From: Michael Snyder (msnyder@revolutioncomputer.com)
Date: Mon Nov 24 2003 - 00:13:50 GMT-3
Yes.

If you think of a single network and continuous subnet mask, then you
have a block of IP addresses.

If you include more than one block of addresses in a supernet, then the
supernet has to be a greater scope than the original scope.

While our summaries are using discontinuous masks, they still obey the
same rules: something smaller has to go into something larger for it to
fit.

BTW, the reason I use the concept of scopes is because the mask slash
values confuse the issue. It's simpler to say a network mask with a
larger scope has more addresses than a network mask with a smaller
scope, which has fewer addresses.
-----Original Message-----
From: Edward Agostinho [mailto:edward@ceg.co.za]
Sent: Sunday, November 23, 2003 4:02 PM
To: Scott Morris; ccielab@groupstudy.com; Michael Snyder
Cc: 'Jonathan V Hays'
Subject: Re: Summarizing Access-lists
Scott / Michael
Thanks for the explanations....The access-list was one that I just
thought out to bring the point of different subnet masks across.
I understand the principle now.
Michael
You mentioned that the answer needs to be at least a /24. Is that
because the largest subnet size is a /24? If there was a /16 in the
access-list would the answer need to be a /16?
Thanks again
Edward
----- Original Message -----
From: "Michael Snyder" <msnyder@revolutioncomputer.com>
To: <ccielab@groupstudy.com>
Cc: "'Edward Agostinho'" <edward@ceg.co.za>; "'Jonathan V Hays'"
<jhays@jtan.com>
Sent: Sunday, November 23, 2003 10:09 PM
Subject: RE: Summarizing Access-lists
>
> It does matter. You can't summarize different masks together mainly
> because the final answer has to have the largest scope of any single
> statement that made that summary.
>
> I mean, if your networks were a 10.1.1.1/8 and a 10.2.1.1/30, you know
> there's no way for the subnets to blend together, so just by looking, the
> answer will be at least a /8 or maybe even a greater scope.
>
>
> > access-list 10 permit 133.6.11.0 0.0.0.127
> > access-list 10 permit 135.16.171.0 0.0.0.255
> > access-list 10 permit 172.60.51.0 0.0.0.127
> > access-list 10 permit 121.15.120.0 0.0.0.31
> > access-list 10 permit 112.59.9.0 0.0.0.255
>
> In this example, the different masks are meant to throw you off. The
> answer has to be at least a /24.
>
> So let's normalize the list,
>
> 133.6.11.0
> 135.16.171.0
> 172.60.51.0
> 121.15.120.0
> 112.59.9.0
>
> Now using Windows calc in decimal mode, let's do some octet equations.
>
>
> First we'll check the first octet for a common network. If there isn't a
> common network, then the granddaddy of all summaries is the single line
> answer. 0.0.0.0/0
>
> 133&135&172&121&112=0, which means there's no common network for a one
> line answer, other than a default network.
>
> There's only 5 networks, so let's check pairs for common networks.
>
> 133&135 = 133, there's a common network.
>
> Just checking against the others, 133&172=132, another common network.
>
> Note that we're using the result of the preceding common network check
> to check against the next network.
>
> Using 132&121=0; no good.
>
> Checking 132&112=0; also no good.
>
> Maybe 121&112 are common to each other. 121&112=112, which means we can
> have a two line solution. The first three networks, then the next two.
>
> BTW, after the fact we could use a different subnet now that we know we
> will have two lines. Remember we normalized on /24. Had both 121 and
> 112 been /27 we could have used /27 for them in the second statement.
> But in this case the largest scope for both network summary statements
> is still a /24.
>
>
>
> A summary is defined as the networks `and` together for the common
> network, then the values `or` together. Then take the two results and
> `xor` for the wildcard mask.
>
> You do one octet column at a time.
>
> 133.6.11.0
> 135.16.171.0
> 172.60.51.0
>
> (133&135&172) xor (133|135|172)
>
> answer 132, 132 xor 175
>
> answer network 132 wildcard 43
>
>
> Next octet,
>
> (6&16&60) xor (6|16|60)
>
> Network 0, 0 xor 62
>
> Answer network 0 wildcard 62
>
>
> Third octet
>
> (11&171&51) xor (11|171|51)
>
> Network 3, wildcard 184
>
>
> Putting the answers together,
>
> 132.0.3.0 43.62.184.255
>
> Applying the same treatment to
>
>
> 121.15.120.0
> 112.59.9.0
>
> results as
>
> 112.11.8.0 9.52.113.255
>
>
>
> My final answer
>
>
> access-list 10 permit 132.0.3.0 43.62.184.255
> access-list 10 permit 112.11.8.0 9.52.113.255
>
>
> Checking my answer with Boson wildcard util.
>
>
>
>
> IP Address: 112.11.8.0
> Wildcard mask: 9.52.113.255
>
> First Octet Match(es)
> 112- 113
> 120- 121
>
>
> Second Octet Match(es)
> 11
> 15
> 27
> 31
> 43
> 47
> 59
> 63
>
>
> Third Octet Match(es)
> 8- 9
> 24- 25
> 40- 41
> 56- 57
> 72- 73
> 88- 89
> 104- 105
> 120- 121
>
>
> Fourth Octet Match(es)
> 0- 255
>
>
> IP Address: 132.0.3.0
> Wildcard mask: 43.62.184.255
>
> First Octet Match(es)
> 132- 135
> 140- 143
> 164- 167
> 172- 175
>
>
> Second Octet Match(es)
> 0
> 2
> 4
> 6
> 8
> 10
> 12
> 14
> 16
> 18
> 20
> 22
> 24
> 26
> 28
> 30
> 32
> 34
> 36
> 38
> 40
> 42
> 44
> 46
> 48
> 50
> 52
> 54
> 56
> 58
> 60
> 62
>
>
> Third Octet Match(es)
> 3
> 11
> 19
> 27
> 35
> 43
> 51
> 59
> 131
> 139
> 147
> 155
> 163
> 171
> 179
> 187
>
>
> Fourth Octet Match(es)
> 0- 255
>
>
> BTW, I have posted instructions for the decimal subnet method lately on
> Groupstudy, just search for my posts in the last few weeks.
>
>
> -----Original Message-----
> From: Jonathan V Hays [mailto:jhays@jtan.com]
> Sent: Sunday, November 23, 2003 10:24 AM
> To: 'Edward Agostinho'; ccielab@groupstudy.com
> Subject: RE: Summarizing Access-lists
>
> It doesn't matter. Everything is done at the bit level.
>
> -----Original Message-----
> From: Edward Agostinho [mailto:edward@ceg.co.za]
> Sent: Sunday, November 23, 2003 11:12 AM
> To: Jonathan V Hays; ccielab@groupstudy.com
> Subject: Re: Summarizing Access-lists
>
>
> Thanks Jonathan but it still doesn't answer my question or am I
> understanding it wrong?
>
> Brian's examples use common /24 subnets....my question is, what if they
> are not common /24 but mixtures of /24, /25, /27 masks. Or doesn't it
> matter?
>
> Edward
>
> ----- Original Message -----
> From: "Jonathan V Hays" <jhays@jtan.com>
> To: "'Edward Agostinho'" <edward@ceg.co.za>; <ccielab@groupstudy.com>
> Sent: Sunday, November 23, 2003 5:15 PM
> Subject: RE: Summarizing Access-lists
>
>
> > Check out this excellent post from Brian McGahan.
> >
> > http://www.groupstudy.com/archives/ccielab/200303/msg01685.html
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Edward Agostinho
> > Sent: Sunday, November 23, 2003 9:58 AM
> > To: ccielab@groupstudy.com
> > Subject: Summarizing Access-lists
> >
> >
> > Hi group
> >
> > How do we summarize access-lists with different subnet masks?
> >
> > Let's assume you are requested to summarize the following in the least
> > amount of lines:
> >
> > access-list 10 permit 133.6.11.0 0.0.0.127
> > access-list 10 permit 135.16.171.0 0.0.0.255
> > access-list 10 permit 172.60.51.0 0.0.0.127
> > access-list 10 permit 121.15.120.0 0.0.0.31
> > access-list 10 permit 112.59.9.0 0.0.0.255
> >
> > Do I attempt to summarize:
> >
> > access-list 10 permit 133.6.11.0 0.0.0.127
> > access-list 10 permit 172.60.51.0 0.0.0.127
> >
> > and
> >
> > access-list 10 permit 135.16.171.0 0.0.0.255
> > access-list 10 permit 112.59.9.0 0.0.0.255
> >
> > and leave
> >
> > access-list 10 permit 121.15.120.0 0.0.0.31
> >
> > or do I ignore the masks and do a normal AND and XOR with the network
> > portion of the addresses?
> >
> > I know how to summarize them if they all use /24 as the examples given
> > by the rest of the group but never seen one with different subnet masks?
> >
> > Thanks
> >
> > Edward
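
The AND/OR/XOR summary walked through in this thread, as an added Python example that is not part of any post: it works on whole 32-bit addresses (equivalent to one octet at a time) and folds each entry's own wildcard into the calculation instead of normalizing to /24 by hand, which gives the same two lines here. It also counts the addresses each summary line permits against the entries it replaces; the helper names and the test address 140.2.19.7 are constructed for the example.

```python
import ipaddress

# The five entries from the question in this thread: (address, wildcard mask).
ACL = [("133.6.11.0", "0.0.0.127"), ("135.16.171.0", "0.0.0.255"),
       ("172.60.51.0", "0.0.0.127"), ("121.15.120.0", "0.0.0.31"),
       ("112.59.9.0", "0.0.0.255")]
FULL = 0xFFFFFFFF

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def to_dotted(value):
    return str(ipaddress.IPv4Address(value))

def summarize(entries):
    """AND the lowest addresses, OR the highest, XOR the results for the wildcard."""
    low, high = FULL, 0
    for addr, wild in entries:
        a, w = to_int(addr), to_int(wild)
        low &= a & ~w & FULL   # lowest address the line matches
        high |= a | w          # highest address the line matches
    return to_dotted(low), to_dotted(low ^ high)

def matches(ip, addr, wild):
    """Wildcard match: bits set in the wildcard are ignored in the comparison."""
    return (to_int(ip) ^ to_int(addr)) & ~to_int(wild) & FULL == 0

def address_count(wild):
    """Every wildcard bit doubles the number of addresses one line matches."""
    return 2 ** bin(to_int(wild)).count("1")

def audit(entries):
    """Summarize, confirm coverage, and compare address counts before and after."""
    net, wild = summarize(entries)
    # Covered when the fixed bits agree and the summary ignores every bit the entry ignores.
    covered = all(matches(a, net, wild) and to_int(w) & ~to_int(wild) & FULL == 0
                  for a, w in entries)
    before = sum(address_count(w) for _, w in entries)  # entries here do not overlap
    return {"line": f"access-list 10 permit {net} {wild}", "covers_all": covered,
            "before": before, "after": address_count(wild)}

if __name__ == "__main__":
    for group in (ACL[:3], ACL[3:]):   # the two groups chosen in the thread
        print(audit(group))
    # Constructed address outside every original entry that the summary still permits:
    print(matches("140.2.19.7", "132.0.3.0", "43.62.184.255"))
```

For the first group the three entries cover 512 addresses while the summary line matches 2,097,152, which is the extra reach visible in the Boson output quoted above.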
This archive was generated by hypermail 2.1.4 : Fri Dec 12 2003 - 12:29:16 GMT-3