03-11-2002 05:37 PM - edited 03-01-2019 08:49 PM
I'm trying to get a better understanding of summarizing addresses in my access lists. I have followed some postings on the old Q&A forums and have read the O'Reilly Cisco IOS Access Lists book.
One example I have is to deny only the four hosts with the addresses of X.X.X.27 - X.X.X.30. These four will be denied with multiple port numbers but allowed with others. If I can summarize them this would be a great help. I would like to figure it out my self but I'm still not comfortable with the subject. Can anyone suggest other resources to help me?
Thanks for any help.
Jeff
03-20-2002 12:05 PM
I'm not sure that I understand your question regarding the four hosts. For example, you want to deny these 4 IP addresses for telnet and FTP but you want to allow HTTP?
OR
Are you looking for masking info to be able to block x.x.x.N with mask n.n.n.X where N would indicate 4 IP addresses?
OR
Are you looking for a simple answer such as . . . "If you allow x.x.x.27-30 on port 80, by definition all other combinations of IP addresses, destinations and ports will be denied"
Good luck.
Steve
03-26-2002 08:27 AM
I would be looking to summarize the hosts .27 - .30 into one statement, e.g. x.x.x.27 0.0.0.3. It's the mask part that I'm confused about. I have one router where I'm blocking 6 networks x.x.200.0 - x.x.205.0 but would like to summarize them as best I can with one or two access list statements. I just have a hard time understanding how to summarize them from looking at the bit level as described from either other posts or the book I mentioned.
Thanks for any help.
Jeff
03-20-2002 12:20 PM
You can summarize based on IP address using a netmask-ish sort of thing. (It's actually a wildcard mask, which is the inverse of a netmask.) So, if you wanted to allow 192.168.1.4 - 192.168.1.7, tcp port 20, 21, and 80 but deny everything else you would use:
access-list xxx permit tcp 192.168.1.4 0.0.0.3 any eq 20
access-list xxx permit tcp 192.168.1.4 0.0.0.3 any eq 21
access-list xxx permit tcp 192.168.1.4 0.0.0.3 any eq 80
Similarly for udp.
You can sort of summarize based on ports using the 'eq', 'gt', and 'lt' operators. e.g. all ports greater than 1024, or all ports less than 23, or all ports equal to 80, but this doesn't sound like it would meet your needs.
03-26-2002 08:32 AM
Thanks for the reply. Your reply is what I'm looking for but I just need a better understanding of summarizing hosts or networks in my access lists. I have a hard time understanding how to summarize them from looking at the bit level as described from either other posts or the book I mentioned.
Thanks for any help.
Jeff
03-26-2002 06:38 PM
If you find it hard and just want to do it, go ahead and download an IP calculator (e.g. http://www.wildpackets.com/products/ipsubnetcalculator),
but if you really want to grasp the subject, I would say practice turning all those IP addresses into bits.
example:
let's say you want to include in one single command the following IPs:
192.168.1.0
192.168.1.1
192.168.1.2
192.168.1.3
192.168.1.4
192.168.1.5
192.168.1.6
192.168.1.7
Then you would translate every one to bits:
11000000.10101000.00000001.00000000
11000000.10101000.00000001.00000001
11000000.10101000.00000001.00000010
11000000.10101000.00000001.00000011
11000000.10101000.00000001.00000100
11000000.10101000.00000001.00000101
11000000.10101000.00000001.00000110
11000000.10101000.00000001.00000111
then you try to find a pattern and realize that all of these addresses can be summarized to:
11000000.10101000.00000001.00000XXX
right?
so using inverse mask, 0's mean "I care" and 1's "I don't care" so:
00000000.00000000.00000000.00000111
so this is the inverse mask, back to decimal: 0.0.0.7
so finally:
192.168.1.0 0.0.0.7
(why 192.168.1.0? well just because it's the first one in the series).
And just if you had a doubt: 192.168.1.5 0.0.0.7
this would still mean the same thing (though, I don't think the router would accept that)
There is a lot more information on another very related subject: subnet masking. If you understand subnet masking you'll realize you then know inverse masking.
hope this helps. Good luck!
03-28-2002 06:56 AM
Thanks for the tutorial. It helped me start to grasp the concept. Sometimes it takes a particular person or method to help understand something.
Thanks.
Jeff