Optimising ACLs

Have a question or want to start a discussion? Post it! No Registration Necessary.  Now with pictures!

Threaded View
All right!!

I have too many deny ip any host  in an Access-List.

Are there any scripts to optimise and find the ranges of the IPs in question?
--  
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
God,Queen and country!Never Satan President Republic!Beware AntiChrist rising!  
http://www.fullyfollow.me/rootnl2k Look at Psalms 14 and 53 on Atheism
We thought, because we had power, we had wisdom.  -Stephen Vincent Benet  

Re: Optimising ACLs
Quoted text here. Click to load it

This is not for the crazy Cisco wildcard masks, but it does merge
IP addresses into CIDR subnets.  You can use it as a start.
It reads a list of IP addresses from stdin and outputs a series of
a.b.c.d/n lines.  You'll need to convert the /n back into wildcard masks.

#!/usr/bin/perl -w

use Net::CIDR::Lite;

my $cidr = Net::CIDR::Lite->new;

while (<>) {
   chomp;
   $cidr->add_ip($_);
}

my @list = $cidr->list();

print join("\n",@list) . "\n";

Re: Optimising ACLs
On Wednesday, October 22, 2014 2:09:58 AM UTC-5, Rob wrote:
Quoted text here. Click to load it

Rob,
What is the input format for this perl script?
thx,
Curtis

Re: Optimising ACLs
Quoted text here. Click to load it

A list of IP addresses, one per line.
When you use Windows it may be that you need to remove the \r by
adding s/\r//; on a line after the chomp;

Input:
192.168.2.2
192.168.2.3
192.168.2.4

Output:
192.168.2.2/31
192.168.2.4/32

So then you still need to transform /31 into 0.0.0.1
(those silly inverted netmasks used by Cisco)

Re: Optimising ACLs
Quoted text here. Click to load it

But if the device you're using needs those wildcard masks you'd want a
tool that takes  
192.168.2.2
192.168.2.6
and figures out the wildcard mask should be 0.0.0.11

--  
                    -- Rod --
rodd(at)polylogics(dot)com

Re: Optimising ACLs
Quoted text here. Click to load it

I think that example is wrong.  There may be cases where a noncontiguous
mask can be worked out, but not in cases like that.

This tool won't do that, it only groups adjacent addresses into contiguous
subnets.

Re: Optimising ACLs
Quoted text here. Click to load it

Oops, thats what I get for not double checking before typing,
the wildcard mask would be 0.0.0.4

Quoted text here. Click to load it

Thats my point about the perl script that was mentioned, converting to
CIDR and then manually examining the result is going to miss cases
that are far apart.

For instance with addresses like
10.170.34.56
10.186.34.56
they are probably going to be far enough apart in the resultant CIDR
list that you wouldn't notice you could use a 0.16.0.0 wildcard mask

Starting with a tool that collapses the list of IP's into a list of
CIDR's is better than nothing but if you're looking to produce the
smallest wildcard mask list possible what you need is a tool that
converts the IP list directly into wildcard masks.

--  
                    -- Rod --
rodd(at)polylogics(dot)com

Re: Optimising ACLs
wrote:

Quoted text here. Click to load it

That becomes an optimisation problem, not just because there may be  
multiple ways of choosing masks to cover your range - what's the best  
way to cover .2, .3 and .6, for instance? - but because you may be able  
to express something with a combination of both permits and denies.  You  
might also need to know the vagaries of your particular hardware and  
software platform because they have their own limits and optimisations.

KISS often works best.

Sam

--  
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.

Site Timeline