Aggregated Access Lists
You can use much shorter access lists by aggregating deny statements. This requires a careful look at the bit patterns of the addresses you want to block (or accept), and it is not easy to work out by hand. The trick is to use masks that cover ranges of IP addresses. The Bogon list can be aggregated nicely, and you will see that there are both non-aggregated and aggregated lists on the Bogon site.
Here is how it works - we show a couple of examples.
Example 1
Imagine that two packets come in, with network addresses 0.0.0.0 and 1.0.0.0, and we need to block both.
Non-Aggregated List entries
0.0.0.0 255.0.0.0
1.0.0.0 255.0.0.0
Aggregated List entry
0.0.0.0 254.0.0.0
Non-Aggregated
With the non-aggregated list, there are two entries, one for 0.0.0.0 and another for 1.0.0.0. So if a packet comes in from network 0.0.0.0 and another from 1.0.0.0:
Address: 00000000.00000000.00000000.00000000
Mask:    11111111.00000000.00000000.00000000
Network = 0, so the access list entry 0.0.0.0 255.0.0.0 blocks it
Address: 00000001.00000000.00000000.00000000
Mask:    11111111.00000000.00000000.00000000
Network = 1, so the access list entry 1.0.0.0 255.0.0.0 blocks it
*** 2 entries are required - both are /8
The mask tells the router that the network portion of the address is 8 bits and the host portion is 24 bits. The router sees the packet come in, uses the mask to identify the network address as 1, matches it to its ACL entry 1.0.0.0 (a deny entry), and blocks it.
Aggregated
With the aggregated list, there is no entry for 1.0.0.0, but there is one for 0.0.0.0 with a mask of 254.0.0.0. So if a packet comes in from network 0.0.0.0 and another from 1.0.0.0:
Address: 00000000.00000000.00000000.00000000
Mask:    11111110.00000000.00000000.00000000
Network = 0, so the access list entry 0.0.0.0 254.0.0.0 blocks it
Address: 00000001.00000000.00000000.00000000
Mask:    11111110.00000000.00000000.00000000
Network = 0, so the same access list entry 0.0.0.0 254.0.0.0 blocks it
*** 1 entry is required - a /7
The mask tells the router that the network portion of the address is 7 bits and the host portion is 25 bits. The router sees the packet come in, uses the mask to identify the network address as 0, matches it to its ACL entry 0.0.0.0 (a deny entry), and blocks it.
So the 1.x.x.x network is blocked using either list. We have aggregated two entries (0.0.0.0 255.0.0.0 and 1.0.0.0 255.0.0.0) into one entry (0.0.0.0 254.0.0.0).
Example 2
Imagine that ten packets come in, with network addresses 70.0.0.0 through 79.0.0.0, and we need to block all of them. Amazingly, this can be done with just two entries, as you will see:
Non-Aggregated
70.0.0.0 255.0.0.0
71.0.0.0 255.0.0.0
72.0.0.0 255.0.0.0
73.0.0.0 255.0.0.0
74.0.0.0 255.0.0.0
75.0.0.0 255.0.0.0
76.0.0.0 255.0.0.0
77.0.0.0 255.0.0.0
78.0.0.0 255.0.0.0
79.0.0.0 255.0.0.0
Aggregated
70.0.0.0 254.0.0.0
72.0.0.0 248.0.0.0
It is obvious that the Non-Aggregated list will block all of these addresses, since it has a separate entry for each. But how does the aggregated list block all ten network addresses using just two entries? Well, the first entry blocks 70 and 71, and the second entry blocks 72 through 79, as follows:
Address 70.0.0.0: 01000110.00000000.00000000.00000000
Mask 254:         11111110.00000000.00000000.00000000
Network = 70, so the access list entry 70.0.0.0 254.0.0.0 blocks it
----------------------------------------------------------------------------------------------------------------
Address 71.0.0.0: 01000111.00000000.00000000.00000000
Mask 254:         11111110.00000000.00000000.00000000
Network = 70, so the access list entry 70.0.0.0 254.0.0.0 blocks it
----------------------------------------------------------------------------------------------------------------
Address 72.0.0.0: 01001000.00000000.00000000.00000000
Mask 254:         11111110.00000000.00000000.00000000
Network = 72, so the access list entry 70.0.0.0 254.0.0.0 does not block it
Address 72.0.0.0: 01001000.00000000.00000000.00000000
Mask 248:         11111000.00000000.00000000.00000000
Network = 72, so the access list entry 72.0.0.0 248.0.0.0 blocks it
----------------------------------------------------------------------------------------------------------------
Address 73.0.0.0: 01001001.00000000.00000000.00000000
Mask 254:         11111110.00000000.00000000.00000000
Network = 72, so the access list entry 70.0.0.0 254.0.0.0 does not block it
Address 73.0.0.0: 01001001.00000000.00000000.00000000
Mask 248:         11111000.00000000.00000000.00000000
Network = 72, so the access list entry 72.0.0.0 248.0.0.0 blocks it
----------------------------------------------------------------------------------------------------------------
etc.
NOTE: the remaining addresses 74.0.0.0, 75.0.0.0 . . . . 79.0.0.0 all contain a value of 72 in their first 5 bits, which are the bits selected by the 5-bit mask 248, so they are also blocked by the entry 72.0.0.0 248.0.0.0.
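Both examples above, carried out in code (an added example written for this page, not part of the original): matches() is the router's bitwise test from the walkthrough, aggregate() collapses a list of network/mask entries the same way the hand method does (using the standard library's ipaddress module), and same_coverage() checks that the short list denies exactly the same /8 networks as the long one and nothing more.

```python
import ipaddress
from typing import Iterable, List, Tuple

Entry = Tuple[str, str]  # (network, mask) in the page's dotted notation


def to_bits(dotted: str) -> str:
    """Render a dotted-quad as the 8-bit groups used in the walkthrough."""
    return ".".join(f"{int(octet):08b}" for octet in dotted.split("."))


def matches(entry: Entry, address: str) -> bool:
    """The router's test: (address AND mask) must equal (network AND mask)."""
    network, mask = entry
    mask_int = int(ipaddress.IPv4Address(mask))
    net_int = int(ipaddress.IPv4Address(network)) & mask_int
    return (int(ipaddress.IPv4Address(address)) & mask_int) == net_int


def aggregate(entries: Iterable[Entry]) -> List[Entry]:
    """Collapse entries into the fewest equivalent ones, keeping network/mask
    notation. collapse_addresses only merges blocks that line up on a
    power-of-two boundary, which is exactly what the hand method relies on."""
    nets = [ipaddress.IPv4Network(f"{n}/{m}") for n, m in entries]
    return [(str(n.network_address), str(n.netmask))
            for n in ipaddress.collapse_addresses(nets)]


def same_coverage(a: Iterable[Entry], b: Iterable[Entry]) -> bool:
    """Confirm two lists deny exactly the same /8 networks by probing one
    address (x.0.0.0) from every /8; this catches over- and under-blocking."""
    a, b = list(a), list(b)
    for x in range(256):
        probe = f"{x}.0.0.0"
        if any(matches(e, probe) for e in a) != any(matches(e, probe) for e in b):
            return False
    return True


if __name__ == "__main__":
    # Example 2 from the page: deny 70.0.0.0 through 79.0.0.0
    full = [(f"{x}.0.0.0", "255.0.0.0") for x in range(70, 80)]
    short = aggregate(full)
    print(short)  # [('70.0.0.0', '254.0.0.0'), ('72.0.0.0', '248.0.0.0')]
    for addr in ("70.0.0.0", "71.0.0.0", "72.0.0.0", "79.0.0.0", "80.0.0.0"):
        hits = [e for e in short if matches(e, addr)]
        print(addr, to_bits(addr), "blocked by", hits or "nothing")
    print("same coverage:", same_coverage(full, short))
```

The coverage check is the step worth keeping when you aggregate a real Bogon list: a mask that is one bit too short silently denies neighbouring networks that were never on the list.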