Optimising ACLs

All right!!

I have too many deny ip any host in an Access-List.

Are there any scripts to optimise and find the ranges of the IPs in question?

Reply to
The Doctor

This is not for the crazy Cisco wildcard masks, but it does merge IP addresses into CIDR subnets. You can use it as a start. It reads a list of IP addresses from stdin and outputs a series of a.b.c.d/n lines. You'll need to convert the /n back into wildcard masks.

#!/usr/bin/perl -w
use strict;
use Net::CIDR::Lite;

my $cidr = Net::CIDR::Lite->new;

# Read one IP address per line from stdin and add it to the collector
while (<STDIN>) { chomp; $cidr->add_ip($_); }

# list() returns the merged a.b.c.d/n blocks
my @list = $cidr->list();
print join("\n", @list) . "\n";

Reply to
Rob

Rob, What is the input format for this perl script? thx, Curtis

Reply to
born2frag

A list of IP addresses, one per line. When you use Windows it may be that you need to remove the \r by adding s/\r//; on a line after the chomp;

Input:

192.168.2.2
192.168.2.3
192.168.2.4

Output:

192.168.2.2/31
192.168.2.4/32

So then you still need to transform /31 into 0.0.0.1 (those silly inverted netmasks used by Cisco)

Reply to
Rob

But if the device you're using needs those wildcard masks you'd want a tool that takes

192.168.2.2
192.168.2.6

and figures out the wildcard mask should be 0.0.0.11

Reply to
Rod Dorman

I think that example is wrong. There may be cases where a noncontiguous mask can be worked out, but not in cases like that.

This tool won't do that, it only groups adjacent addresses into contiguous subnets.

Reply to
Rob

Oops, that's what I get for not double-checking before typing; the wildcard mask would be 0.0.0.4

That's my point about the Perl script that was mentioned: converting to CIDR and then manually examining the result is going to miss cases that are far apart.

For instance, with addresses like

10.170.34.56
10.186.34.56

they are probably going to be far enough apart in the resultant CIDR list that you wouldn't notice you could use a 0.16.0.0 wildcard mask

Starting with a tool that collapses the list of IPs into a list of CIDRs is better than nothing, but if you're looking to produce the smallest wildcard mask list possible, what you need is a tool that converts the IP list directly into wildcard masks.

Reply to
Rod Dorman
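As an added example (not code posted in this thread), here is a Python sketch of the direct IP-list-to-wildcard approach Rod describes, plus a converter for the a.b.c.d/n lines Rob's script prints. It also carries the check a defender wants before collapsing entries: a single address/wildcard pair only expresses the list exactly when the number of addresses equals 2 to the power of the number of wild bits; otherwise the merged entry silently matches hosts that were never in the list. Function names are my own.

```python
import ipaddress

# Added example, not from the thread. Names below are my own.

def wildcard_from_prefix(prefix_len: int) -> str:
    """Inverted netmask for a /n prefix, e.g. /31 -> 0.0.0.1, /32 -> 0.0.0.0."""
    return str(ipaddress.IPv4Address((1 << (32 - prefix_len)) - 1))

def cidr_to_acl(cidr: str, action: str = "deny") -> str:
    """Turn one a.b.c.d/n line (as the Perl script prints) into an ACL entry."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    if net.prefixlen == 32:
        return f"{action} ip any host {net.network_address}"
    return f"{action} ip any {net.network_address} {wildcard_from_prefix(net.prefixlen)}"

def cover(addrs):
    """Single address/wildcard pair matching every address in addrs.

    Returns (base, wildcard, exact). The wildcard has a 1 in every bit where
    the inputs disagree, so it may be noncontiguous (0.0.0.4, 0.16.0.0).
    exact is False when the pair also matches hosts that were NOT in the
    list, i.e. the number of distinct inputs is not 2**popcount(wildcard).
    """
    ints = sorted({int(ipaddress.IPv4Address(a)) for a in addrs})
    base = ints[0]
    for i in ints[1:]:
        base &= i                      # bits all inputs share
    wild = 0
    for i in ints:
        wild |= i ^ base               # bits that vary across inputs
    exact = (1 << bin(wild).count("1")) == len(ints)
    return (str(ipaddress.IPv4Address(base)),
            str(ipaddress.IPv4Address(wild)), exact)

if __name__ == "__main__":
    print(cidr_to_acl("192.168.2.2/31"))   # deny ip any 192.168.2.2 0.0.0.1
    # Constructed sample groups taken from the addresses discussed above
    for group in (["192.168.2.2", "192.168.2.6"],
                  ["10.170.34.56", "10.186.34.56"],
                  ["192.168.2.2", "192.168.2.3", "192.168.2.6"]):
        base, wild, exact = cover(group)
        note = "" if exact else "  <- also matches hosts not in the list"
        print(f"deny ip any {base} {wild}{note}")
```

The third group (.2, .3 and .6) is the case Sam raises: the tightest single mask is 0.0.0.5, which also matches .7, so it has to be split into more than one entry if the ACL is to stay exact.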

That becomes an optimisation problem, not just because there may be multiple ways of choosing masks to cover your range - what's the best way to cover .2, .3 and .6, for instance? - but because you may be able to express something with a combination of both permits and denies. You might also need to know the vagaries of your particular hardware and software platform because they have their own limits and optimisations.

KISS often works best.

Sam

Reply to
Sam Wilson
