| vschristopher 2002-09-09, 9:24 am |
| Can someone explain to me how to deny particular subnets in a network using TCP/IP access lists (non-Novell environment)? The method I learnt is too complex to remember.
Also, can someone explain a simple method to convert hex to binary and binary to hex? | |
| bassackwards 2002-09-09, 9:42 am |
| We haven't gotten into ACLs yet so I can't help you there, but I can definitely help you with hex/binary conversion.
BIN HEX
0000 0
0001 1
0010 2
0011 3
0100 4
0101 5
0110 6
0111 7
1000 8
1001 9
1010 10(A)
1011 11(B)
1100 12(C)
1101 13(D)
1110 14(E)
1111 15(F)
Unlike binary which is 2 bits (1's and 0's), Hex is 16 bit (0-15). Say you have the hex # 4F6A. In binary it would look like: 0100 1111 0110 1010. The formula for converting HEX to Decimal is different but just as easy.
Hope this helps. | |
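The nibble table above is the whole algorithm: each hex digit maps to exactly four bits, so a hex string is converted one character at a time and a binary string is converted four bits at a time. The following Python is an added example, not code posted in the thread; the function names are my own, and the 4F6A value is the one from the post.

```python
# Added example (not from the thread): nibble-at-a-time hex/binary conversion,
# built from the same 16-row table the post lists.
NIBBLE_TO_HEX = {format(i, "04b"): format(i, "X") for i in range(16)}  # '0000'->'0' ... '1111'->'F'
HEX_TO_NIBBLE = {v: k for k, v in NIBBLE_TO_HEX.items()}                # 'F'->'1111'


def hex_to_bin(hexstr: str) -> str:
    """Convert a hex string such as '4F6A' to grouped binary '0100 1111 0110 1010'."""
    groups = []
    for ch in hexstr.upper():
        if ch not in HEX_TO_NIBBLE:
            raise ValueError(f"not a hex digit: {ch!r}")
        groups.append(HEX_TO_NIBBLE[ch])
    return " ".join(groups)


def bin_to_hex(binstr: str) -> str:
    """Convert a binary string (spaces optional) back to hex.

    The string is left-padded with zeros to a multiple of four bits, so '110' is
    treated as '0110' and yields '6'.
    """
    bits = binstr.replace(" ", "")
    if not bits or any(b not in "01" for b in bits):
        raise ValueError("binary string must contain only 0 and 1")
    padded_len = -(-len(bits) // 4) * 4          # round up to a multiple of 4
    bits = bits.zfill(padded_len)
    return "".join(NIBBLE_TO_HEX[bits[i:i + 4]] for i in range(0, len(bits), 4))


def hex_to_dec(hexstr: str) -> int:
    """Positional conversion: each hex digit is worth 16 times the digits to its right."""
    total = 0
    for ch in hexstr.upper():
        if ch not in HEX_TO_NIBBLE:
            raise ValueError(f"not a hex digit: {ch!r}")
        total = total * 16 + int(HEX_TO_NIBBLE[ch], 2)
    return total


if __name__ == "__main__":
    print(hex_to_bin("4F6A"))                   # 0100 1111 0110 1010
    print(bin_to_hex("0100 1111 0110 1010"))    # 4F6A
    print(hex_to_dec("4F6A"))                   # 20330
```

The same lookup is what makes dotted-decimal masks easy to read in binary later in this thread: each octet is two hex digits, i.e. two nibbles.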
| vschristopher 2002-09-10, 12:38 pm |
| quote: Originally posted by davidbeecken
www.ciscotrack.com/hex.html
David,
nothing about ACLs
lol, you're doing your CCNP man, help me with this
chris | |
| davidbeecken 2002-09-10, 1:15 pm |
| That was for your hex question  | |
| dmaftei 2002-09-10, 6:20 pm |
| quote: Originally posted by vschristopher
Can someone explain to me how to deny particular subnets in a network using TCP/IP access lists (non-Novell environment)? The method I learnt is too complex to remember.
access-list 1 deny 192.168.1.0 0.0.0.255
access-list 1 permit any
The above will deny 192.168.1.0/24 and permit everything else. Is this easier than your 'too complex' method? | |
| kris108 2002-09-11, 11:40 am |
| What dmaftei said.
Don't forget to apply it to an interface!
Remember standard access lists only deny source IPs/networks, not destination. If you wanted to block access from network a to network b, use extended ACLs. | |
| wolverard 2002-09-13, 12:46 am |
| Hi;
I think ACL is simple too..
To deny a particular subnet you must use wildcard masks. It's just like subnet masks but a bit different.
For example:
for a subnet 160.75.2.0/24
160.75.2.255/24
you can use a wildcard mask like: 0.0.0.255.
In a wildcard mask, bits which equal 0 mean CHECK and bits which equal 1 mean IGNORE. For this example wildcard mask
0.0.0.255 equals 00000000.00000000.00000000.11111111
so you see that you must check the 0's, which is for 160.75.2; that means you can deny any packet from the 160.75.2.x network.
To simplify that (I think you would be happy now ) just subtract 160.75.2.0 from 160.75.2.255, as you see
160.75.2.255 - 160.75.2.0 = 0.0.0.255 which is the wildcard mask of your network.
I hope everything is clear for you. If not you can mail me and I can explain it to you with more examples... | |
| pctekus 2002-09-13, 11:40 am |
| quote: Originally posted by wolverard
Hi;
I think ACL is simple too..
To simplify that (I think you would be happy now ) just subtract 160.75.2.0 from 160.75.2.255, as you see
160.75.2.255 - 160.75.2.0 = 0.0.0.255 which is the wildcard mask of your network.
I hope everything is clear for you. If not you can mail me and I can explain it to you with more examples...
One of the best explanations for wildcard masks I have read. Where did you get this example? The Cisco Press Companion Guide (2nd year) is nowhere near as clear as your example.
 | |
| vschristopher 2002-09-14, 12:44 am |
| Wow wolverard
it certainly is a good example, I will certainly study your method
chris | |
| edmonds_robert 2002-09-17, 3:56 pm |
| I will offer a couple of rules to remember when applying access lists.
First and, in my very humble opinion, most important: when adding to or modifying an access list, always remove it from the affected interface first (no access-group command). This is because every access list ends with a deny any statement. This could result in all traffic being denied to the interface. And if it is the interface you are connected to, bang, you're out of there.
Second, create your access list in Notepad, and go over it line by line (remembering the deny any at the end) before pasting it to your running configuration. This will save you a lot of time running (or even worse, driving) to a router with your laptop in hand to bring back up a network that you just brought down.
Finally, test the effects of access lists. Make sure that the traffic you want to pass is passed and the traffic you want to block is blocked. Nothing more, nothing less.
By the way, that explanation on wildcard masks rocks. Best job I've seen explaining it. Good Job! | |
| dmaftei 2002-09-17, 6:27 pm |
| quote: Originally posted by wolverard
...
Excellent explanation, but let me nit-pick (hope you don't mind):
1. You want to deny subnet 192.168.1.0/26 (that's 192.168.1.0 through 192.168.1.63). How do you get the wildcard mask?
2. You want to deny all hosts that have odd addresses in 192.168.1.0 (that is, 192.168.1.1, 192.168.1.3, 192.168.1.5, etc). How do you get the wildcard mask?
Enjoy! | |
| edmonds_robert 2002-09-17, 8:06 pm |
| I'm going to take a stab at answering this question, and if I'm wrong, wolverard can correct me. (I get the impression this is more of a quiz than a question.)
1. You subtract the subnet mask of 255.255.255.192 from 255.255.255.255 and you are left with 63. So the resulting wildcard mask is 0.0.0.63.
2. I don't know how the heck you would accomplish this. Since the 0's and 1's in masks represent what must match or can be ignored, I think you would be left creating a separate entry for each IP address with the wildcard mask of 0.0.0.0. And for the record, why the heck would you even think about doing this? | |
| dmaftei 2002-09-17, 8:29 pm |
| quote: Originally posted by edmonds_robert
(I get the impression this is more of a quiz than a question.)
That is correct.
quote: 2.
...
And for the record, why the heck would you even think about doing this?
I heard some administrators use this kind of numbering scheme to differentiate between servers and workstations on their subnets. However, I think the real purpose of this problem is to test the full understanding of ACLs - in particular the wildcards. That is because wildcards do look like inverted masks most of the time, but they are not inverted masks. For instance:
- 255.255.255.253 is not a legal subnet mask
- 0.0.0.2 (the above "mask" inverted) is a legal wildcard
(BTW, the 255.255.255.255 - 255.255.255.253 = 0.0.0.2 trick still works, but you have to have the courage to think of 255.255.255.253 as a mask ) | |
| darthfeces 2002-09-17, 8:59 pm |
| ouch ... that's my head hurting
oh wait i get it now .... | |
| edmonds_robert 2002-09-18, 7:51 am |
| So does that mean that the answer to the second one is 0.0.0.2? That one I don't understand? How would it match the 1's and 0's to that? Hmmmmmmmm. | |
| wolverard 2002-09-19, 12:34 am |
| Hmm, I think being even or odd depends on the last bit of the subnet, so:
all subnet is 255.255.255.255 which is
11111111.11111111.11111111.11111111 AND
your subnet is 255.255.255.254 which is
11111111.11111111.11111111.11111110 so if the last bit is 0 your subnet is even, if it is 1 it is odd...
As you can see checking the last bit is enough, so your wildcard mask is
0.0.0.1. Here you can see both subnets are valid and the wildcard mask is:
255.255.255.255 - 255.255.255.254
which equals to 0.0.0.1
... | |
| edmonds_robert 2002-09-19, 11:32 am |
| That doesn't work. Take the following example.
access-list 10 permit 172.16.1.10 0.0.0.1
This basically equates to:
access-list 10 permit 172.16.1.10 255.255.255.254
This doesn't mean look for even or odd, it means look for numbers on that subnet.
The wildcard mask tells the router HOW MANY IP addresses to allow through, not whether they are even or odd.
In the preceding example, 172.16.1.10 and 172.16.10.11 will be allowed through. Check the following link for a pretty clear explanation on wildcard masks:
http://www.twpm.com/internet/ccna/wildcardmasks.htm | |
| edmonds_robert 2002-09-19, 11:38 am |
| To make my above statement even clearer, break both the IP address and the wildcard mask into binary.
The IP address 172.16.1.10
10101100.00010000.00000001.00001010
The wildcard mask 0.0.0.1
00000000.00000000.00000000.00000001
What the wildcard mask tells you is wherever there is a 0 (zero), the IP address must match EXACTLY for it to be processed by the access list. Where there is a 1 (one), it doesn't matter.
In this example, the only place there is a 1 is the very last bit in the 32 bit address. That means the first 31 bits must match the first 31 bits in the IP address 172.16.1.10.
So the last bit can either be a 1 or a 0, meaning the only two IP addresses that will match will be 172.16.255.10 and 172.16.255.11.
10101100.00010000.00000001.00001011
is 172.16.255.11 in binary. Notice the first 31 bits match, but the 32nd bit is now a 1, which is ignored by the wildcard mask. | |
| edmonds_robert 2002-09-19, 11:49 am |
| I know that I am now officially rambling, but here goes anyway. Remember that wildcard masks work the same way (except backwards) as subnet masks. Meaning, that you can't skip bits when creating your mask. For example, 0.0.0.2 is not a valid wildcard mask, while 0.0.0.3 is. Check out the binary again.
0.0.0.2 is
00000000.00000000.00000000.00000010
0.0.0.3 is
00000000.00000000.00000000.00000011
You must use 1's in every bit position starting with the far right, and continue to fill in 1's in every bit position working left. | |
| dmaftei 2002-09-19, 6:57 pm |
| quote: Originally posted by edmonds_robert
Meaning, that you can't skip bits when creating your mask. For example, 0.0.0.2 is not a valid wildcard mask
...
Yes, you can skip bits in your wildcard mask. That's the big difference between subnet masks, where you may not skip bits, and wildcard masks. (There are also differences in semantics, but that's another story). And 0.0.0.2 is a valid wildcard. For example:
access-list 1 permit 192.168.10.0 0.0.0.2
allows 192.168.10.0 and 192.168.10.2 and blocks everything else. Try it...
wolverard is right that the difference between odds and evens is given by the last bit in the address: 0 for evens, 1 for odds. So, when you want the odds in a class C subnet, you want to match the first three octets (that gives you 0.0.0. ), you don't care about the first seven bits in the fourth octet (gives you '1111111'), and you do want to match the last bit. So your wildcard will be:
00000000.00000000.00000000.11111110
which is 0.0.0.254. Now, 0.0.0.254 is 255.255.255.1 inverted, and, to the best of my knowledge, 255.255.255.1 is not a valid subnet mask...
To finish your access list you need to choose the address:
192.168.1.0 0.0.0.254 to permit/deny evens
192.168.1.1 0.0.0.254 to permit/deny odds
Finally, let me quote from edmonds_robert's excellent link:
quote: For those that might challenge the above, remember this is the CCNA level.
We have to understand the concepts before we can get fancy.
And yes it does get a little fancier. You will probably not get tested for that
until you do CCIE or CCNP security specialist.
So, keep things in perspective...  | |
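The thread's examples all reduce to one check per ACL entry: AND the candidate address and the entry's address with the inverted wildcard and compare. The Python below is an added example, not the thread's or Cisco's code; it simulates a standard ACL (first match wins, implicit deny at the end, as edmonds_robert notes) so wolverard's subtraction rule, dmaftei's /26 and odd/even quiz answers, and the 0.0.0.2 non-contiguous wildcard can all be checked without a router. Function names and the sample addresses are my own choices.

```python
# Added example (not from the thread): simulate how a Cisco-style standard ACL
# applies a wildcard mask. Entries and addresses below are constructed samples.
from typing import List, Tuple

ACL_ENTRY = Tuple[str, str, str]          # (action, base_address, wildcard)


def ip_to_int(addr: str) -> int:
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def wildcard_for_prefix(prefix_len: int) -> str:
    """Wildcard for a contiguous /N subnet: 0.0.0.255 for /24, 0.0.0.63 for /26.

    This is wolverard's subtraction rule (broadcast minus network) done in binary:
    the host bits are all 1 (ignore), the network bits all 0 (check).
    """
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    return int_to_ip((1 << (32 - prefix_len)) - 1)


def matches(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 0 = 'must match', bit 1 = 'ignore'. Bits need not be contiguous."""
    check = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & check) == (ip_to_int(base) & check)


def evaluate(acl: List[ACL_ENTRY], addr: str) -> str:
    """First matching entry wins; an address matching nothing hits the implicit deny."""
    for action, base, wildcard in acl:
        if matches(addr, base, wildcard):
            return action
    return "deny"                          # the implicit 'deny any' at the end of every ACL


def matching_hosts(base: str, wildcard: str, low: str, high: str) -> List[str]:
    """List the addresses in [low, high] an entry would match (small ranges only)."""
    return [int_to_ip(n) for n in range(ip_to_int(low), ip_to_int(high) + 1)
            if matches(int_to_ip(n), base, wildcard)]


if __name__ == "__main__":
    # dmaftei's original answer: deny 192.168.1.0/24, permit everything else
    acl = [("deny", "192.168.1.0", "0.0.0.255"),
           ("permit", "0.0.0.0", "255.255.255.255")]     # 'permit any'
    print(evaluate(acl, "192.168.1.77"))                  # deny
    print(evaluate(acl, "10.0.0.5"))                      # permit
    print(wildcard_for_prefix(26))                        # 0.0.0.63
    print(matching_hosts("192.168.10.0", "0.0.0.2", "192.168.10.0", "192.168.10.7"))
    print(matching_hosts("192.168.1.1", "0.0.0.254", "192.168.1.0", "192.168.1.9"))
```

Note that `matches` never requires the wildcard's 1-bits to be contiguous, which is exactly why 0.0.0.2 and 0.0.0.254 work as wildcards even though their inversions are not legal subnet masks. Running the list through `evaluate` before pasting it into a live configuration is the offline equivalent of the "test the effects of access lists" advice earlier in the thread.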
| Big thanks to all the contributors on this thread.
I knew how to calculate 'straightforward' wildcard masks, but never really understood how and why they work.
Now I do, and furthermore I now understand better how this is implemented in routing topics, address summarization and area-range - fundamentals of OSPF routing in my CCNP studies.
Hippo
 | |
| edmonds_robert 2002-09-19, 9:20 pm |
| I sit corrected and humbled. I thought I had a pretty firm grasp on wildcard masks. I found a wildcard mask calculator (FREE, my favorite word) at the following link, and it supports dmaftei's example. Thanks for the correction.
http://www.networkingfiles.com/Network/bosonipcalc.htm |