Skip navigation
Cisco Learning Home > Learning Center > Discussions

_Communities

This Question is Not Answered 1 Correct Answer available (4 pts) 2 Helpful Answers available (2 pts)
1186 Views 21 Replies Latest reply: Apr 4, 2012 2:26 PM by DelVonte RSS 1 2 Previous Next

Currently Being Moderated

ACL's summarization..... Again

Apr 3, 2012 11:07 AM

Hey guys,

 

 

 

I have another question about summarization of acls.

 

So I have,

 

Deny addresses from 172.22.75.8 - 172.22.75.127

 

8 binary- 00001000

127 binary-01111111

 

I'm thinking it would be

 

01111000 =120

or

0.0.0.120 for the wild card mask

 

Is this part right?

 

 

 

Now I would start at the source addresses of 172.22.75.8 ..... Not the 172.22.75.0

------------------------------------------------------------------------------------------------------------------

 

Or should I just do

 

permit addresses 172.22.75.0 -.7 with 172.22.75.0 0.0.0.7

 

then

 

deny addresses 172.22.75.0 - 127 with 172.22.75.0 0.0.0.127

 

since the first one is done first this will still work

 

 

Thanks,

 

 

Dean

  • Currently Being Moderated
    1. Apr 3, 2012 11:10 AM (in response to Cameron Hughes)
    Re: ACL's summarization..... Again

    If in the wildcard mask the 1s are don't cares, and the 0s are matched, and the source address/mask pair is 172.22.75.8 0.0.0.120, then you have:

     

    00001000

    01111000

     

    0xxxx000  ----> you would never have odd numbers that are matched.

     

    That would give you even values of binary:

     

    00001000

    00010000

    00011000

    00100000

    00101000

    00110000

    00111000

    01000000

    .............

    01111000

     

    Which is 8, 16, 24, 32, 40, 48, 56, 64, 72, ... , 120. So I could be wrong, but I think the mask would be 01110111, which translates to 119.

     

    That way, the 4th and 8th bit positions have to be matched as the source address. It would start at 8 and go up to 127.

     

    Regards,

    DelVonte

  • m1xed0s 64 posts since
    Oct 24, 2010
    Currently Being Moderated
    2. Apr 3, 2012 11:19 AM (in response to Cameron Hughes)
    Re: ACL's summarization..... Again

    I would do something like this:

     

    ip access-list deny ip network 172.22.75.0 0.0.0127 any

     

    I might be wrong but I do not think you can use single wildcard mask to match exact number of 120 ip addresses.

  • Currently Being Moderated
    3. Apr 3, 2012 11:14 AM (in response to Cameron Hughes)
    Re: ACL's summarization..... Again

    The two statements would work as well, and they would be easier to understand.

  • sambotech12 727 posts since
    Apr 3, 2012
    Currently Being Moderated
    6. Apr 3, 2012 1:21 PM (in response to Cameron Hughes)
    Re: ACL's summarization..... Again

    Hey,

     

    If your acl statement is

     

    deny 172.22.75.0 0.0.0.120

     

    I think you're blocking hosts where, in the last octet, bits 4-7 can be either 1 or 0, AND bits 1-3 and 8 have to be 0.  Besides that, if the only statement in you're ACL is to deny, nothing will pass.  I think you need a couple of statements in an ACL to block a range of addresses such as 172.22.75.8 - 172.22.75.127 such as

     

    permit 172.22.75.0 0.0.0.7

    permit 172.22.75.128 0.0.0.127

     

    The implicit 'deny any' will block the addresses 172.22.75.8 - 172.22.75.127 so you don't need a deny statement.

     

    Good luck,

     

    sambotech12

  • Currently Being Moderated
    7. Apr 3, 2012 12:12 PM (in response to Cameron Hughes)
    Re: ACL's summarization..... Again

    Sorry Dean, I'm not sure I understand what you wrote in this last message.

     

    Its all based on matching bits. If you want to start off at 8, thats fine, but if your mask was 120, your source address/mask pair would exclude all odd numbers because of the 0 in the 1st bit of the mask. Every address would then need to have a 0 in the 1st bit in order to be matched by the mask.

     

    Also, since there are zeroes in th 2nd and 3rd bit positions as well, that also makes all sourced addreses a factor of 8. Each source address would need zeroes in the 1st 3 bit positions to be matched.

     

    So what I'm guessing you want, and why I came to 119, is that you want it to start at 8, so that bit is set at sero. Then you want it to be less than 128, so that bit is also set at zero.

     

    Which means the other bit positions are 1s, don't cares. I did this in binary first, then converted to decimal.

  • Currently Being Moderated
    8. Apr 3, 2012 12:28 PM (in response to Cameron Hughes)
    Re: ACL's summarization..... Again

    Also, you may want to post these types of questions in one of the higher-up forums, that way you get more insight from some of the CCIEs. Most of us never use these types of ACLs, and they are rarely (if ever) tested on in the Associate and Professional certs. It is more theoretical, and not best practice.

  • Currently Being Moderated
    12. Apr 3, 2012 12:56 PM (in response to Cameron Hughes)
    Re: ACL's summarization..... Again

    Maybe we are not on the same page as far as bit positions go, I'm reading from right to left.  On the far left is the 8th bit, and the far right is the 1st bit.

     

    The first bit controls even and odd, as it is either 0 or 1, in binary and decimal.

     

    So if I had 119, then it would be 01110111 in binary.

     

    With the wildcard mask, it would ignore the 1s and focus on the 0s. The 0s would be required to match the source address, which in this case is 8 for the 4th octet, or 00001000.

     

    So the only values that have to be matched are the 8th bit and 4th bit. Like so:

     

    00001000 = 8

    01110111 = 119 mask

     

    0xxx1xxx ------> Every source address has to have this bit pattern in the 4th octet. That would give you a range of possible values between 8 and 127.

     

    Regards,

    DelVonte

     

    Message was edited by: DelVonte to avoid confusion

Actions

More Like This

  • Retrieving data ...

Bookmarked By (0)