ACLs & Range of Addresses
firechicken 2001-11-07, 11:07 am
Hi everyone.
It looks like I've forgotten some of my access list skills. Specifically, how a person would go about permitting/denying a range of addresses.
My Lammle book mentions something about "blocks", but I didn't understand what he was trying to say. My Cisco book is even lamer now (regarding ACLs) than it was when I first read it.
I know there are binary-mastas lurking these forums. Could you please give me a refresher on permitting/denying ranges?
TIA.
depamo 2001-11-07, 11:15 am
Wildcard mask
Here is a little more. Just like you use a subnet mask to identify a group of IP addresses, you use a wildcard with ACLs to identify a group of IPs in the access list.
elad-h 2001-11-07, 11:44 am
The blocks are scopes of numbers that tell the IOS the type of the access list.
Like:
1..99 standard IP access list
100..199 extended IP access list
800..899 standard IPX access list
Here is an example:
enter
config t
access-list (ID number) and the destination IP number (this rule is for the standard IP access list).
And then you need to assign the rule to an interface.
firechicken 2001-11-07, 12:00 pm
Thanks for the replies.
Looks like I need to rephrase my question. If a person wanted to permit/deny 32, or 64, or etc. hosts on the 192.168.0 network, could you give me an example of how to do this?
dmaftei 2001-11-07, 12:08 pm
quote: Originally posted by firechicken
If a person wanted to permit/deny 32, or 64, or etc. hosts on the 192.168.0 network, could you give me an example on how to do this?
To deny 192.168.0.0 through 192.168.0.31 (a range of 32 addresses):
access-list 1 deny 192.168.0.0 0.0.0.31
To deny 192.168.0.64 through 192.168.0.127 (a range of 64 addresses):
access-list 2 deny 192.168.0.64 0.0.0.63
Take the second example. The wildcard is 00000000.00000000.00000000.00111111. The bits in the address that correspond to '1' in the wildcard are ignored; the bits in the address that correspond to '0' in the wildcard must match the corresponding bits in 192.168.0.64.
Do you remember now?
firechicken 2001-11-07, 1:13 pm
Thanks Dan... it's coming back to me now.
What really threw me for a loop is a guy on another board proposed a "what if" scenario. He was saying, "What if we used a wildcard mask of 0.0.0.192?" (used with the 192.168.0 network). After that question, my confidence in my access list knowledge took a beating.
Anyway... I'll go torture myself now with a few dozen access list scenarios. Thanks again!
dmaftei 2001-11-07, 1:29 pm
quote: Originally posted by firechicken
"What if we used a wildcard mask of 0.0.0.192?" (used with the 192.168.0 network).
access-list 1 deny 192.168.0.0 0.0.0.192
would deny exactly four addresses: 192.168.0.0, 192.168.0.64, 192.168.0.128 and 192.168.0.192. This is perfectly legal, and it goes along the lines of the well-known problem "how do I deny odd (or even) addresses in a subnet?".
firechicken 2001-11-07, 2:51 pm
Since that wildcard mask would block the 192.168.0.0 address, wouldn't that translate into blocking the entire 192.168.0 network (assume a classful mask)?
dmaftei 2001-11-07, 3:35 pm
quote: Originally posted by firechicken
Since that wildcard mask would block the 192.168.0.0 address, wouldn't that translate into blocking the entire 192.168.0 network (assume a classful mask)?
No. The fact that an access list blocks an IP address that happens to be a subnet address in your subnetting scheme doesn't mean your entire subnet will be blocked. Keep in mind that access lists have no idea whatsoever about your subnetting.
An IP access list blocks/allows a set of IP addresses. That set of addresses may range from a single address ('access-list x deny host a.b.c.d' or its equivalent 'access-list x deny a.b.c.d 0.0.0.0') to the whole IP address space ('access-list x deny any' or its equivalent 'access-list x deny what.ever.you.want 255.255.255.255').
Consider the syntax of the access-list command:
access-list number deny|permit address wildcard
You control the set of IP addresses matched by your access list by choosing address and wildcard as you wish. Say your ACL is:
access-list 1 deny 192.168.0.0 0.0.0.192
Look at the address and the wildcard in binary:
11000000.10101000.00000000.00000000
00000000.00000000.00000000.11000000
What you're saying here is: "I want to match those addresses that have 110000001010100000000000 in the first 24 bits, and 000000 in the last 6 bits. I don't care about bits 25 and 26." What are the possibilities for the 25th and the 26th bits? 00, 01, 10 and 11. So the set of IP addresses this list will match is composed of the following (the bits you don't care about are in brackets):
11000000.10101000.00000000.[00]000000
11000000.10101000.00000000.[01]000000
11000000.10101000.00000000.[10]000000
11000000.10101000.00000000.[11]000000
which is 192.168.0.0, 192.168.0.64, 192.168.0.128 and 192.168.0.192. Any other address will not match!
Cheers!
firechicken 2001-11-07, 4:28 pm
Thanks for your outstanding and thorough explanation. It seems easy when you do it. I'm sure I have it now, but just in case, I'd like to do another and someone can tell me if and where I go wrong, please.
[Forgive the verboseness, it's for my own sake]
Let's say we have an IP of 192.168.0.0 and a wildcard mask of 0.0.0.224.
IP address 192.168.0.0 in binary is
1100 0000.1010 1000.0000 0000.0000 0000
Wildcard mask 0.0.0.224 in binary is
0000 0000.0000 0000.0000 0000.1110 0000
Since the 25th, 26th, and 27th bits are unknown, there are 2^3 possible matches. Below are the possible matches (the last octet only, for brevity's sake):
0000 0000 = .0
0010 0000 = .32
0100 0000 = .64
0110 0000 = .96
1000 0000 = .128
1010 0000 = .160
1100 0000 = .192
1110 0000 = .224
How's that, bud?
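The wildcard arithmetic dmaftei walks through above for 0.0.0.192, and firechicken's enumeration for 0.0.0.224, as an added Python example that is not from this thread: it tests one address against an access-list entry and enumerates every address an entry matches, so the "denying .0 does not deny the subnet" point, the contiguous 0.0.0.63 range, and the odd-address trick dmaftei mentions can all be checked. The function names and the sample entries are the example's own, built from the addresses in the thread.

```python
import ipaddress
from itertools import product
from typing import List


def _ip(s: str) -> int:
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(s))


def acl_matches(address: str, wildcard: str, candidate: str) -> bool:
    """Cisco wildcard semantics: a candidate matches when every bit that is
    0 in the wildcard equals the corresponding bit of the ACL address.
    Bits that are 1 in the wildcard are ignored."""
    care = ~_ip(wildcard) & 0xFFFFFFFF      # 1 where the bit must match
    return (_ip(address) & care) == (_ip(candidate) & care)


def acl_expand(address: str, wildcard: str) -> List[str]:
    """Enumerate, in ascending order, every address an entry matches.
    Each 1-bit in the wildcard doubles the set: k don't-care bits give
    2**k addresses. The set is a contiguous range only when the 1-bits
    are the low-order bits; otherwise (0.0.0.192, 0.0.0.224) it is a
    scattered set of addresses, not a subnet."""
    a, w = _ip(address), _ip(wildcard)
    # Positions of the don't-care bits, most significant first, so that
    # itertools.product yields the matched addresses in ascending order.
    free = [pos for pos in range(31, -1, -1) if (w >> pos) & 1]
    base = a & ~w & 0xFFFFFFFF              # fixed bits kept, free bits cleared
    matched = []
    for combo in product((0, 1), repeat=len(free)):
        value = base
        for bit, pos in zip(combo, free):
            value |= bit << pos
        matched.append(str(ipaddress.IPv4Address(value)))
    return matched


if __name__ == "__main__":
    # Constructed entry from the thread: access-list 1 deny 192.168.0.0 0.0.0.192
    print(acl_expand("192.168.0.0", "0.0.0.192"))
    # The rest of 192.168.0.0/24 is untouched by that entry:
    print(acl_matches("192.168.0.0", "0.0.0.192", "192.168.0.1"))   # False
    # Odd addresses in 192.168.0.0/24: fix the low bit, free the other seven.
    print(len(acl_expand("192.168.0.1", "0.0.0.254")))              # 128
```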
dmaftei 2001-11-07, 5:21 pm
quote: Originally posted by firechicken
How's that?