video streams from any video web site (like Youtube.com)? Ahmed Hi Ahmed, Yes, NBAR can be used to apply application based filters such as blocking youtube.com traffic. To accomplish this we can categorize traffic based on the ... http://blog.internetworkexpert.com/2008/05/08/using-nbar-for-application-filtering/ Hi Brian, I have a problem with the multicast helper topic, the case when a broadcast network is separated by a multicast network, and then again it continues. Can you discuss this topic? Thanks, Nizami Hi Nizami, The multicast helper-map command is similar in theory to how the unicast “ip helper-map” works. With ... http://blog.internetworkexpert.com/2008/05/06/understanding-the-ip-multicast-helper-map-command/ Hi Brian, I'm having a problem with Workbook Volume 1 Version 4.1. ORF (Outbound Route Filtering) isn't working for me. Any help would be appreciated. Thank you, JoeT Hi Joe, First off let’s talk a little bit about what BGP ORF (Outbound Route Filtering) is designed to do for us, and then ... http://blog.internetworkexpert.com/2008/05/05/understanding-bgp-outbound-route-filtering-bgp-orf/ A voice lab rack usually utilizes dedicated piece of hardware to simulate PSTN switch. Commonly, you can find a Cisco router in this role, with a number of E1/T1 cards set to emulate ISDN network side. It perfectly suits the function, switching ISDN connections between the endpoints. Additionally, it is ... http://blog.internetworkexpert.com/2008/05/02/using-rtp-loopback-for-voippstn-call-testing/ IPMA is yet another well-known CCM application that you may encounter on your CCIE Voice lab exam. While IPMA Proxy mode is clearly a legacy approach to configure this application its still a topic you could see in the lab. Before we discuss the configuration steps, let’s take a ... http://blog.internetworkexpert.com/2008/04/28/ip-manager-assistant-proxy-mode-explained/ GLBP, an acronym for Gateway Load Balancing Protocol, is a virtual gateway protocol similar to HSRP and VRRP. However, unlike it’s little brothers, GLBP is capable of utilizing multiple physical gateways at the same time. As we know, a single HSRP or VRRP group represents once virtual gateway, with single ... http://blog.internetworkexpert.com/2008/04/24/glbp-explained/ IPv6 NAT-PT is to be used with IPv4 to IPv6 migration scenarios and it's purpose is to provide bi-directional connectivity between IPv4 and IPv6 domains. A dual-stack router with interfaces in both IPv4 and IPv6 networks is capable of performing this task. The difference from classic IPv4 NAT is that ... http://blog.internetworkexpert.com/2008/04/18/understanding-ipv6-nat-pt/ OSPF virtual links are relatively simple to configure and you normally do not run into too many problem getting them up and working but an odd issue you could run into is when trying to run the virtual link over an interface who's OSPF cost is maximized (65535 or 0xffff).  ... http://blog.internetworkexpert.com/2008/04/16/ospf-virtual-links-and-max-cost/ There are a lot of rumors floating around in regards to diagrams in the R&S CCIE lab.  Cisco officially has said little in regards to this other than the following "the lab document has L1/L2 diagrams for the physical connectivity as well as an IP or topology diagram and an ... http://blog.internetworkexpert.com/2008/04/16/rs-lab-diagrams/ First off be sure to arrive at the lab at least 15 minutes early. I've done both arrived early and arrived late. I can tell you from personal experience that arriving early is the best option. ;) When you arrive you will be waiting in the lobby ... http://blog.internetworkexpert.com/2008/04/11/rs-lab-attack-plan-part-i/ The scoring in the CCIE lab is done on a per task basis and not a per section basis.  If you do not pass the lab you will receive a breakdown of how you did by section (i.e. IGP, Multicast, etc) but they will not give you a breakdown on ... http://blog.internetworkexpert.com/2008/04/11/scoring-in-the-ccie-lab/ Classification, Policing and Marking on the 3560 model. As we remember, 3560 uses the concept of internal QoS label, which contains both the CoS and DSCP values for a packet. Only one value is actually taken (trusted) from the packet or interface (either CoS or DSCP), and the other one is ... http://blog.internetworkexpert.com/2008/03/26/bridging-the-gap-between-3550-and-3560-qos-part-ii/ A common question that I get from students in class is what are the options to resolve spoke to spoke reachability in a Frame-Relay network. Below are your "standard" choices in order of preference: 1) Use point-to-point subinterfaces on the spokes.  This option is preferred as all IP addresses on ... http://blog.internetworkexpert.com/2008/03/25/resolving-reachability-between-spokes-in-a-hub-and-spoke-frame-relay-network/ Please, refer to the previous parts of this article, for information on the diagram and terms. For this scenario, called “dual-core”, we want the “fast” Ethernet connections (VLAN 356) to be used as primary transport for packet exchange between the routing domains. The Frame-Relay cloud should only be traversed, if ... http://blog.internetworkexpert.com/2008/03/17/understanding-redistribution-part-iii/ The 3560 QoS processing model is tightly coupled with it’s hardware architecture borrowed from the 3750 series switches. The most notable feature is the internal switch ring, which is used for the switch stacking purpose. Packets entering a 3560/3750 switch are queued and serviced twice: first on the ingress, before ... http://blog.internetworkexpert.com/2008/03/03/bridging-the-gap-between-3550-and-3560-qos-part-i/ Catalyst QoS configuration for IP Telephony endpoints is one of the CCIE Voice labs topics. Many people have issues with that one, because of need to memorize a lot of SRND recommendations to do it right. The good news is that during the lab exam you have full access to ... http://blog.internetworkexpert.com/2008/02/26/catalyst-qos-ip-telephony-endpoints/ QoS features available on Catalyst switch platforms have specific limitations, dictated by the hardware design of modern L3 switches, which is heavily optimized to handle packets at very high rates. Catalyst switch QoS is implemented using TCAM (Ternary Content Addressable Tables) - fast hardware lookup tables - to store ... http://blog.internetworkexpert.com/2008/02/23/catalyst-qos-3550-explained/ A common question I get from students is, "when is the best time to take a CCIE bootcamp?" Ideally a bootcamp is taken either  5 to 6 weeks prior to your lab date or the week prior to your lab date.  By taking a bootcamp 5 to 6 weeks prior ... http://blog.internetworkexpert.com/2008/02/22/when-to-schedule-a-ccie-bootcamp/ One common problem that causes candidates to fail the CCIE Routing & Switching Lab Exam is the lack of complete IP reachability to various segments used in the network topology. However, due to the short time constraints of the lab exam itself it can be difficult to dedicate enough ... http://blog.internetworkexpert.com/2008/02/22/using-tcl-and-macro-ping-scripts-for-ccie-lab-reachability-testing/ Simple Redistribution Step-by-Step We're going to take our basic topology from the previous post Understanding Redistribution Part I , and configure to provide full connectivity between all devices with the most simple configuration. Then we are going to tweak some settings and see how they affect redistribution and optimal routing. This ... http://blog.internetworkexpert.com/2008/02/19/understanding-redistribution-part-ii/ Brian,First off, thanks for this great website and the great effort. One question about the CCIR R&S. Is grading effected by executing show or debug commands? Many cases I configure elements and I'm pretty sure that it will work, and omit the verification stage. In other words, ... http://blog.internetworkexpert.com/2008/02/18/74/ Quite many people don't pay attention to the difference in handling packets on interfaces configured for NAT inside and outside. Here is an example to demonstrate how NAT "domains" interact with routing. Consider three routers connected in the following manner: For this scenario we have no routing configured. Let's use ... http://blog.internetworkexpert.com/2008/02/15/the-inside-and-outside-of-nat/ Cisco IOS has a special feature called local policy routing, which permits to apply a route-map to local (router-generated) traffic. The first way we can use this feature is to re-circulate local traffic (and force it re-enter the router). Here's an example. By default, locally-generated packets are not inspected by ... http://blog.internetworkexpert.com/2008/02/13/tricks-with-local-policy-routing/ Abstract: Describe the purpose of redistribution and the issues involved. Prerequisites: Good understanding of IGP routing protocols (OSPF, EIGRP, RIPv2). Let's start straight with a rolling out a group of definitions. Redistribution is a process of passing the routing information from one routing domain to another. The ultimate goal of redistribution is ... http://blog.internetworkexpert.com/2008/02/09/understanding-redistribution-part-i/ Guys, I ran into a task in a lab to configure an ACL to allow BGP and the book has it configured like this: Permit tcp host 150.1.5.5 eq bgp host 150.1.4.4 Permit tcp host 150.1.5.5 host 150.1.4.4 eq bgp Is there a reason why it is configured like that instead of ‘Permit ... http://blog.internetworkexpert.com/2008/02/06/understanding-bgp-port-numbers/ Within the scope of Metro Ethernet services, it is often beneficial to provide customers "point-to-point" VLAN service, where VLAN (multipoint service in essence) is effectively set up to emulate ethernet "pseudowire", by disabling MAC-address learning. The benefit comes from saving metro switches CAM tables address space, thus improving overall scalability ... http://blog.internetworkexpert.com/2008/02/05/turning-switch-into-hub/ When you work with a remote rack by using an access-server (e.g. 25xx) with the async lines connected to the console ports of the pod's routers, you effectively have only one terminal window opened. Using ctrl-Shift-6-x you can quickly switch between terminal lines; however, if you need to monitor "debug" ... http://blog.internetworkexpert.com/2008/02/03/debug-output-collection/ Private VLAN concepts are quite simple, but Cisco's implemenation and configuration steps are a bit confusing - with all the "mappings" and "associations" stuff. Here comes a short overview of how private VLANs work. To begin with, let's look at the concept of VLAN as a broadcast domain. What Private VLANs ... http://blog.internetworkexpert.com/2008/01/31/understanding-private-vlans/ Let's say you get a bunch of inexpensive (but a bit outdated) routers (36XX or 72Xx) and some really nice (maybe not so cheap) Cisco switches (e.g. 3550/3560) and you would like to provide a VPLS-like service to your customers. Since VPLS is a service available only on more powerful ... http://blog.internetworkexpert.com/2008/01/28/poor-mans-vpls/ This is a good example of fragmentation and interleaving, applied in a complex context. To begin with, why whould anyone need to run Multilink PPP (MLPPP or MLP) with Interleaving over Frame-Relay? Well, back in days, when Frame-Relay and ATM were really popular, there was a need to interwork the ... http://blog.internetworkexpert.com/2008/01/26/ppp-multilink-interleaving-over-frame-relay/ Sometimes people need to conditionally advertise routes into BGP table based on time of day. Say, we may want to adversite IGP prefix 150.1.1.0/24 with community 1:100 during daytime and with community 1:200 at the other time. Back in days, the procedure was easy - you had to create time ... http://blog.internetworkexpert.com/2008/01/25/bgp-time-based-policy-routing/ The need for fragmentation We are going to briefly discuss Layer2 fragmentation schemes, their purpose and configuration examples. Let's start with a general discussion. Usually, Layer2 fragmentation is used to accomplish one of two goals: a) Link aggregation, e.g. making a number of physical channels look like one logical link from Layer2 ... http://blog.internetworkexpert.com/2008/01/25/link-efficiency-fragmentation/ This is a "modern" way to configure FRTS, using MQC commands only to accomplish the task. With MQC approach, an unified interface has been introduced to configure all QoS settings, irrelevant of underlying technology. In summary: - Legacy command frame-relay traffic-shaping is incompatible with MQC-based FRTS (you can't mix them) - Fancy queueing ... http://blog.internetworkexpert.com/2008/01/24/mqc-based-frame-relay-traffic-shaping/ This is the most well-known FRTS method, which has been available for quite a while on Cisco routers. It is now being outdated by MQC configurations. The key characteristic is that all settings are configured under map-class command mode, and later are applied to a particular set PVCs. The same configuration concept ... http://blog.internetworkexpert.com/2008/01/22/legacy-frts/ As first and very basic option, you may use Generic Traffic Shaping to implement FRTS. This is a common technique, not unique to Frame-Relay, with the following properties: - Configured by using traffic-shape interface command - As with standard GTS, internal shaper queue is basic WFQ - Configured per inteface/subinteface (no ... http://blog.internetworkexpert.com/2008/01/21/frame-relay-traffic-shaping-with-gts/ Below are a couple example configurations for PPPoE. Note that you can run into MTU issues when trying to use OSPF over PPPoE. This can easily be resolved by using the "ip ospf mtu-ignore" command as the dialer interface's MTU is 1492 while the virtual-template's (virtual-access) MTU is 1500. *** ... http://blog.internetworkexpert.com/2008/01/20/example-configurations-for-ppp-over-ethernet-pppoe/ Brian, Why does the point-to-multipoint OSPF network type generate the /32 routes and how can I stop them from being advertised? The behavior of point-to-multipoint is to advertise each end-point out as a /32 and suppress the advertisement of the network itself. Point-to-multipoint advertises the end points to overcome possible reachability issues ... http://blog.internetworkexpert.com/2008/01/17/ospf-point-to-multipoint-network-type-and-32-routes/ Brian, I noticed that some of the links on the documentation link to Cisco's main website. Will we have access to these links in the CCIE lab? In the CCIE lab you will have access to any of the links on the DocCD (http:www.cisco.com/univercd). Any of the links that link ... http://blog.internetworkexpert.com/2008/01/17/cisco-doccd-links/ Current as of Jan 2008. IOS 12.4(5b) CME 3.3 CUE 2.1.3 CRS (IPCC Express) 4.0.1 CallManager 4.1(3)sr3b Unity 4.0(5) Catalyst OS 7.6 (6500) IOS 12.1 (3550)ShareThis http://blog.internetworkexpert.com/2008/01/16/ccie-voice-lab-software-versions/ Brian, When I use the debug ip mpacket command I'm not getting any output. Any idea why? First off it's important to understand that multicast traffic is fast switched with the exception of interfaces using X.25 encapsulation. Since the multicast traffic is fast switched it will not be sent ... http://blog.internetworkexpert.com/2008/01/16/no-output-from-the-debug-ip-mpacket-command/ Hi Brians, Just a quick question about the "include-connected" command when redistributing IPv6 protocols (especially RIPng and OSPFv3). From the DocCD it says that it allows the quote "target protocol to redistribute routes learned by the source protocol and connected prefixes on those interfaces over which the source protocol is ... http://blog.internetworkexpert.com/2008/01/15/understanding-how-redistribution-works-in-ipv6/ Commonly people run into issues with the ip default-network command putting static routes in their configuration when they select a network that can not be considered as the candidate default network. I'll show the two common mistakes with this command that causes this to happen. In the scenario below R4 ... http://blog.internetworkexpert.com/2008/01/15/issues-with-the-ip-default-network-command/ Hi Brian, What is the best way to search through Cisco Doc CD during lab exam? It will be nice to know the recommended best way (if there is any) to look for features in the CD. Can you please use a feature as an example and help locate ... http://blog.internetworkexpert.com/2008/01/14/how-to-search-the-cisco-doccd/ For inbound updates the order of preference is: 1. route-map 2. filter-list 3. prefix-list, distribute-list For outbound updates the order of preference is: 1. prefix-list, distribute-list 2. filter-list 3. route-mapShareThis http://blog.internetworkexpert.com/2008/01/11/bgp-order-of-preference/ Inbound 1. QoS Policy Propagation through Border Gateway Protocol (BGP) (QPPB) 2. Input common classification 3. Input ACLs 4. Input marking (class-based marking or Committed Access Rate (CAR)) 5. Input policing (through a class-based policer or CAR) 6. IP Security (IPSec) 7. Cisco Express Forwarding (CEF) or Fast Switching Outbound 1. CEF or Fast Switching 2. Output common classification 3. Output ... http://blog.internetworkexpert.com/2008/01/11/qos-order-of-operations/ Egress Features 1. WCCP Redirect 2. NAT Inside-to-Outside 3. Network Based Application Recognition (NBAR) 4. BGP Policy Accounting 5. Output QoS Classification 6. Output ACL check 7. Output Flexible Packet Matching (FPM) 8. DoS Tracker 9. Output Stateful Packet Inspection (IOS FW) 10. TCP Intercept 11. Output QoS Marking 12. Output Policing (CAR) 13. Output MAC/Precedence Accounting 14. IPsec Encryption 15. Egress NetFlow 16. Egress Flexible ... http://blog.internetworkexpert.com/2008/01/11/ios-egress-and-ingress-orders-of-operations/ Brian, I have a question regarding the R&S Lab exam. Can I telnet to the back bone routers to test routing? For our rack rentals we allow access to the backbone routers but in the real CCIE lab you will not have access to them. You will have to understand how ... http://blog.internetworkexpert.com/2008/01/10/question-regarding-backbone-router-access-in-the-ccie-lab/ Brian, When working on some of the Volume II labs I've noticed that we are sometimes not told to advertise certain networks. What do I do in this situation and how does this relate to the real lab? In our labs we leave some ambiguity as to this issue so this ... http://blog.internetworkexpert.com/2008/01/09/what-networks-to-advertise-and-how-to-advertise-them/ Brian, 1) Lab difficulties range from 1 to 10. Typically speaking, what's the difficulty of the real CCIE exam? 2) Does IEWB R&S vol 1 and vol 2 cover all topics needed to pass the CCIE R&S? Generally speaking the difficulty rating of the real lab will be roughly 7 to 8 as ... http://blog.internetworkexpert.com/2008/01/09/iewb-rs-volume-ii-lab-difficulty-rating/ The “Ask the Expert” sessions are open question and answer sessions with the an actual CCIE lab proctor. The excerpts below were taken from the most recent session. In regards to security topics on the exam: The security topics listed below are defined by the R&S lab blueprint and make up about ... http://blog.internetworkexpert.com/2008/01/08/highlights-from-ciscos-recent-ask-the-expert-session/ Prior to the support of prefix-lists in the IOS advanced filtering for BGP needed to be done using extended ACLs.  The syntax for using extended ACLs is shown below: access-list <ACL #> permit ip <network> <wildcard mask of network> <subnet mask> <wildcard mask of subnet mask> The source portion of the extended ... http://blog.internetworkexpert.com/2008/01/08/using-extended-acls-for-bgp-filtering/ Extended ACLs work with IGP protocols but you can not match on the subnet mask portion of the route.  Extended ACLs are used with IGP protocols to match the network portion of the route and the IP address of the router that sent the route.  Here is an example of ... http://blog.internetworkexpert.com/2008/01/08/using-extended-acls-with-igps/ By adjusting the hello/dead timers you can make non-compatible OSPF network types appear as neighbors via the "show ip ospf neighbor" but they won't become "adjacent" with each other.  OSPF network types that use a DR (broadcast and non-broadcast) can neighbor with each other and function properly.  Likewise OSPF network ... http://blog.internetworkexpert.com/2008/01/08/understanding-ospf-network-types/ When configuring a Frame Relay switch layer 1 DCE/DTE is independent of layer 2 DCE/DTE. The "clock rate" command can only be applied on the layer 1 DCE side of the cable. This can be determined by looking at the cable for a DTE/DCE labeling, using the "show controllers ... http://blog.internetworkexpert.com/2008/01/08/frame-relay-dce-vs-physical-dce/ This problem is common when running OSPF between a switch (i.e 3550 or 3560) and a router. The error message that is generated when this problem occurs is: %OSPF-5-ADJCHG: Process 1, Nbr 150.8.5.5 on Vlan258 from DOWN to DOWN, Neighbor Down: Dead timer expired %OSPF-5-ADJCHG: Process 1, Nbr 150.8.2.2 on Vlan258 ... http://blog.internetworkexpert.com/2008/01/08/ospf-mtu-mismatch-issue/ Hello Brian,Can you explain how PPP over Frame Relay works? Also what are the advantages and disadvantages of using it over normal Frame Relay configuration?Thanks and regards, Yaser Hi Yaser, Frame Relay does not natively support features such as authentication, link quality monitoring, and reliable transmission. Based on this it ... http://blog.internetworkexpert.com/2008/01/07/understanding-ppp-over-frame-relay-pppofr/ Hi Brian, Can you explain the easiest way to construct a regular expression in BGP? Thanks, Rowan Hi Rowan, Regular expressions are strings of special characters that can be used to search and find character patterns. Within the scope of BGP in Cisco IOS regular expressions can be used in show commands and AS-Path ... http://blog.internetworkexpert.com/2008/01/06/understanding-bgp-regular-expressions/ Hi Brian, I'm trying to create a distribute-list in RIP to allow only even routes to be received. I can do it successfully with a standard ACL, however if I use an extended ACL I can't get any routes at all. I've heard that extended ACLs are better because ... http://blog.internetworkexpert.com/2008/01/04/using-extended-access-lists-in-a-distribute-list/ Hi Brian, I've heard that items in a numbered ACL can be deleted without taking down the entire ACL. Is it true and how? In newer IOS versions sequence numbers can be used to quickly edit, add, and remove entries from a named extended access-list. However in all IOS versions ... http://blog.internetworkexpert.com/2008/01/03/editing-numbered-access-lists-on-the-fly/ Hi Brian, I enjoy the new blog feature. Lots of valuable information condensed in a small space. Could you explain in a nutshell how to troubleshoot multicast RPF failures? I understand the concept, just figuring out what shows and/or debugs to use always seems to take me ... http://blog.internetworkexpert.com/2008/01/02/troubleshooting-multicast-rpf-failure/ Hi Brian, How do I switch between devices when using a Cisco access server? There are two ways to connect to devices attached to an access server, you can terminate your exec session on the access server itself (one terminal window for all sessions), or you can terminate your exec session on ... http://blog.internetworkexpert.com/2007/12/29/how-to-use-a-cisco-access-server/ OSPF point-to-multipoint non-broadcast was designed to allow for the assignment of the cost on a per neighbor basis as opposed to using the interface's cost. This is useful on a multipoint Frame Relay interface where there are two neighbors advertising the same route but the CIRs for the DLCIs to ... http://blog.internetworkexpert.com/2007/12/29/understanding-the-ospf-point-to-multipoint-non-broadcast-network-type/ First off we need to understand that traceroute is a technique to have the routers between the source and destination reveal themselves and finally have the destination reveal itself. Traceroute can be implemented using ICMP, UDP, and even TCP so as a CCIE when someone asks you to filter ... http://blog.internetworkexpert.com/2007/12/28/understanding-traceroute/ Hi Brian, I am using dialer profiles for ISDN and I want protocol broadcasts such as RIP to be sent out accross the ISDN link. I tried to find the command that allows me to configure broadcast but the dialer interfaces do not accept the dialer map command. How do I ... http://blog.internetworkexpert.com/2007/12/28/whats-the-difference-between-a-dialer-profile-and-a-rotary-group/ Hi Brian,I configured NTP on 2 Routers back-to-back with authentication (md5). So far everything works fine. I removed authentication on one of the Routers (no ntp authenticate) and they continue to sync. I even rebooted the router on which I had removed the authentication and they ... http://blog.internetworkexpert.com/2007/12/28/how-does-ntp-authentication-work/ Hi Brian, I have a router with two interfaces running both RIP and EIGRP as follows: Interface IP-Address OK? Method Status Prot Serial0 172.16.5.5 YES manual up up Serial1 172.16.1.5 ... http://blog.internetworkexpert.com/2007/12/27/how-do-i-control-which-interfaces-run-eigrp-vs-rip/ Unlike PAP, CHAP does not actually send a password over the line. Instead, a hash value made up of the password and magic number is sent. Unless the hash matches from both authenticating parties, authentication is not successful. By default, the router sends it's hostname for authentication when using chap. ... http://blog.internetworkexpert.com/2007/12/26/how-does-the-ppp-chap-password-command-work/ "async mode dedicated" is strictly for PPP and SLIP connections. "async mode interactive", on the other hand, can be used for PPP, SLIP, ARAP, along with EXEC access to the router. Suppose you're dialing into the router's AUX port to access the CLI. In this case you ... http://blog.internetworkexpert.com/2007/12/26/what-is-the-difference-between-async-modes-dedicated-and-interactive/ Prefix-lists are used to match on prefix and prefix-length pairs. Normal prefix-list syntax is as follows: ip prefix-list LIST permit w.x.y.z/len Where w.x.y.z is your exact prefix And where len is your exact prefix-length "ip prefix-list LIST permit 1.2.3.0/24" would be an exact match for the prefix 1.2.3.0 with a subnet mask of ... http://blog.internetworkexpert.com/2007/12/26/how-do-prefix-lists-work/ Suppose we have the following scenario: R1---R2--R3--R4---R5 R1 is AS 100 R2, R3, R4 are AS 200 R5 is AS 300 R2, R3, R4 are confederated, with sub as's 65002, 65003, and 65004 respectively. They are also originating prefixes A, B, & C respectively. If AS 200 does not want to be transit, ... http://blog.internetworkexpert.com/2007/12/26/q-how-do-i-stop-a-confederation-from-being-used-as-transit/ Access-list address and wildcard pair calculations are based around the AND and XOR logic gates. AND: The output is high only when both inputs A and B are high. A AND B ______________ | A | B | out | | 0 | 0 | 0 | | 0 | 1 | 0 ... http://blog.internetworkexpert.com/2007/12/26/q-how-do-i-compute-complex-wildcard-masks-for-access-lists/