Access List Summarization

I'm trying to get a better understanding of summarizing addresses in my access lists. I have followed some postings on the old Q&A forums and have read the O'Reilly Cisco IOS Access Lists book.

One example I have is to deny only the four hosts with the addresses of X.X.X.27 - X.X.X.30. These four will be denied with multiple port numbers but allowed with others. If I can summarize them this would be a great help. I would like to figure it out myself but I'm still not comfortable with the subject. Can anyone suggest other resources to help me?

Thanks for any help.

Jeff

6 REPLIES

Re: Access List Summarization

I'm not sure that I understand your question regarding the four hosts. For example, you want to deny these 4 IP addresses for telnet and FTP but you want to allow HTTP?

OR

Are you looking for masking info to be able to block x.x.x.N with mask n.n.n.X where N would indicate 4 ip addresses?

OR

Are you looking for a simple answer such as . . . "If you allow x.x.x.27-30 on port 80, by definition all other combinations of IP addresses, destinations and ports will be denied"

Good luck.

Steve


Re: Access List Summarization

I would be looking to summarize the hosts .27 - .30 into one statement, e.g. x.x.x.27 0.0.0.3. It's the mask part that I'm confused about. I have one router where I'm blocking 6 networks x.x.200.0 - x.x.205.0 but would like to summarize them as best I can with one or two access list statements. I just have a hard time understanding how to summarize them from looking at the bit level as described from either other posts or the book I mentioned.

Thanks for any help.

Jeff

cwu

Re: Access List Summarization

You can summarize based on IP address using a netmask-ish sort of thing. (It's actually a wildcard mask, which is the inverse of a netmask.) So, if you wanted to allow 192.168.1.4 - 192.168.1.7, tcp port 20, 21, and 80 but deny everything else you would use:

access-list xxx permit tcp 192.168.1.4 0.0.0.3 any eq 20
access-list xxx permit tcp 192.168.1.4 0.0.0.3 any eq 21
access-list xxx permit tcp 192.168.1.4 0.0.0.3 any eq 80

Similarly for udp.

You can sort of summarize based on ports using the 'eq', 'gt', and 'lt' operators. e.g. all ports greater than 1024, or all ports less than 23, or all ports equal to 80, but this doesn't sound like it would meet your needs.


Re: Access List Summarization

Thanks for the reply. Your reply is what I'm looking for but I just need a better understanding of summarizing hosts or networks in my access lists. I have a hard time understanding how to summarize them from looking at the bit level as described from either other posts or the book I mentioned.

Thanks for any help.

Jeff


Re: Access List Summarization

If you find it hard and just wanna do it, go ahead and download an ip calculator (e.g. http://www.wildpackets.com/products/ipsubnetcalculator)

but if you really wanna grasp the subject, I would say practice turning all those IP addresses into bits.

example:

let's say you wanna include in one single command the following IPs:

192.168.1.0
192.168.1.1
192.168.1.2
192.168.1.3
192.168.1.4
192.168.1.5
192.168.1.6
192.168.1.7

Then you would translate every one to bits:

11000000.10101000.00000001.00000000
11000000.10101000.00000001.00000001
11000000.10101000.00000001.00000010
11000000.10101000.00000001.00000011
11000000.10101000.00000001.00000100
11000000.10101000.00000001.00000101
11000000.10101000.00000001.00000110
11000000.10101000.00000001.00000111

then you try to find a pattern and realize that all of these addresses can be summarized to:

11000000.10101000.00000001.00000XXX

right?

so using inverse mask, 0's mean "I care" and 1's "I don't care" so:

00000000.00000000.00000000.00000111

so this is the inverse mask, back to decimal: 0.0.0.7

so finally:

192.168.1.0 0.0.0.7

(why 192.168.1.0? well just because it's the first one in the series).

And just if you had a doubt: 192.168.1.5 0.0.0.7

this would still mean the same thing (though, I don't think the router would accept that)

There is a lot more information on another very related subject: subnet masking. If you understand subnet masking you'll realize you then know inverse masking.

hope this helps. Good luck!
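A worked version of the bit-level method above, as an added example that is not from this thread or from Cisco. It computes the smallest set of address/wildcard pairs covering any range (a range such as .27 - .30 does not fit one aligned block and needs several lines), checks a host against an entry the way the router compares bits (0 = must match, 1 = don't care), and emits the access-list lines. The ACL number, ports and addresses are constructed sample values.

```python
import ipaddress


def range_to_wildcards(first, last):
    """Cover first..last (inclusive) with the fewest 'address wildcard' pairs.
    Each pair is a power-of-two-sized block whose base is aligned to its size,
    so every bit under the wildcard is 0 in the base address."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError("range start is after range end")
    pairs = []
    while lo <= hi:
        size = 1
        # Grow the block while lo stays aligned and the block stays inside the range.
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        # The wildcard is size - 1: the low-order bits that vary are set to 1.
        pairs.append((str(ipaddress.IPv4Address(lo)),
                      str(ipaddress.IPv4Address(size - 1))))
        lo += size
    return pairs


def acl_match(address, wildcard, host):
    """True if host matches the entry 'address wildcard': bits where the
    wildcard is 0 must agree, bits where it is 1 are ignored. This is why
    192.168.1.5 0.0.0.7 selects the same hosts as 192.168.1.0 0.0.0.7."""
    a, w, h = (int(ipaddress.IPv4Address(x)) for x in (address, wildcard, host))
    return (a & ~w) == (h & ~w)


def deny_range_lines(acl_number, first, last, ports):
    """Build IOS access-list lines denying TCP from first..last to the given ports."""
    lines = []
    for base, wildcard in range_to_wildcards(first, last):
        for port in ports:
            lines.append(f"access-list {acl_number} deny tcp {base} {wildcard} any eq {port}")
    return lines


if __name__ == "__main__":
    # Constructed sample: the .27 - .30 hosts from the question, denied for telnet and FTP.
    for line in deny_range_lines(101, "10.0.0.27", "10.0.0.30", [21, 23]):
        print(line)
```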


Re: Access List Summarization

Thanks for the tutorial. It helped me start to grasp the concept. Sometimes it takes a particular person or method to help understand something.

Thanks.

Jeff
