An ACL is evaluated top to bottom and the first matching statement decides the
packet's fate. Unless a packet matches a permit statement before it matches a
deny statement, or before the last statement has been processed, the packet is
discarded without recourse or appeal: every list ends with an implicit deny any.
A simple example would be the following code lines:
The preceding example shows two host addresses being blocked
(denied) and two being permitted. The fifth statement, while syntactically valid,
serves no purpose, because a packet from that host was already discarded by ACL
line two and cannot be recalled for ACL line five. This often happens when a
person later decides to allow an address and adds the line to an existing
numbered ACL, where it can only go to the bottom of the list. Changing the order
requires deleting the list and re-creating it, although pasting the edited list
back from a text editor such as Notepad makes this much less work than one might
assume. (IOS releases that support access-list sequence numbers let you insert a
line at a chosen position from ip access-list configuration mode instead, which
avoids the delete-and-rebuild cycle.)
This clearly becomes tedious if each address must be handled
individually. The next section looks at how to handle groups of addresses.
Source Identifier
The source identifier {source [source-wildcard] | any} is a choice between identified
host(s) and any host; the any keyword equates to all addresses, and so to all
packets. The following example shows a common use of the any keyword:
Rtr1#conf t
Rtr1(config)#access-list 15 deny 192.168.1.14
Rtr1(config)#access-list 15 deny 192.168.1.195
Rtr1(config)#access-list 15 permit 192.168.4.45
Rtr1(config)#access-list 15 permit 192.168.4.211
Rtr1(config)#access-list 15 permit any
Rtr1(config)#
The final statement allows all packets from any source address to
be permitted. Looking over the preceding results, what’s the impact of ACL Line
five on Lines one and two? None, just like last time, it’s too late for packets
identified by an earlier deny statement.
What is the impact of ACL Line five on Lines three and four? They
are now redundant; the result would be the same if they weren’t present at all.
A small amount of CPU usage could possibly be saved by rewriting the ACL to
eliminate them.
What would happen if the line access-list 15 deny 192.168.3.11 was
added now? Nothing, because the line would go to the bottom and, even if a
packet from that host appeared, it would be permitted by ACL line five before it
reached the new line.
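The following is an added example, not code from the book: a small Python model of the first-match rule just described. It evaluates a packet's source address against access-list 15 top to bottom (with the implicit deny at the end), and audits the list for two kinds of dead entry: a line that can never match because an earlier line already covers its whole range (the "deny 192.168.3.11 added at the bottom" case), and a line that changes nothing because a later line with the same action covers it and no conflicting line sits in between (lines three and four once "permit any" follows them). The ACL data, function names and the packet addresses are constructed for the example; a bare host address in a standard ACL is treated as wildcard 0.0.0.0 and "any" as 0.0.0.0 255.255.255.255, which is how IOS interprets them.

```python
import ipaddress

# Constructed sample data: access-list 15 from the text, with the later-added
# "deny 192.168.3.11" appended as the last (sixth) line.
ACL_15 = [
    ("deny",   "192.168.1.14",  "0.0.0.0"),
    ("deny",   "192.168.1.195", "0.0.0.0"),
    ("permit", "192.168.4.45",  "0.0.0.0"),
    ("permit", "192.168.4.211", "0.0.0.0"),
    ("permit", "0.0.0.0",       "255.255.255.255"),   # permit any
    ("deny",   "192.168.3.11",  "0.0.0.0"),           # never reached
]

MASK32 = 0xFFFFFFFF


def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def matches(packet_src, addr, wildcard):
    """Wildcard comparison as the router does it, in binary: a 0 bit in the
    wildcard must match, a 1 bit is 'don't care'."""
    care = ~to_int(wildcard) & MASK32
    return (to_int(packet_src) & care) == (to_int(addr) & care)


def evaluate(acl, packet_src):
    """Top-down, first match wins. Returns (action, 1-based line number).
    A packet that matches nothing hits the implicit deny (line None)."""
    for line, (action, addr, wildcard) in enumerate(acl, start=1):
        if matches(packet_src, addr, wildcard):
            return action, line
    return "deny", None


def covers(outer, inner):
    """True if every address matched by `inner` is also matched by `outer`.
    Works for any wildcard: inner may only ignore bits outer also ignores, and
    both must agree on every bit outer cares about."""
    _, a_out, w_out = outer
    _, a_in, w_in = inner
    care_out = ~to_int(w_out) & MASK32
    same_fixed_bits = ((to_int(a_out) ^ to_int(a_in)) & care_out) == 0
    return (to_int(w_in) & care_out) == 0 and same_fixed_bits


def overlaps(x, y):
    """True if at least one address is matched by both entries."""
    _, a_x, w_x = x
    _, a_y, w_y = y
    care = ~to_int(w_x) & ~to_int(w_y) & MASK32
    return ((to_int(a_x) ^ to_int(a_y)) & care) == 0


def audit(acl):
    """Return (shadowed, redundant) 1-based line numbers.
    shadowed: an earlier line covers the whole entry, so it can never match.
    redundant: a later line with the same action covers it, and no line in
    between with the other action overlaps it, so removing it changes nothing."""
    shadowed, redundant = [], []
    for i, entry in enumerate(acl):
        if any(covers(earlier, entry) for earlier in acl[:i]):
            shadowed.append(i + 1)
            continue
        for later in acl[i + 1:]:
            if later[0] != entry[0] and overlaps(later, entry):
                break          # a conflicting line would decide some packets first
            if later[0] == entry[0] and covers(later, entry):
                redundant.append(i + 1)
                break
    return shadowed, redundant


if __name__ == "__main__":
    for src in ("192.168.1.14", "192.168.4.45", "192.168.3.11", "10.0.0.1"):
        print(src, evaluate(ACL_15, src))
    print("shadowed:", audit(ACL_15)[0], "redundant:", audit(ACL_15)[1])
```

Run against the list above, the audit reports line six as shadowed and lines three and four as redundant, while lines one and two survive because "permit any" conflicts with them rather than covering them with the same action. The covering test is bitwise, so it is also correct for non-contiguous wildcards, which the router accepts even though the rest of this appendix only deals with contiguous ones.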
Wildcard Masks
In identifying ranges of IP addresses, ACLs use a wildcard
mask instead of a subnet mask. Initially, they might look quite similar, but
closer observation reveals they’re basically opposites.
- Subnet mask: a 32-bit binary value made up of consecutive 1's indicating the
network identifier, which then switches to 0's indicating the host. The
functions and processes using the subnet mask, such as routing or packet
forwarding, have no interest in the host bits.
- Wildcard mask: a 32-bit binary value made up of consecutive 0's indicating
the bits that must match, and then changing to 1's indicating that either bit
value (1 or 0) is acceptable. In most cases, the 0's cover the network
identifier and the 1's cover the hosts to include.
The following example compares the classful subnet mask (netmask)
for 192.168.1.0/24 with the wildcard mask. With both types of masks, the actual
comparisons in network devices are all being done in binary, not in decimal.
Address:  192.168.1.0           11000000.10101000.00000001.00000000
Netmask:  255.255.255.0 == /24  11111111.11111111.11111111.00000000
Wildcard: 0.0.0.255             00000000.00000000.00000000.11111111
In this example, the netmask and wildcard mask are literally
opposites. This holds whenever the wildcard mask describes exactly one network,
classful or not: each wildcard octet is 255 minus the corresponding netmask
octet. The following table shows the default host mask and the three classful
netmask/wildcard mask options.
The last entry is an example of a class A address subnetted to a
series of class C networks. Examples of each are demonstrated in the following
code output:
Rtr1#conf t
Rtr1(config)#access-list 15 deny 192.168.1.14 0.0.0.0
Rtr1(config)#access-list 15 deny 192.168.1.0 0.0.0.255
Rtr1(config)#access-list 15 permit 172.16.0.0 0.0.255.255
Rtr1(config)#access-list 15 permit 15.0.0.0 0.255.255.255
Rtr1(config)#access-list 15 permit 45.12.16.0 0.0.0.255
Rtr1(config)#access-list 15 permit any
Rtr1(config)#
Classful networks are quite easy because the change occurs on an
octet boundary. But what about identifying only a subnet or a supernet? A couple
of additional examples worked through in binary might help.
Remember, each octet (8 bits) is interpreted separately when
converted to decimal. The following example shows the binary equivalents for the
subnet with addresses 192.168.1.16 to 192.168.1.31.
Address:  192.168.1.16             11000000.10101000.00000001.00010000
Netmask:  255.255.255.240 == /28   11111111.11111111.11111111.11110000
Wildcard: 0.0.0.15                 00000000.00000000.00000000.00001111
The remaining rows are for the supernet with address range of
192.168.96.0 to 192.168.97.255.
Address:  192.168.96.0             11000000.10101000.01100000.00000000
Netmask:  255.255.254.0 == /23     11111111.11111111.11111110.00000000
Wildcard: 0.0.1.255                00000000.00000000.00000001.11111111
To create a wildcard mask for a subnet or supernet requires
understanding the previous concepts, but interpreting an existing properly
defined one is quite simple. The value 192.168.96.0 /19 (subnet mask:
255.255.224.0) has a wildcard mask of 0.0.31.255. The original value
192.168.96.0 is the starting value. Then add the wildcard mask octet by octet to
get the maximum value 192.168.(96+31).(0+255) or 192.168.127.255.
Creating a Wildcard Mask for a Subnet or Supernet
Creating a wildcard mask for a subnet or supernet can seem a
little overwhelming. After all, there must be an infinite number of
possibilities, right? No; as with subnets, only a few combinations occur.
Figure A-2 shows a simple tool for demonstrating this.
The top table in Figure A-2 shows the eight bit positions in an octet
and their corresponding decimal values. The middle table carries the same logic
out to 12 bits, which is handy when working with supernets, networks with more
than 8 bits of host addresses. The bottom example shows how the Binary Digits
row can be used to calculate the decimal equivalent of a binary number. This
process works for subnets as well: a 3-bit subnet mask would be three ones in
the leftmost positions (11100000), equaling 224.
The table is built by counting bit positions, right to left, by
ones. The Value row also starts with one, and then doubles with each bit
position to the left.
The table also reveals the limited number of subnet increments that can be
defined without ambiguity: they are the numbers in the Value row. For example,
a 5-bit subnet mask (248) has an increment of 8, giving values like the
following:
Just as each of the previous values is a subnet address, each
value would also be the first value used with a wildcard mask. In this case, the
wildcard mask would be 0.0.0.7, as in 192.168.0.24 0.0.0.7, which identifies the
range 192.168.0.24–31. In the second octet, this would look like 192.168.24.0
0.0.7.255, which identifies the range 192.168.24.0-192.168.31.255.
Rule of thumb: the starting octet value must be a multiple of
a number on the Value line of the table (increment). The wildcard mask for that
same octet is the sum of the bits to the right of the Value line entry (always
one less than the increment). If the starting value is in the second or third
octet, the mask value is unique for that octet, but then all remaining octets
must be 255. So, if the increment is 32 and the starting value is 10.96.0.0,
then the mask is 0.31.255.255.
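As an added example (not from the book), here is the interpretation and creation arithmetic of this section in Python: netmask and wildcard as bit-for-bit opposites for a given prefix length, the first/last address accepted by an address/wildcard pair (the "add the wildcard octet by octet" method), the rule-of-thumb alignment check, the reverse operation of deriving the wildcard that covers a given first..last range, and the n-th subnet of a network at a new prefix length. The function names are my own, and the only library used is the standard ipaddress module for dotted-decimal conversion; the addresses in the usage section are taken from the text.

```python
import ipaddress

MASK32 = 0xFFFFFFFF


def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(n):
    return str(ipaddress.IPv4Address(n))


def masks_for_prefix(prefix_len):
    """(netmask, wildcard) for a /prefix_len. The wildcard is the bit-for-bit
    inverse of the netmask: 0 where the bit must match, 1 where it may vary."""
    netmask = (MASK32 << (32 - prefix_len)) & MASK32
    return to_dotted(netmask), to_dotted(~netmask & MASK32)


def is_contiguous(wildcard):
    """True for a wildcard of the form 0...01...1 (w + 1 is a power of two)."""
    w = to_int(wildcard)
    return w & (w + 1) == 0


def is_aligned(addr, wildcard):
    """Rule of thumb from the text: the starting address must be a multiple of
    the increment, i.e. every 'don't care' bit of the address must be 0."""
    return to_int(addr) & to_int(wildcard) == 0


def wildcard_range(addr, wildcard):
    """Interpretation: first and last address accepted by addr/wildcard.
    Only a contiguous wildcard describes a single range, so anything else
    (e.g. 0.0.0.1, which the router accepts and uses to match odd and even
    hosts) is refused here rather than silently misreported."""
    if not is_contiguous(wildcard):
        raise ValueError(f"{wildcard} is not a contiguous wildcard mask")
    w = to_int(wildcard)
    first = to_int(addr) & ~w & MASK32       # clear the 'don't care' bits
    return to_dotted(first), to_dotted(first | w)   # set them all for the last


def wildcard_for_range(first, last):
    """Creation: the wildcard that covers exactly first..last. Raises if the
    range is not one aligned power-of-two block (wrong size or misaligned)."""
    f, l = to_int(first), to_int(last)
    w = f ^ l                                # bits that differ across the range
    if l < f or w & (w + 1) or f & w:
        raise ValueError(f"{first}-{last} is not one aligned power-of-two block")
    return to_dotted(w)


def nth_subnet(network_cidr, new_prefix, n):
    """Starting address and wildcard of the n-th (1-based) subnet when
    network_cidr is subnetted to /new_prefix. The block size is the increment."""
    net = ipaddress.IPv4Network(network_cidr, strict=True)
    if not net.prefixlen <= new_prefix <= 32:
        raise ValueError("new_prefix must lie between the network prefix and 32")
    block = 1 << (32 - new_prefix)
    count = 1 << (new_prefix - net.prefixlen)
    if not 1 <= n <= count:
        raise ValueError(f"only {count} subnets of /{new_prefix} fit in {network_cidr}")
    start = int(net.network_address) + (n - 1) * block
    return to_dotted(start), masks_for_prefix(new_prefix)[1]


if __name__ == "__main__":
    print(masks_for_prefix(19))                               # 255.255.224.0 / 0.0.31.255
    print(wildcard_range("192.168.96.0", "0.0.31.255"))       # ... to 192.168.127.255
    print(wildcard_for_range("192.168.96.0", "192.168.97.255"))   # 0.0.1.255
    print(is_aligned("10.96.0.0", "0.31.255.255"), is_aligned("10.100.0.0", "0.31.255.255"))
    print(nth_subnet("192.168.145.0/24", 26, 3))              # third /26
```

The alignment check is the one practitioners most often skip: 10.100.0.0 0.31.255.255 is accepted by the router, but because 100 is not a multiple of 32 it matches 10.96.0.0 through 10.127.255.255, not the block starting at 10.100.0.0. Checking is_aligned before committing a line avoids that silent widening of the match.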
Exercise A-1
Objective: Practice the skills required to
interpret and create wildcard masks.
Required: Use the conversion table covered in
the text or any method you choose (except using a subnet calculator). To confirm
your results, the correct answers are at the end of the exercise.
1. What would be the starting address (first acceptable) and ending address
(last acceptable) for the address/mask combination 192.15.75.0 0.0.0.255?
2. What would be the starting address and ending address for the address/mask
combination 172.16.0.0 0.0.255.255?
3. What would be the starting address and ending address for the address/mask
combination 210.10.0.0 0.0.1.255?
4. What would be the starting address and ending address for the address/mask
combination 209.10.25.128 0.0.0.31?
5. What would be the starting address and wildcard mask for the IP network
210.119.60.0/24?
6. What would be the starting address and wildcard mask for the IP host address
210.119.60.10/24?
7. What would be the starting address and wildcard mask for the third subnet of
192.168.145.0/26?
8. What would be the starting address and wildcard mask for the fifth subnet of
201.110.150.0/30?
9. What would be the starting address and wildcard mask for the second subnet of
145.110.0.0/18?
Answers
1. 192.15.75.0 to 192.15.75.255
2. 172.16.0.0 to 172.16.255.255
3. 210.10.0.0 to 210.10.1.255
4. 209.10.25.128 to 209.10.25.159
5. 210.119.60.0 0.0.0.255
6. 210.119.60.10 0.0.0.0
7. 192.168.145.128 0.0.0.63
8. 201.110.150.16 0.0.0.3
9. 145.110.64.0 0.0.63.255
Removing an Access List
To remove the entire list, type no access-list acl-num in Global Configuration
mode; to unapply the list from an interface while leaving it defined, type
no ip access-group acl-num in Interface Configuration mode. The following code
demonstrates both techniques:
Rtr1#config t
Rtr1(config)#no access-list 50
Rtr1(config)#int e0
Rtr1(config-if)#no ip access-group 50
If you remove the list but leave the access-group command applied to the
interface, IOS versions since 12.0 treat the missing list as if it contained a
single permit any: all traffic passes. Older versions defaulted to deny any and
therefore blocked all traffic. In practice this means that deleting a list in
order to rebuild it opens the interface for as long as the list is absent, so
unapply the list from the interface first, or build the replacement under a new
number and swap the access-group command over once it is complete.