RE: Summarizing Access-lists

From: Scott Morris (swm@emanon.com)
Date: Sun Nov 23 2003 - 13:36:49 GMT-3


You would have to look at everything at the bit level to understand
what's going on. Per your example:

> access-list 10 permit 133.6.11.0 0.0.0.127
> access-list 10 permit 135.16.171.0 0.0.0.255
> access-list 10 permit 172.60.51.0 0.0.0.127
> access-list 10 permit 121.15.120.0 0.0.0.31
> access-list 10 permit 112.59.9.0 0.0.0.255

Treating common things together is important:

133.6.11.0/25
172.60.51.0/25

133 10000101
172 10101100
------------
Msk 00101001 = 3 bits difference

Just looking at that one octet alone, in order to summarize them, you'll
get eight possible matches for your summary. That's NOT counting the
other two octets yet (6 & 60) and (11 & 51), which each have multiple
bits as well.

135.16.171.0/24
112.59.9.0/24

Again, the same holds true...

112 01110000
135 10000111
--------------
Msk 11110111 = 7 bits of difference

Looking at that, you will have 128 possible matches just in that octet
alone.

I'm not sure who created these particular networks. But you have to
address everything at the bit level and compare things that are similar
in nature! If you have too many bits of difference, you have too many
possible values. With the networks you have listed, the most concise
representation of those networks together (least number of lines) is
exactly how it is written now.

If you wish to lump them together, you'll get so many extra networks
permitted as well, that you may as well just do an "access-list 10
permit any"...

 
Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713,
CISSP, JNCIS, et al.
IPExpert CCIE Program Manager
IPExpert Sr. Technical Instructor
swm@emanon.com/smorris@ipexpert.net
http://www.ipexpert.net
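The bit-level comparison Scott walks through above, carried out in code so the numbers can be checked. This is an added example, not code from the original thread or from any vendor; it assumes standard-ACL wildcard semantics (a 1 bit in the wildcard means "don't care") and that the listed entries do not overlap, so the address count the original lines intend is the plain sum. Function and variable names are the example's own.

```python
import ipaddress

# Constructed input: the five entries from the thread as (network, wildcard) pairs.
ACL_10 = [
    ("133.6.11.0", "0.0.0.127"),
    ("135.16.171.0", "0.0.0.255"),
    ("172.60.51.0", "0.0.0.127"),
    ("121.15.120.0", "0.0.0.31"),
    ("112.59.9.0", "0.0.0.255"),
]


def to_int(dotted):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value):
    """32-bit integer -> dotted-quad string."""
    return str(ipaddress.IPv4Address(value))


def octet_compare(a, b):
    """XOR two octets the way the post does: returns the differing-bit
    pattern as an 8-character string and the number of bits that differ."""
    diff = a ^ b
    return format(diff, "08b"), bin(diff).count("1")


def single_wildcard_summary(entries):
    """Smallest single 'network wildcard' pair that matches every entry.
    A wildcard bit must be 1 wherever any entry's own wildcard is 1 or
    wherever two entries disagree; the network keeps only the bits that
    are fixed across all entries."""
    base = to_int(entries[0][0])
    wildcard = 0
    for addr, wc in entries:
        wildcard |= to_int(wc) | (to_int(addr) ^ base)
    network = base & ~wildcard & 0xFFFFFFFF
    return to_dotted(network), to_dotted(wildcard)


def matched_addresses(wildcard):
    """Each 1 bit in a wildcard doubles the number of addresses matched."""
    return 1 << bin(to_int(wildcard)).count("1")


def intended_addresses(entries):
    """Addresses the original lines permit (assumes entries do not overlap)."""
    return sum(matched_addresses(wc) for _, wc in entries)


def extra_addresses(entries):
    """Addresses a one-line summary would permit beyond what was asked for."""
    _, wildcard = single_wildcard_summary(entries)
    return matched_addresses(wildcard) - intended_addresses(entries)


def acl_line(number, network, wildcard):
    """Render a standard ACL permit line."""
    return f"access-list {number} permit {network} {wildcard}"


if __name__ == "__main__":
    # The two single-octet comparisons from the post.
    for a, b in ((133, 172), (112, 135)):
        bits, count = octet_compare(a, b)
        print(f"{a:3} vs {b:3}: {bits} = {count} bits differ, {1 << count} values")

    # Merging just the two /25 entries, then all five.
    pair = [ACL_10[0], ACL_10[2]]
    for label, entries in (("two /25s", pair), ("all five", ACL_10)):
        net, wc = single_wildcard_summary(entries)
        print(f"{label}: {acl_line(10, net, wc)}")
        print(f"  intended {intended_addresses(entries)} addresses, "
              f"summary matches {matched_addresses(wc)}, "
              f"extra {extra_addresses(entries)}")
```

Merging only the two /25 entries already produces a wildcard of 41.58.56.127, which opens 2^17 addresses instead of the 256 requested; merging all five yields 0.0.0.0 255.63.251.255, which is the "may as well permit any" outcome the reply describes.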

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Edward Agostinho
Sent: Sunday, November 23, 2003 11:12 AM
To: Jonathan V Hays; ccielab@groupstudy.com
Subject: Re: Summarizing Access-lists

Thanks Jonathan but it still doesn't answer my question or am I
understanding it wrong?

Brian's examples use common /24 subnets... my question is, what if they
are not common /24 but mixtures of /24, /25, /27 masks. Or doesn't it
matter?

Edward

----- Original Message -----
From: "Jonathan V Hays" <jhays@jtan.com>
To: "'Edward Agostinho'" <edward@ceg.co.za>; <ccielab@groupstudy.com>
Sent: Sunday, November 23, 2003 5:15 PM
Subject: RE: Summarizing Access-lists

> Check out this excellent post from Brian McGahan.
>
> http://www.groupstudy.com/archives/ccielab/200303/msg01685.html
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> Of Edward Agostinho
> Sent: Sunday, November 23, 2003 9:58 AM
> To: ccielab@groupstudy.com
> Subject: Summarizing Access-lists
>
>
> Hi group
>
> How do we summarize access-lists with different subnet masks.
>
> Let's assume you are requested to summarize the following in the least
> amount of lines:
>
> access-list 10 permit 133.6.11.0 0.0.0.127
> access-list 10 permit 135.16.171.0 0.0.0.255
> access-list 10 permit 172.60.51.0 0.0.0.127
> access-list 10 permit 121.15.120.0 0.0.0.31
> access-list 10 permit 112.59.9.0 0.0.0.255
>
> Do I attempt to summarize:
>
> access-list 10 permit 133.6.11.0 0.0.0.127
> access-list 10 permit 172.60.51.0 0.0.0.127
>
> and
>
> access-list 10 permit 135.16.171.0 0.0.0.255
> access-list 10 permit 112.59.9.0 0.0.0.255
>
> and leave
>
> access-list 10 permit 121.15.120.0 0.0.0.31
>
> or do I ignore the masks and do a normal AND and XOR with the network
> portion of the addresses?
>
> I know how to summarize them if they all use /24 as the examples given
> by the rest of the group but never seen one with different subnet
> masks?
>
> Thanks
>
> Edward
>



This archive was generated by hypermail 2.1.4 : Fri Dec 12 2003 - 12:29:16 GMT-3