1 2 Previous Next 21 Replies Latest reply: Apr 4, 2012 2:26 PM by DelVonte RSS

    ACL's summarization..... Again

    Cameron Hughes

      Hey guys,




      I have another question about summarization of acls.


      So I have,


      Deny addresses from -


      8 binary- 00001000

      127 binary-01111111


      I'm thinking it would be


      01111000 =120

      or for the wild card mask


      Is this part right?




      Now I would start at the source addresses of ..... Not the



      Or should I just do


      permit addresses -.7 with




      deny addresses - 127 with


      since the first one is done first this will still work







        • 1. Re: ACL's summarization..... Again

          If in the wildcard mask the 1s are don't cares, and the 0s are matched, and the source address/mask pair is, then you have:





          0xxxx000  ----> you would never have odd numbers that are matched.


          That would give you even values of binary:













          Which is 8, 16, 24, 32, 40, 48, 56, 64, 72, ... , 120. So I could be wrong, but I think the mask would be 01110111, which translates to 119.


          That way, the 4th and 8th bit positions have to be matched as the source address. It would start at 8 and go up to 127.




          • 2. Re: ACL's summarization..... Again

            I would do something like this:


            ip access-list deny ip network 0.0.0127 any


            I might be wrong but I do not think you can use single wildcard mask to match exact number of 120 ip addresses.

            • 3. Re: ACL's summarization..... Again

              The two statements would work as well, and they would be easier to understand.

              • 4. Re: ACL's summarization..... Again
                Cameron Hughes




                Yes you are right but you need to first put in the permit 0-7 cmd. then the deny 8-127.





                • 5. Re: ACL's summarization..... Again
                  Cameron Hughes

                  I agree with you  about the 2 cmds being easier and better to see but

                  8 would be counted as well.


                  so 120....... 8=1 9=2 10=3 .... 17=10 ......10*12 =120 from 17 =127


                  so 127=120    Right?




                  • 6. Re: ACL's summarization..... Again



                    If your acl statement is




                    I think you're blocking hosts where, in the last octet, bits 4-7 can be either 1 or 0, AND bits 1-3 and 8 have to be 0.  Besides that, if the only statement in you're ACL is to deny, nothing will pass.  I think you need a couple of statements in an ACL to block a range of addresses such as - such as





                    The implicit 'deny any' will block the addresses - so you don't need a deny statement.


                    Good luck,



                    • 7. Re: ACL's summarization..... Again

                      Sorry Dean, I'm not sure I understand what you wrote in this last message.


                      Its all based on matching bits. If you want to start off at 8, thats fine, but if your mask was 120, your source address/mask pair would exclude all odd numbers because of the 0 in the 1st bit of the mask. Every address would then need to have a 0 in the 1st bit in order to be matched by the mask.


                      Also, since there are zeroes in th 2nd and 3rd bit positions as well, that also makes all sourced addreses a factor of 8. Each source address would need zeroes in the 1st 3 bit positions to be matched.


                      So what I'm guessing you want, and why I came to 119, is that you want it to start at 8, so that bit is set at sero. Then you want it to be less than 128, so that bit is also set at zero.


                      Which means the other bit positions are 1s, don't cares. I did this in binary first, then converted to decimal.

                      • 8. Re: ACL's summarization..... Again

                        Also, you may want to post these types of questions in one of the higher-up forums, that way you get more insight from some of the CCIEs. Most of us never use these types of ACLs, and they are rarely (if ever) tested on in the Associate and Professional certs. It is more theoretical, and not best practice.

                        • 9. Re: ACL's summarization..... Again
                          Cameron Hughes

                          I understand now with the 119. but with the zero set in 8 position wouldn't this always have to be a zero? so how would you get 9 or 10...15 then how about 24,25,26,... so on ....


                          Or if you had it always on how would you get a 17,18,19, and so on



                          Sorry about this I just trying to understand the best I can. I understand when it jumps from octec like but trying to sum this one has been harder for me to summarize down



                          Thanks guys,




                          • 10. Re: ACL's summarization..... Again
                            Cameron Hughes

                            I see what you mean by the 0 120 I didn't notice till you pointed it out. I was just typing away....







                            • 11. Re: ACL's summarization..... Again
                              Cameron Hughes

                              Thanks for that info about where to post, I"ll start doing that


                              Since I'm in netacad we have homework and that's one of the problems and I understand how to do it with the extra cmds but was just seeing if I could compile it down into a summarization cmd.







                              • 12. Re: ACL's summarization..... Again

                                Maybe we are not on the same page as far as bit positions go, I'm reading from right to left.  On the far left is the 8th bit, and the far right is the 1st bit.


                                The first bit controls even and odd, as it is either 0 or 1, in binary and decimal.


                                So if I had 119, then it would be 01110111 in binary.


                                With the wildcard mask, it would ignore the 1s and focus on the 0s. The 0s would be required to match the source address, which in this case is 8 for the 4th octet, or 00001000.


                                So the only values that have to be matched are the 8th bit and 4th bit. Like so:


                                00001000 = 8

                                01110111 = 119 mask


                                0xxx1xxx ------> Every source address has to have this bit pattern in the 4th octet. That would give you a range of possible values between 8 and 127.





                                Message was edited by: DelVonte to avoid confusion

                                • 13. Re: ACL's summarization..... Again
                                  Cameron Hughes

                                  Yeah i understand that. But you couldn't use this for 17,18,19,20..so on you could for


                                  16+8+ whatever but anthing inbetween the 16 and 8 couldn't work . since you have to have 8 "on"



                                  Same with 32+8  and so on





                                  • 14. Re: ACL's summarization..... Again
                                    Cameron Hughes

                                    I want to say that every wild card that does not use a "broadcast address" or a common wildcard mask (255,31,etc) Then  You   can not have a group of addresses in a row.



                                    yeah you might have all evens or all odds but there not in a row.



                                    If that makes sense.






                                    1 2 Previous Next