I'm trying to get a better understanding of summarizing addresses in my access lists. I have followed some postings on the old Q&A forums and have read the O'Reilly Cisco IOS Access Lists book.
One example I have is to deny only the four hosts with the addresses of X.X.X.27 - X.X.X.30. These four will be denied with multiple port numbers but allowed with others. If I can summarize them this would be a great help. I would like to figure it out myself but I'm still not comfortable with the subject. Can anyone suggest other resources to help me?
I would be looking to summarize the hosts .27 - .30 into one statement, e.g. x.x.x.27 0.0.0.3. It's the mask part that I'm confused about. I have one router where I'm blocking 6 networks x.x.200.0 - x.x.205.0 but would like to summarize them as best I can with one or two access list statements. I just have a hard time understanding how to summarize them from looking at the bit level as described from either other posts or the book I mentioned.
You can summarize based on IP address using a netmask-ish sort of thing. (It's actually a wildcard mask, which is the inverse of a netmask.) So, if you wanted to allow 192.168.1.4 - 192.168.1.7, tcp port 20, 21, and 80 but deny everything else you would use:
access-list xxx permit tcp 192.168.1.4 0.0.0.3 any eq 20
access-list xxx permit tcp 192.168.1.4 0.0.0.3 any eq 21
access-list xxx permit tcp 192.168.1.4 0.0.0.3 any eq 80
Similarly for udp.
You can sort of summarize based on ports using the 'eq', 'gt', and 'lt' operators. e.g. all ports greater than 1024, or all ports less than 23, or all ports equal to 80, but this doesn't sound like it would meet your needs.
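A worked illustration of the wildcard-mask arithmetic this thread is about, added here and not part of any post above: it splits an arbitrary host range into the aligned power-of-two blocks that one ACL statement can express, renders the statements, and checks which addresses a given address/wildcard pair really matches (bits where the wildcard is 0 must be equal; bits where it is 1 are ignored). The 10.0.0.x and 10.1.x.x addresses are constructed stand-ins for the x.x.x placeholders in the question.

```python
import ipaddress


def summarize_range(first, last):
    """Return the minimal list of (address, wildcard) pairs covering every
    IPv4 address from `first` to `last` inclusive, Cisco ACL style.

    Each pair is an aligned block whose size is a power of two; the wildcard
    mask has 1-bits exactly where addresses inside the block differ."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError("first address must not be above last")
    entries = []
    while lo <= hi:
        # Grow the block while it stays aligned at `lo` and ends at or before `hi`.
        size = 1
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        entries.append((str(ipaddress.IPv4Address(lo)),
                        str(ipaddress.IPv4Address(size - 1))))
        lo += size
    return entries


def acl_statements(action, proto, first, last, port, number=101):
    """One numbered-ACL statement per summarized block (source = block, dest = any)."""
    return [f"access-list {number} {action} {proto} {addr} {wc} any eq {port}"
            for addr, wc in summarize_range(first, last)]


def matches(addr, base, wildcard):
    """True if `addr` is selected by the ACL pair `base wildcard`.

    A wildcard 0-bit means 'must match', a 1-bit means 'don't care', so the
    address and the base must agree on every bit the inverted mask keeps."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return ((int(ipaddress.IPv4Address(addr)) ^ int(ipaddress.IPv4Address(base)))
            & care) == 0


if __name__ == "__main__":
    # .27-.30 does not fit a single aligned block, so three statements are needed.
    for line in acl_statements("deny", "tcp", "10.0.0.27", "10.0.0.30", 23):
        print(line)
    # The statement proposed in the question, .27 0.0.0.3, actually covers .24-.27.
    print(matches("10.0.0.24", "10.0.0.27", "0.0.0.3"))
```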
Thanks for the reply. Your reply is what I'm looking for but I just need a better understanding of summarizing hosts or networks in my access lists. I have a hard time understanding how to summarize them from looking at the bit level as described from either other posts or the book I mentioned.