Newbie needs help understanding IP summarization.
09-26-2022 09:26 AM
So I'm taking a Network Defense course as part of my Cybersecurity training on Cisco's SkillsforAll platform, and I'm a bit confused about an example of Wildcard Mask calculation that they are giving me. The example goes like this:
"Assume you needed an ACE in ACL 10 to permit only networks 192.168.10.0 and 192.168.11.0. These two networks could be summarized as 192.168.10.0/23 which is a subnet mask of 255.255.254.0. Again, you subtract the 255.255.254.0 subnet mask from 255.255.255.255, as shown in the table. This solution produces the wildcard mask 0.0.1.255."
What has me confused is how we got those two networks to summarize into 192.168.10.0/23. I tried looking up examples of address summarization, but none of them seem to fit this example. Can someone explain to me how these two addresses got rolled into one? Thanks
09-26-2022 09:44 AM
192.168.10.0/24 host from .10 1-254 total number 256
192.168.11.0/24 host from .11 1-254 total number 256
192.168.10.0/23 host from total number 512
I usually use an online subnet calculator to check if the host is covered by the summary address I use
09-26-2022 10:05 AM
Hello @ted30 ,
>> Can someone explain to me how these two addresses got rolled into one? Thanks
My favourite approach is to go directly to binary on the interesting byte that in this case is the third one
192.168.10.0/24
192.168.11.0/24
we focus on the third octet or byte and we convert it in binary 10 = 00001010
In the same manner we convert 11 in binary : 11 = 00001011
Now it is clear that the two prefixes share the same first 23 bits and only the last bit (the least significant bit) of the third byte is different
So if you want to write an ACL that matches both prefixes you want an exact match on the first two bytes 192.168. and you want the first 7 bits of the third byte to match.
From this comes the fact that the ACL can be written as
permit 192.168.10.0 0.0.1.255
the 0 in the wildcard mask requires an exact match for the first two bytes and the 1 in third position means that the third octet can be 00001010 or 00001011.
The final byte has 255, meaning that every value is allowed and is a match.
Hope to help
Giuseppe
09-26-2022 02:49 PM - edited 09-26-2022 02:50 PM
Both @MHM Cisco World and @Giuseppe Larosa have provided great information, but if you understand subnetting, address summarization (and supernetting) is the "opposite".
For example we can subnet 192.168.4.0/24 into two /25s, 192.168.4.0/25 and 192.168.4.128/25, and those could be subnetted into two /26s, each, 192.168.4.0/26, 192.168.4.64/26 and 192.168.4.128/26, 192.168.4.192/26.
The "tricky" part of summarization (or supernetting) is NOT overlooking the binary boundaries. I.e. we can summarize the foregoing two /25s into the /24 or all four /26s into the /24, but we cannot summarize 192.168.4.64/26 and 192.168.4.128/26 into a /25.
Or, more specific in your case, you could not summarize 192.168.9.0/24 and 192.168.10.0/24 or 192.168.11.0/25 and 192.168.12.0 into a /23.
What MHM and Giuseppe show/describe are two ways to avoid creating incorrect summarization, but hopefully the above helps a bit to understand summarization is just the converse of subnetting.
Oh, and if you find subnet masks a bit confusing from wildcard masks, in binary, they are the ones and zeros opposites of each other. If a subnet mask is 11111110 (254), the wildcard mask would be 00000001 (1). IPv4 dotted decimal notation sort of "hides" that.
09-26-2022 05:27 PM
ted30,
Glad you are curious and interested in the concepts!
Here is a fundamental method of figuring out Route Summarization and Wildcard Masks.
Route Summarization - What Network bits match between the routes?
Use logical bitwise ANDing to compare the network bits.
                  |<----Network bits----->|
192.168.10.0/24 = 11000000.10101000.0000101 0.00000000 = Route 1
192.168.11.0/24 = 11000000.10101000.0000101 1.00000000 = Route 2
                  ------------------------------------
192.168.10.0/23 = 11000000.10101000.0000101 0.00000000 = Summarized Route
                  |<Matching Network bits>|
A Wildcard Mask is the inverse (opposite) of the Subnet Mask.
Take the binary subnet mask and flip each bit - Example: "1 to 0" or "0 to 1".
255.255.254.0 = 11111111.11111111.11111110.00000000 = Subnet Mask
0.0.1.255     = 00000000.00000000.00000001.11111111 = Wildcard Mask
@MHM Cisco World, @Giuseppe Larosa, and @Joseph W. Doherty have all posted similar and additional information.
Remember to mark helpful posts and mark the correct answer as a solution - that helps other users with similar questions.
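The checks discussed in this thread, as an added example that is not code from any of the posters: it uses Python's standard `ipaddress` module to test whether a set of networks summarizes exactly on a binary boundary, derives the wildcard mask, and lists what a too-wide summary would additionally permit in an ACL. The function names are hypothetical.

```python
import ipaddress

def exact_summary(cidrs):
    """Single prefix covering exactly these networks, or None if none exists."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    merged = list(ipaddress.collapse_addresses(nets))
    return merged[0] if len(merged) == 1 else None

def covering_prefix(cidrs):
    """Smallest single prefix containing every network (may over-match)."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    cover = nets[0]
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()          # drop one prefix bit and retry
    return cover

def extra_networks(cidrs):
    """Networks the covering prefix matches that were never intended."""
    wanted = ipaddress.collapse_addresses(ipaddress.ip_network(c) for c in cidrs)
    remaining = [covering_prefix(cidrs)]
    for w in wanted:
        nxt = []
        for r in remaining:
            if w == r:
                continue                   # fully intended, nothing left over
            if w.subnet_of(r):
                nxt.extend(r.address_exclude(w))
            else:
                nxt.append(r)
        remaining = nxt
    return [str(n) for n in sorted(remaining)]

def ace(net):
    """ACE in the thread's form: permit <network> <wildcard mask>."""
    return f"permit {net.network_address} {net.hostmask}"

if __name__ == "__main__":
    for group in (["192.168.10.0/24", "192.168.11.0/24"],   # from the course text
                  ["192.168.9.0/24", "192.168.10.0/24"]):   # crosses a boundary
        exact = exact_summary(group)
        if exact:
            print(group, "->", ace(exact))
        else:
            cover = covering_prefix(group)
            print(group, "-> no exact summary;", ace(cover),
                  "would also permit", extra_networks(group))
```

For the boundary-crossing pair, the only single ACE that matches both networks is a /22, which also permits 192.168.8.0/24 and 192.168.11.0/24; two separate ACEs avoid that.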
