Access List Summarization

jeff
Level 1

I'm trying to get a better understanding of summarizing addresses in my access lists. I have followed some postings on the old Q&A forums and have read the O'Reilly Cisco IOS Access Lists book.

One example I have is to deny only the four hosts with the addresses of X.X.X.27 - X.X.X.30. These four will be denied with multiple port numbers but allowed with others. If I can summarize them this would be a great help. I would like to figure it out my self but I'm still not comfortable with the subject. Can anyone suggest other resources to help me?

Thanks for any help.

Jeff

6 Replies

vzops
Level 1

I'm not sure that I understand your question regarding the four hosts. For example, you want to deny these 4 IP addresses for telnet and FTP but you want to allow HTTP?

OR

Are you looking for masking info to be able to block x.x.x.N with mask n.n.n.X where N would indicate 4 ip addresses?

OR

Are you looking for a simple answer such as . . . "If you allow x.x.x.27-30 on port 80, by definition all other combinations of IP addresses, destinations and ports will be denied"

Good luck.

Steve

I would be looking to summarize the hosts .27 - .30 into one statement, e.g. x.x.x.27 0.0.0.3. It's the mask part that I'm confused about. I have one router where I'm blocking 6 networks x.x.200.0 - x.x.205.0 but would like to summarize them as best I can with one or two access list statements. I just have a hard time understanding how to summarize them from looking at the bit level as described from either other posts or the book I mentioned.

Thanks for any help.

Jeff

cwu
Level 1

You can summarize based on IP address using a netmask-ish sort of thing. (It's actually a wildcard mask, which is the inverse of a netmask.) So, if you wanted to allow 192.168.1.4 - 192.168.1.7, tcp port 20, 21, and 80 but deny everything else you would use:

access-list xxx permit tcp 192.168.1.4 0.0.0.3 any eq 20

access-list xxx permit tcp 192.168.1.4 0.0.0.3 any eq 21

access-list xxx permit tcp 192.168.1.4 0.0.0.3 any eq 80

Similarly for udp.

You can sort of summarize based on ports using the 'eq', 'gt', and 'lt' operators. e.g. all ports greater than 1024, or all ports less than 23, or all ports equal to 80, but this doesn't sound like it would meet your needs.

Thanks for the reply. Your reply is what I'm looking for but I just need a better understanding of summarizing hosts or networks in my access lists. I have a hard time understanding how to summarize them from looking at the bit level as described from either other posts or the book I mentioned.

Thanks for any help.

Jeff

If you find it hard and just wanna do it, go ahead and download an ip calculator (e.g. http://www.wildpackets.com/products/ipsubnetcalculator)

but if you really wanna grasp the subject, I would say practice turning all those IP addresses to bits.

example:

let's say you wanna include in one single command the following IPs:

192.168.1.0

192.168.1.1

192.168.1.2

192.168.1.3

192.168.1.4

192.168.1.5

192.168.1.6

192.168.1.7

Then you would translate every one to bits:

11000000.10101000.00000001.00000000

11000000.10101000.00000001.00000001

11000000.10101000.00000001.00000010

11000000.10101000.00000001.00000011

11000000.10101000.00000001.00000100

11000000.10101000.00000001.00000101

11000000.10101000.00000001.00000110

11000000.10101000.00000001.00000111

then you try to find a pattern and realize that all of these addresses can be summarized to:

11000000.10101000.00000001.00000XXX

right?

so using the inverse mask, 0's mean "I care" and 1's mean "I don't care", so:

00000000.00000000.00000000.00000111

so this is the inverse mask, back to decimal: 0.0.0.7

so finally:

192.168.1.0 0.0.0.7

(why 192.168.1.0? well just because it's the first one in the series).

And just if you had a doubt: 192.168.1.5 0.0.0.7

this would still mean the same thing (though, I don't think the router would accept that)

There is a lot more information on another very related subject: subnet masking. If you understand subnet masking you'll realize you then know inverse masking.

hope this helps. Good luck!
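As an added example (not part of the thread, and not from any of the posters), here is a small Python script that does the bit-level work described above with the standard library's ipaddress module. It also checks the two ranges from Jeff's question: .27-.30 cannot be written as a single statement because .27 is not aligned to a power-of-two block, and x.x.200.0-x.x.205.0 needs two statements. The addresses 192.168.1.x and 10.1.x.x are constructed sample values.

```python
from ipaddress import IPv4Address, summarize_address_range


def wildcard_summary(first: str, last: str) -> list[tuple[str, str]]:
    """Smallest set of (address, wildcard) pairs that match exactly the
    hosts first..last inclusive.  Each aligned block that
    summarize_address_range yields becomes one access-list statement; the
    wildcard mask is the bit-inverse of the block's netmask (its hostmask)."""
    pairs = []
    for net in summarize_address_range(IPv4Address(first), IPv4Address(last)):
        pairs.append((str(net.network_address), str(net.hostmask)))
    return pairs


def acl_matches(address: str, wildcard: str, candidate: str) -> bool:
    """Wildcard comparison as the router does it: a 1 bit in the wildcard
    means "don't care", every 0 bit must match between address and candidate."""
    a, w, c = (int(IPv4Address(x)) for x in (address, wildcard, candidate))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (c & care)


def matched_in(address: str, wildcard: str, first: str, last: str) -> list[str]:
    """All hosts in first..last that an (address, wildcard) pair would match.
    Useful for spotting an unaligned base address that leaks neighbours."""
    lo, hi = int(IPv4Address(first)), int(IPv4Address(last))
    return [str(IPv4Address(i)) for i in range(lo, hi + 1)
            if acl_matches(address, wildcard, str(IPv4Address(i)))]


if __name__ == "__main__":
    # The tutorial's example: eight hosts collapse to one statement.
    print(wildcard_summary("192.168.1.0", "192.168.1.7"))
    # Jeff's four hosts .27-.30: three statements, because .27 is odd.
    print(wildcard_summary("192.168.1.27", "192.168.1.30"))
    # The naive guess "x.x.x.27 0.0.0.3" actually matches .24-.27, not .27-.30.
    print(matched_in("192.168.1.27", "0.0.0.3", "192.168.1.20", "192.168.1.35"))
    # Six /24 networks 200-205 summarize into a /22 and a /23.
    print(wildcard_summary("10.1.200.0", "10.1.205.255"))
```

Each pair prints in the order it would appear in an `access-list` line (address, then wildcard); the matched_in check is the one to run before trusting a hand-written mask.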

Thanks for the tutorial. It helped me start to grasp the concept. Sometimes it takes a particular person or method to help understand something.

Thanks.

Jeff