From: Michael Snyder (msnyder@revolutioncomputer.com)
Date: Sun Nov 23 2003 - 17:09:20 GMT-3
It does matter. You can't summarize different masks together mainly
because the final answer has to have the largest scope of any single
statement that made that summary.

I mean, if your networks were a 10.1.1.1/8 and a 10.2.1.1/30, you know
there's no way for the subnets to blend together, so just by looking, the
answer will be at least a /8 or maybe even a greater scope.
> access-list 10 permit 133.6.11.0 0.0.0.127
> access-list 10 permit 135.16.171.0 0.0.0.255
> access-list 10 permit 172.60.51.0 0.0.0.127
> access-list 10 permit 121.15.120.0 0.0.0.31
> access-list 10 permit 112.59.9.0 0.0.0.255
In this example, the different masks are meant to throw you off. The
answer has to be at least a /24.

So let's normalize the list:
133.6.11.0
135.16.171.0
172.60.51.0
121.15.120.0
112.59.9.0
Now, using Windows calc in decimal mode, let's do some octet equations.
First we'll check the first octet for a common network. If there isn't a
common network, then the granddaddy of all summaries is the single-line
answer, 0.0.0.0/0.

133&135&172&121&112=0, which means there's no common network for a
one-line answer, other than a default network.

There are only 5 networks, so let's check pairs for common networks.
133&135 = 133, there's a common network.
Just checking against the others, 133&172=132, another common network.
Note that we're using the result of the preceding common network check
to check against the next network.
Using 132&121=0; no good.
Checking 132&112=0; also no good.
Maybe 121&112 are common to each other. 121&112=112, which means we can
have a two line solution. The first three networks, then the next two.
BTW, after the fact we could use a different subnet now that we know we
will have two lines. Remember we normalized on /24. Had both 121 and
112 been /27 we could have used /27 for them in the second statement.
But in this case the largest scope for both network summary statements
is still a /24.
A summary is defined as the networks `and` together for the common
network, then the values `or` together. Then take the two results and
`xor` for the wildcard mask.
You do one octet column at a time.
133.6.11.0
135.16.171.0
172.60.51.0
(133&135&172) xor (133|135|172)
answer 132, 132 xor 175
answer network 132 wildcard 43
Next octet,
(6&16&60) xor (6|16|60)
Network 0, 0 xor 62
Answer network 0 wildcard 62
Third octet
(11&171&51) xor (11|171|51)
Network 3, wildcard 184
Putting the answers together,
132.0.3.0 43.62.184.255
Applying the same treatment to
121.15.120.0
112.59.9.0
results in
112.11.8.0 9.52.113.255
My final answer
access-list 10 permit 132.0.3.0 43.62.184.255
access-list 10 permit 112.11.8.0 9.52.113.255
Checking my answer with the Boson wildcard util.
IP Address: 112.11.8.0
Wildcard mask: 9.52.113.255
First Octet Match(es)
112- 113
120- 121
Second Octet Match(es)
11
15
27
31
43
47
59
63
Third Octet Match(es)
8- 9
24- 25
40- 41
56- 57
72- 73
88- 89
104- 105
120- 121
Fourth Octet Match(es)
0- 255
IP Address: 132.0.3.0
Wildcard mask: 43.62.184.255
First Octet Match(es)
132- 135
140- 143
164- 167
172- 175
Second Octet Match(es)
0
2
4
6
8
10
12
14
16
18
20
22
24
26
28
30
32
34
36
38
40
42
44
46
48
50
52
54
56
58
60
62
Third Octet Match(es)
3
11
19
27
35
43
51
59
131
139
147
155
163
171
179
187
Fourth Octet Match(es)
0- 255
BTW, I have posted instructions for the decimal subnet method lately on
Groupstudy, just search for my posts in the last few weeks.
-----Original Message-----
From: Jonathan V Hays [mailto:jhays@jtan.com]
Sent: Sunday, November 23, 2003 10:24 AM
To: 'Edward Agostinho'; ccielab@groupstudy.com
Subject: RE: Summarizing Access-lists
It doesn't matter. Everything is done at the bit level.
-----Original Message-----
From: Edward Agostinho [mailto:edward@ceg.co.za]
Sent: Sunday, November 23, 2003 11:12 AM
To: Jonathan V Hays; ccielab@groupstudy.com
Subject: Re: Summarizing Access-lists
Thanks Jonathan but it still doesn't answer my question or am I
understanding it wrong?
Brian's examples use common /24 subnets....my question is, what if they
are not common /24 but mixtures of /24, /25, /27 masks. Or doesn't it
matter?
Edward
----- Original Message -----
From: "Jonathan V Hays" <jhays@jtan.com>
To: "'Edward Agostinho'" <edward@ceg.co.za>; <ccielab@groupstudy.com>
Sent: Sunday, November 23, 2003 5:15 PM
Subject: RE: Summarizing Access-lists
> Check out this excellent post from Brian McGahan.
>
> http://www.groupstudy.com/archives/ccielab/200303/msg01685.html
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Edward Agostinho
> Sent: Sunday, November 23, 2003 9:58 AM
> To: ccielab@groupstudy.com
> Subject: Summarizing Access-lists
>
>
> Hi group
>
> How do we summarize access-lists with different subnet masks.
>
> Let's assume you are requested to summarize the following in the least
> amount of lines:
>
> access-list 10 permit 133.6.11.0 0.0.0.127
> access-list 10 permit 135.16.171.0 0.0.0.255
> access-list 10 permit 172.60.51.0 0.0.0.127
> access-list 10 permit 121.15.120.0 0.0.0.31
> access-list 10 permit 112.59.9.0 0.0.0.255
>
> Do I attempt to summarize:
>
> access-list 10 permit 133.6.11.0 0.0.0.127
> access-list 10 permit 172.60.51.0 0.0.0.127
>
> and
>
> access-list 10 permit 135.16.171.0 0.0.0.255
> access-list 10 permit 112.59.9.0 0.0.0.255
>
> and leave
>
> access-list 10 permit 121.15.120.0 0.0.0.31
>
> or do I ignore the masks and do a normal AND and XOR with the network
> portion of the addresses?
>
> I know how to summarize them if they all use /24 as the examples given
> by the rest of the group but never seen one with different subnet masks?
>
> Thanks
>
> Edward
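
The per-octet AND / OR / XOR method from the top message in this thread, as an added example that is not part of the original posts. It reproduces both summary lines and counts how many /24 networks each wildcard entry permits, which is what the wildcard-utility listings show; the function names and the two test addresses are made up for illustration.

```python
# Added example (not from the thread): per-octet AND / OR / XOR summary,
# plus how much wider the resulting ACL entry is than the networks it replaces.

def summarize(networks, scope="0.0.0.255"):
    """Summarize dotted networks into (base, wildcard). `scope` is the
    normalized host wildcard (the post normalizes every entry to /24)."""
    rows = [[int(o) for o in n.split(".")] for n in networks]
    base, wild = [], []
    for col, s in zip(zip(*rows), (int(o) for o in scope.split("."))):
        a = o = col[0]
        for v in col[1:]:
            a &= v                    # bits set in every network
            o |= v                    # bits set in at least one network
        w = (a ^ o) | s               # differing bits become "don't care"
        base.append(a & ~w & 0xFF)
        wild.append(w)
    return ".".join(map(str, base)), ".".join(map(str, wild))

def matches(addr, base, wildcard):
    """True if addr is permitted: every bit outside the wildcard equals base."""
    for x, b, w in zip(addr.split("."), base.split("."), wildcard.split(".")):
        if (int(x) ^ int(b)) & ~int(w) & 0xFF:
            return False
    return True

def matched_24s(wildcard):
    """Distinct /24 networks matched: 2 ** (wildcard bits in octets 1-3)."""
    bits = sum(bin(int(o)).count("1") for o in wildcard.split(".")[:3])
    return 2 ** bits

GROUP_A = ["133.6.11.0", "135.16.171.0", "172.60.51.0"]   # from the post
GROUP_B = ["121.15.120.0", "112.59.9.0"]                  # from the post

if __name__ == "__main__":
    for group in (GROUP_A, GROUP_B):
        base, wild = summarize(group)
        print(f"access-list 10 permit {base} {wild}")
        print(f"  intended /24s: {len(group)}, matched /24s: {matched_24s(wild)}")
        assert all(matches(n, base, wild) for n in group)
    # Constructed address outside the three original networks, still permitted:
    print(matches("140.2.19.77", *summarize(GROUP_A)))
```

The two summary lines permit 8192 and 512 /24 networks in place of the original three and two, so a review of a summarized permit list should weigh that widening against the saved lines.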
This archive was generated by hypermail 2.1.4 : Fri Dec 12 2003 - 12:29:16 GMT-3