26 nov. 2011

Access-List and Wildcard Mask


An ACL entry and its wildcard mask can be derived from a list of addresses with two bitwise operations: AND of all the addresses gives the network part, and XOR marks the bit positions in which the addresses differ, which gives the wildcard mask:
 
Example 1:
Deny the following hosts in a single access-list statement:
  • 200.0.1.2
  • 200.0.1.10
  • 200.0.1.18
  • 200.0.1.26
  • 200.0.3.2
  • 200.0.3.10
  • 200.0.3.18
  • 200.0.3.26

Binary form of the hosts:
200.0.1.2    11001000 00000000 00000001 00000010
200.0.1.10   11001000 00000000 00000001 00001010
200.0.1.18   11001000 00000000 00000001 00010010
200.0.1.26   11001000 00000000 00000001 00011010
200.0.3.2    11001000 00000000 00000011 00000010
200.0.3.10   11001000 00000000 00000011 00001010
200.0.3.18   11001000 00000000 00000011 00010010
200.0.3.26   11001000 00000000 00000011 00011010

AND of all eight addresses (the network):
200.0.1.2    11001000 00000000 00000001 00000010

Bits that differ between the addresses (XOR, the wildcard mask):
0.0.2.24     00000000 00000000 00000010 00011000

The ACL would be:
access-list 1 deny 200.0.1.2 0.0.2.24
access-list 1 permit any
There may be overlaps: a mask derived this way can also match addresses that were not in the list.

Example 2:
Deny the following networks from being received by RIPv2:
10.0.0.0/16
10.4.0.0/16
10.32.0.0/16
10.36.0.0/16

AND of the four networks gives 10.0.0.0; the bits that differ are the 32 and 4 bits of the second octet, giving the wildcard mask 0.36.0.0:

access-list 1 permit 10.0.0.0 0.36.0.0
How do we know if we are overlapping address space?
The number of bits set in the wildcard mask directly determines how many addresses the access-list will match: n bits set match 2^n addresses.

In the first case, 3 bits are set in the wildcard mask (the 2 bit of the third octet and the 16 and 8 bits of the fourth octet). 3 bits set give 8 combinations (2^3 = 8), which are exactly the eight hosts listed, so the resulting access-list is the most specific match possible in one line.

In the second case, 2 bits are set in the wildcard mask, the 32 bit and the 4 bit of the second octet. 2 bits set give 4 combinations (2^2 = 4). In this case it is evident that these four combinations are exactly the four networks in question.
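The AND/XOR derivation and the overlap check described above, as an added Python example (not code from the original post): summarize() computes the network and wildcard mask, matched() enumerates the 2^n addresses the pair covers, and overlap() reports any matched addresses that were not in the intended list. The three-host case at the end is a constructed counter-example showing a mask that matches more than intended.

```python
import ipaddress
from itertools import product

# Example 1 hosts from the post above
HOSTS = ["200.0.1.2", "200.0.1.10", "200.0.1.18", "200.0.1.26",
         "200.0.3.2", "200.0.3.10", "200.0.3.18", "200.0.3.26"]

def _ip(a):
    return int(ipaddress.IPv4Address(a))

def _dotted(v):
    return str(ipaddress.IPv4Address(v))

def summarize(addrs):
    """Return (network, wildcard) for one ACL line covering addrs.
    network  = bitwise AND of all addresses;
    wildcard = 1 wherever the addresses differ, i.e. (AND of all) XOR (OR of all)."""
    ints = [_ip(a) for a in addrs]
    and_all, or_all = ints[0], ints[0]
    for v in ints[1:]:
        and_all &= v
        or_all |= v
    return _dotted(and_all), _dotted(and_all ^ or_all)

def matched(network, wildcard):
    """Every address the network/wildcard pair matches: 2**(bits set in wildcard)."""
    net, wc = _ip(network), _ip(wildcard)
    base = net & ~wc & 0xFFFFFFFF          # wildcard '1' bits are don't-care
    var_bits = [b for b in range(32) if wc >> b & 1]
    out = []
    for choice in product((0, 1), repeat=len(var_bits)):
        v = base
        for on, b in zip(choice, var_bits):
            if on:
                v |= 1 << b
        out.append(v)
    return [_dotted(v) for v in sorted(out)]

def overlap(addrs):
    """Addresses the one-line ACL matches beyond the intended ones (empty = exact)."""
    net, wc = summarize(addrs)
    extra = set(matched(net, wc)) - set(addrs)
    return sorted(extra, key=_ip)

if __name__ == "__main__":
    net, wc = summarize(HOSTS)
    print(f"access-list 1 deny {net} {wc}", "extra:", overlap(HOSTS))
    # Constructed counter-example: three hosts need a 4-address mask, so 10.1.1.0 is also matched
    print(overlap(["10.1.1.1", "10.1.1.2", "10.1.1.3"]))
```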
