May 16, 2014

Summarization tricks

Route summarization is something really basic, but it is always useful. We can optimize ACLs using some summarization tricks!

If we want to create an access rule for four destinations, we can use object-groups or, depending on the subnet addresses, we can summarize them and use only one address. For example:

Ex.1) Permit any IP traffic from inside to the destinations 192.0.2.0/29, 192.0.2.8/29, 192.0.2.16/28 and 192.0.2.32/27.

Converting the last octet of each address to binary, we have:

00000000 (0)
00001000 (8)
00010000 (16)
00100000 (32)

Performing a binary AND operation, the summarization result is: 192.0.2.0/26. With only one subnet/netmask, we cover all the destinations:

access-list inside permit ip any 192.0.2.0 255.255.255.192

OK... this is really basic and nothing we haven't seen before. Now let's try something more interesting.

Ex.2) Permit any IP traffic from inside to the destinations 172.16.0.0/24, 172.16.2.0/24, 172.16.8.0/24 and 172.16.10.0/24

Converting the third octet of each address to binary, we have:

00000000 (0)
00000010 (2)
00001000 (8)
00001010 (10)

Using the well-known summarization method, the result would be 172.16.0.0/20. However, it is not valid for our access rule because it includes subnets that are not needed (172.16.1.0/24, 172.16.3.0/24, 172.16.4.0/22, etc.).

We can use a non-contiguous netmask to improve the result!

When we build the netmask, we set to 1 every bit whose value is fixed across all four addresses, and to 0 every bit that varies. In this case we have:

11111111.11111111.11110101.00000000 (255.255.245.0)

Thus if we create the following access rule:

access-list inside permit ip any 172.16.0.0 255.255.245.0

We get the same result as creating four access rules, one per destination.
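The bit trick above, worked out in code. This is an added example, not from the original post: it derives the non-contiguous mask for a set of same-length networks, shows the classic contiguous summary for comparison, and enumerates every network the resulting rule would actually match, which is the check a practitioner wants before trusting such a mask (if the destination set is not "closed" under the varying bits, the rule silently matches extra subnets). The function names are my own.

```python
import itertools
import ipaddress

def wildcard_summary(networks):
    """Single address/mask covering all given same-length networks.
    Mask bits are 1 where every address agrees, so it may be non-contiguous."""
    nets = [ipaddress.ip_network(n) for n in networks]
    plens = {n.prefixlen for n in nets}
    if len(plens) != 1:
        raise ValueError("all networks must share one prefix length")
    plen = plens.pop()
    addrs = [int(n.network_address) for n in nets]
    varying = 0
    for a in addrs:
        varying |= a ^ addrs[0]                    # bits that differ somewhere
    prefix_mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
    mask = prefix_mask & ~varying & 0xFFFFFFFF     # fixed bits only, host bits cleared
    base = addrs[0] & mask
    return str(ipaddress.ip_address(base)), str(ipaddress.ip_address(mask)), plen

def contiguous_summary(base, mask):
    """Classic summary route: keep only the leading run of 1 bits in the mask."""
    m = int(ipaddress.ip_address(mask))
    leading = 0
    while leading < 32 and m & (1 << (31 - leading)):
        leading += 1
    return str(ipaddress.ip_network(f"{base}/{leading}", strict=False))

def covered_networks(base, mask, plen):
    """Every /plen network whose address ANDed with mask equals base."""
    b = int(ipaddress.ip_address(base))
    m = int(ipaddress.ip_address(mask))
    free = [i for i in range(32 - plen, 32) if not m & (1 << i)]  # varying bits inside the prefix
    nets = set()
    for bits in itertools.product((0, 1), repeat=len(free)):
        addr = b
        for pos, bit in zip(free, bits):
            addr |= bit << pos
        nets.add(f"{ipaddress.ip_address(addr)}/{plen}")
    return nets

def check_rule(networks):
    """Summarise and report which networks the resulting ACE would match beyond those requested."""
    base, mask, plen = wildcard_summary(networks)
    wanted = {str(ipaddress.ip_network(n)) for n in networks}
    return base, mask, sorted(covered_networks(base, mask, plen) - wanted)

if __name__ == "__main__":
    print(check_rule(["172.16.0.0/24", "172.16.2.0/24", "172.16.8.0/24", "172.16.10.0/24"]))
    print(check_rule(["172.16.0.0/24", "172.16.2.0/24", "172.16.8.0/24"]))  # 10.0/24 is matched too
```

Run against Ex.2 the third element of the result is empty; drop 172.16.10.0/24 from the input and the same mask still comes out, but the report now lists 172.16.10.0/24 as an unintended match.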

ASA accepts non-contiguous netmasks on access rules, but not on static routes. Note that, as with many other articles in this blog, this is just a proof of concept and I do not recommend using non-contiguous netmasks on production devices.

Have fun!
