All right!!
I have too many deny ip any host in an Access-List.
Are there any scripts to optimise and find the ranges of the IPs in question?
This is not for the crazy Cisco wildcard masks, but it does merge IP addresses into CIDR subnets. You can use it as a start. It reads a list of IP addresses from stdin and outputs a series of a.b.c.d/n lines. You'll need to convert the /n back into wildcard masks.
#!/usr/bin/perl -w
use strict;
use Net::CIDR::Lite;
my $cidr = Net::CIDR::Lite->new;
# read one IP address per line from stdin and add it to the collection
while (<STDIN>) { chomp; $cidr->add_ip($_); }
# list() merges the addresses into the smallest set of a.b.c.d/n blocks
my @list = $cidr->list();
print join("\n", @list) . "\n";
Rob, What is the input format for this perl script? thx, Curtis
A list of IP addresses, one per line. When you use Windows it may be that you need to remove the \r by adding s/\r//; on a line after the chomp;
Input:
192.168.2.2
192.168.2.3
192.168.2.4
Output:
192.168.2.2/31
192.168.2.4/32
So then you still need to transform /31 into 0.0.0.1 (those silly inverted netmasks used by Cisco)
But if the device you're using needs those wildcard masks you'd want a tool that takes
192.168.2.2 192.168.2.6 and figures out the wildcard mask should be 0.0.0.11
I think that example is wrong. There may be cases where a noncontiguous mask can be worked out, but not in cases like that.
This tool won't do that, it only groups adjacent addresses into contiguous subnets.
Oops, that's what I get for not double checking before typing, the wildcard mask would be 0.0.0.4
That's my point about the perl script that was mentioned, converting to CIDR and then manually examining the result is going to miss cases that are far apart.
For instance with addresses like
10.170.34.56 10.186.34.56 they are probably going to be far enough apart in the resultant CIDR list that you wouldn't notice you could use a 0.16.0.0 wildcard mask
Starting with a tool that collapses the list of IP's into a list of CIDR's is better than nothing but if you're looking to produce the smallest wildcard mask list possible what you need is a tool that converts the IP list directly into wildcard masks.
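An added example (not Rob's Perl script, and not from any poster here) that does the two things discussed in this thread in Python 3: it collapses a one-per-line address list into CIDR blocks and prints them as IOS-style deny entries with the inverted wildcard mask, and it includes a small check for the pair case above, returning the single-bit wildcard (0.0.0.4 for .2/.6, 0.16.0.0 for 10.170.34.56/10.186.34.56) only when that mask matches exactly those two hosts and nothing else. The sample input is constructed from the addresses used in the thread.

```python
#!/usr/bin/env python3
"""Collapse host addresses into CIDR blocks and render them as Cisco-style
ACL entries with wildcard (inverted) masks. Reads stdin, or a built-in
sample when run interactively."""
import ipaddress
import sys

# Constructed sample input: the addresses used in this thread, one per line.
SAMPLE = """192.168.2.2
192.168.2.3
192.168.2.4
"""

def collapse(lines):
    """Parse one address per line (stray Windows \\r is tolerated) into the
    smallest set of contiguous CIDR blocks, sorted by address."""
    hosts = [ipaddress.ip_network(l.strip()) for l in lines if l.strip()]
    return list(ipaddress.collapse_addresses(hosts))

def to_wildcard(net):
    """A Cisco wildcard mask is the bitwise inverse of the netmask."""
    return str(net.hostmask)

def acl_line(net):
    """Render one deny entry in IOS extended-ACL syntax."""
    if net.num_addresses == 1:
        return f"deny ip any host {net.network_address}"
    return f"deny ip any {net.network_address} {to_wildcard(net)}"

def pair_wildcard(a, b):
    """Wildcard that matches exactly the two hosts a and b, or None when
    they differ in more than one bit (a mask with k wildcard bits matches
    2**k addresses, so it would also admit hosts you did not list)."""
    x = int(ipaddress.ip_address(a)) ^ int(ipaddress.ip_address(b))
    if x and (x & (x - 1)) == 0:   # exactly one differing bit
        return str(ipaddress.ip_address(x))
    return None

if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for net in collapse(data.splitlines()):
        print(acl_line(net))
```

Piping the sample through it prints `deny ip any 192.168.2.2 0.0.0.1` and `deny ip any host 192.168.2.4`; a wildcard with more than one bit set should be checked against the full list of hosts it admits before you commit it to a device.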
That becomes an optimisation problem, not just because there may be multiple ways of choosing masks to cover your range - what's the best way to cover .2, .3 and .6, for instance? - but because you may be able to express something with a combination of both permits and denies. You might also need to know the vagaries of your particular hardware and software platform because they have their own limits and optimisations.
KISS often works best.
Sam