VLSM, Summerization, and Wildcard Masks

There is a site that just keeps popping out subnetting questions out, and it really helped me get it down. I was wondering if there is anything similar for VLSM, Summerization, and Wildcard Masks? Oh, and for summerization, I still don't understand it. I've looked around and havent found anything too helpful.

Thanks in advance.

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

the_return_of_the_Ring

One advantage of summarization that I can feel at once is that summarization simplfies your routing table.

the routing table in a router contains all the networks it knows and the way to get to those networks. The routing table could be really huge if you don't set it wisely. And summarization can simplfy this.

for instance, say you have a company that needs 900 IPs. The IANA will not give one class B because your need is bigger than 255 IPs, instad, you can get 4 consecutive class C. But if you design your network as 4 regular class C, you're gonna have a lot of overheads on every router in your company. With summarization, the router at the border of your company and the internet can be light by just using 22 bit subnet mask.

EdTheLad

As Madonion has suggested summarization reduces the size of your routing table so less ram is used and routing table lookup is faster.Just imagine if there was no summarization, every router in the network would need to have an entry for every subnet.This would mean lots of ram is needed and also if any subnet fails every router in the network will be effected.Summarization reduces network visability,if you have a summarized route to net 192.168.0.0/16 and a network 192.168.1.0/24 afew hops away fails,the local routing table will not be effected because the router has a summarized route rather than the exact match 192.168.1.0/24.Without summarization the routing table would be modified and updates would need to be sent to neighbors.

Yankee

Route summarization sounds like a great idea but in the real world on large corporate networks it is often difficult to find proper locations to use it. In the past summarization was valuable on routers used for remote access (dial in). Every time a user dialed in a /32 advertisement was generated, so it was wise to summarize those sites to advertise only the larger network that the pool came from. Another place we found useful was between the US and Europe. This was made easier due to our limited paths crossing the pond and since the far larger portion of the network was in North America we only summarized Europe back. Finally you may find it valuable between the main company and a subsidary, where again the number of access points are limited.

Yankee

nuglobe

I understand the concepts I just need some practice questions for summerizing a list of addresses.

DW [banned]

Let me know.

nuglobe

point 2 point : xxx.xxx.xxx.0 255.255.255.252
20 hosts : xxx.xxx.xxx.4 255.255.255.224

Did I do that right?

As for the accesslist do you want them all to be permited? If so, I'm not sure. They might be able to if you came up with some crazy wildcard mask. Pretty lost.

DW [banned]

So far so good.

nuglobe

I still dont get wildcard masks. I understand simple ones like 0.0.255.255 but I dont understand how I can do the one you presented.

xwesleyxwillisx

DarbyWeaver wrote:

Now suppose I asked you to consider the following requirements:

Take the following subnets and create an ACL using only one line of code.

150.1.1.1
175.21.3.7
192.168.3.10

Can this be done? Yes or No and if Yes how and explain it and if not tell me why you think not.

Let me know.

Yes, it can be done.

128.0.0.0 127.255.255.255

Note, this matches all ip addresses from 128.0.0.0 to 255.255.255.255. This means this access-list would block exactly half of all usable IP addresses including the ones specified. However, I don't think this is what you were looking for; although, it is technically correct

EdTheLad

150.1.1.1
175.21.3.7
192.168.3.10

Maybe this is what you want?Tell us what your thinking is Darby, as i cant see any other possible answer to get a closer match.
128.0.0.0 127.191.3.15

nuglobe

ed_the_lad wrote:

150.1.1.1
175.21.3.7
192.168.3.10

Maybe this is what you want?Tell us what your thinking is Darby, as i cant see any other possible answer to get a closer match.
128.0.0.0 127.191.3.15

127 would be all bits on minus 128... How can you get 175 or 192 without using the 128 bit. Err I have 9 days till the test and I cant get this wildcard crap figured out.

Spudage

nuglobe wrote:

127 would be all bits on minus 128... How can you get 175 or 192 without using the 128 bit. Err I have 9 days till the test and I cant get this wildcard crap figured out.

A zero bit in the 128 position of the mask means that the corresponding bit in the address to the left must match... His address on the left has 128 in the first octet, so a zero bit in the mask means that it must also be 128.

Does that help? It's difficult to explain in writing.

nuglobe

So do I just find the normal subnet mask and invert it?

Spudage

nuglobe wrote:

So do I just find the normal subnet mask and invert it?

If you want to set access based on every host in the subnet, then yes that is correct. Below are two examples, one with an inverted subnet mask, and one with a different mask.

EXAMPLE 1: Using an inverted subnet mask to allow all hosts within the subnet
Example Network: 130.50.0.0
Subnet Mask: 255.255.0.0

If you create an access list using an inverted subnet mask, like so:
access-list 1 permit 130.50.0.0 0.0.255.255

any packet being checked by this ACL must have its first 2 octets as 130.50 otherwise it will be denied.

To see this more clearly you can look at the numbers in binary:

Network: 10000010 . 00110010 . 00000000 . 00000000
Mask:    00000000 . 00000000 . 11111111 . 11111111

Remembering that with ACLs a zero in the mask means that the address must match... this means that the first two octets (of the packet being tested) MUST be the same as the network address, because as you can see the mask has all zeros in those bit positions. The host positions however are all ones in the mask, so any combination of ones and zeros (and therefore ANY host number) can be used and pass this ACL.

EXAMPLE 2: Using a more specific mask to match a smaller group of hosts within the subnet
Example Network: 130.50.0.0
Subnet Mask: 255.255.0.0

Again we are using the same network as in example 1. However this time imagine that the IP addresses 130.50.0.1 through to 130.50.0.7 are all addresses assigned to servers. Imagine that you have been asked to permit only packets that have come from one of the servers. To achieve this, you obviously can't invert the subnet mask because you will allow packets from anywhere in the network through your ACL.

Instead a more specific mask like the one below would be used:
access-list 1 permit 130.50.0.0 0.0.0.7

Which in binary looks like:

Network: 10000010 . 00110010 . 00000000 . 00000000
Mask:    00000000 . 00000000 . 00000000 . 00000111

Looking at the mask you know that for a packet to pass this ACL it must have the first 3 octects the same as the network address (130.50.0) beause there is all zeros in the first three octets of the mask. With the last octet, you will notice that the first five bits must equal that of the network address (because they are zeros), however the last three bits can be any combination of ones and zeros. This meets your requirement of only permitting the hosts 130.50.0.1 through to 130.50.0.7

I hope this all made sense and that you find it helpful. Once you have a handle on those two examples, try to make an ACL that only permits hosts 130.50.0.16 through to 130.50.0.19

If you can't figure it out, let us know and we'll try to explain it a bit better

forbesl

Spudage wrote:

Instead a more specific mask like the one below would be used:
access-list 1 permit 130.50.0.0 0.0.0.248

Check this again. It won't do what you say it will do.

Spudage

forbesl wrote:

Check this again. It won't do what you say it will do.

Woops, in my haste I didn't write what I was thinking in my head