Doubt about summarization in ACL

CarlosFull
Level 1

Hello everyone

First, sorry if the word isn't "summarization". I think so, but if it's called something else, excuse me and correct me, please...

I have a question in my head for days and I need someone to explain why...

This is a question that I have seen on a networking website and I don't understand the answer:

access-list 107 deny tcp 207.16.12.0 0.0.3.255 any eq http
access-list 107 permit ip any any

The exercise gives you 5 possible IPs and you have to determine which two IPs would be denied:

207.16.32.14 http (application)
207.16.15.9 23 (port)
207.16.16.14 53 (port)
207.16.14.7 80 (port)
207.16.13.14 http (application)

Mask is 255.255.252.0 and I know that to solve the doubt, I have to look at the third octet of the wildcard, "252", which is the octet that will determine the range of IPs denied or not.

I also know that I have to convert that number to binary, which is 11111100, that leaves "00" for the calculation and this is where the doubt comes:

00 can be:

00=0

01=1

10=2

11=3

So, why does that ACL deny the last two of those five IPs, with third octets of 14 and 13??? (207.16.14.7 80 (port) and 207.16.13.14 http (application)).

I would like to understand the answer because honestly, I don't understand it... Thanks and regards

Accepted Solution

Richard Burts
Hall of Fame

Summarization is not a bad term to describe what is going on but aggregation is probably a better term.

You are on the right track, but have a detail not right. You are right that the 252 mask leaves you 00 and that indicates 0, 1, 2, 3, but you need to remember that the subnet does not start at 0 but starts at 12. So the results in the access list would actually match 12, 13, 14, 15.

If you look at the possible answers:

207.16.32.14 http (application) is not right because 32 is outside the range.

207.16.15.9 23 (port) is not right. 15 is in the range but port 23 does not match the ACL.

207.16.16.14 53 (port) is not right because 16 is outside the range.

207.16.14.7 80 (port) is a right choice. 14 is in the range and the port matches the ACL.

207.16.13.14 http (application) is a right choice. 13 is in the range and the application matches the ACL.

I hope this helps you to understand it better.

HTH

Rick
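The matching Rick describes, as an added example that is not from the thread or from Cisco: it evaluates the two-line ACL from the question against the five candidate packets using the wildcard-mask rule (a 0 bit in the wildcard must match, a 1 bit is "don't care"), and derives the 207.16.12.0 to 207.16.15.255 range directly from the mask. The CANDIDATES list is constructed from the exercise; treating "http" as TCP/80 and port 53 as TCP are assumptions.

```python
import ipaddress
# ACL from the question: (action, protocol, source network, wildcard, dst port)
ACL = [
    ("deny",   "tcp", "207.16.12.0", "0.0.3.255",       80),    # eq http
    ("permit", "ip",  "0.0.0.0",     "255.255.255.255", None),  # any any
]

# The five candidate packets from the exercise: (source, protocol, dst port).
# Constructed here; "http" is taken as TCP/80 and DNS/53 as TCP (assumption;
# the outcome for 207.16.16.14 is the same either way, 16 is out of range).
CANDIDATES = [
    ("207.16.32.14", "tcp", 80),
    ("207.16.15.9",  "tcp", 23),
    ("207.16.16.14", "tcp", 53),
    ("207.16.14.7",  "tcp", 80),
    ("207.16.13.14", "tcp", 80),
]

def _u32(dotted):
    return int(ipaddress.IPv4Address(dotted))

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 0 bit in the wildcard must equal the
    network bit, a 1 bit is "don't care". 0.0.3.255 fixes the top six bits
    of the third octet: 12 = 0b000011xx, so 12, 13, 14 and 15 all match."""
    care = ~_u32(wildcard) & 0xFFFFFFFF
    return (_u32(addr) & care) == (_u32(network) & care)

def matched_range(network, wildcard):
    """First and last address an entry covers (here 207.16.12.0-207.16.15.255)."""
    n, w = _u32(network), _u32(wildcard)
    low = n & (~w & 0xFFFFFFFF)
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(low | w))

def acl_action(src, proto, dst_port):
    """Evaluate top-down; first matching entry wins, implicit deny at the end."""
    for action, aproto, net, wc, port in ACL:
        if aproto != "ip" and aproto != proto:
            continue
        if not wildcard_match(src, net, wc):
            continue
        if port is not None and port != dst_port:
            continue
        return action
    return "deny"

if __name__ == "__main__":
    print("deny entry covers", matched_range("207.16.12.0", "0.0.3.255"))
    for src, proto, port in CANDIDATES:
        print(f"{src:14} {proto}/{port:<3} -> {acl_action(src, proto, port)}")
```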


8 Replies


Some of the concepts in using access lists take some getting used to, especially how the wildcard masks are used to match IP addresses. I am glad that my explanation was helpful. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

HTH

Rick

It's the least I can do, accept the solution!!!

The explanation has been impeccable and I appreciate it

The truth is, since I am not an expert, I will be here more to ask than to help.

Again, thank you so much Richard

You are welcome. At this point you are not an expert and you will mostly ask questions. Over time as you learn more and more about networking I believe that you will also be able to offer help to others.

HTH

Rick

I hope so !!

CarlosFull
Level 1

Hi, do you want me to confess something to you??? I had not looked at the third octet of the IP in the ACL, I had only focused on the mask!!!!

That's why I didn't understand where 12, 13, 14 and 15 came from!! Buffffffff

Of course you have helped me to understand it, a lot. Thank you very much, Richard!!

Regards.

Sometimes it is good to confess things. It is interesting that you had focused on the mask and not on the third octet of the address. So now you have learned an important lesson.

Good luck as you continue to learn about networking.

HTH

Rick

And so much!! Next time I see a scenario/exercise like this, it will be the first thing I look at, the octet involved in the IP in question xD. Thanks again
