Monday, December 13, 2010

ACL Wildcard Masking CCSP Training Institute in Delhi/Gurgaon

Network Bulls
www.networkbulls.com
Best Institute for CCNA CCNP CCSP CCIP CCIE Training in India
M-44, Old Dlf, Sector-14 Gurgaon, Haryana, India
Call: +91-9654672192

 Address filtering occurs when you use ACL address wildcard masking to identify how to check or
ignore corresponding IP address bits. Wildcard masking for IP address bits uses the numbers 1 and
0 to identify how to treat the corresponding IP address bits, as follows:
■ Wildcard mask bit 0: Match the corresponding bit value in the address.
■ Wildcard mask bit 1: Do not check (ignore) the corresponding bit value in the address.
By carefully setting wildcard masks, you can permit or deny tests with one ACL statement. You
can select a single IP address or many IP addresses. Figure 6-9 illustrates how to check
corresponding address bits.
Figure 6-9 Wildcard Mask
NOTE A wildcard mask is sometimes referred to as an inverse mask.
Octet bit position and address value for bit: 128 64 32 16 8 4 2 1
Examples (one octet of the wildcard mask):
0 0 0 0 0 0 0 0  Match All Address Bits (Match All)
0 0 1 1 1 1 1 1  Ignore Last 6 Address Bits
0 0 0 0 1 1 1 1  Ignore Last 4 Address Bits
1 1 1 1 1 1 0 0  Match Last 2 Address Bits
1 1 1 1 1 1 1 1  Do Not Check Address (Ignore Bits in Octet)
220 Chapter 6: Managing Traffic with Access Control Lists
In Figure 6-10, an administrator wants to test a range of IP subnets that is to be permitted or
denied. Assume that the IP address is a Class B address (the first two octets are the network
number), with 8 bits of subnetting. (The third octet is for subnets.) The administrator wants to use
the IP wildcard masking bits to match subnets 172.30.16.0/24 to 172.30.31.0/24.
Figure 6-10 Masking a Range of Addresses
To use one ACL statement to match this range of subnets, use the IP address 172.30.16.0 in the
ACL, which is the first subnet to be matched, followed by the required wildcard mask.
The wildcard mask matches the first two octets (172.30) of the IP address using corresponding 0
bits in the first two octets of the wildcard mask.
Because there is no interest in an individual host, the wildcard mask ignores the final octet by using
corresponding 1 bits in the wildcard mask; that is, the final octet of the wildcard mask is 255 in
decimal (binary 11111111).
In the third octet, where the subnet address occurs, the wildcard mask of decimal 15, or binary
00001111, matches the high-order 4 bits of the IP address. In this case, the wildcard mask matches
subnets starting with the 172.30.16.0/24 subnet. For the final (low-end) 4 bits in this octet, the
wildcard mask indicates that the bits can be ignored. In these positions, the address value can be
binary 0 or binary 1. Thus, the wildcard mask matches subnets 16, 17, 18, and so on up to subnet
31. The wildcard mask does not match any other subnet.
In the example, the address 172.30.16.0 with the wildcard mask 0.0.15.255 matches subnets
172.30.16.0/24 to 172.30.31.0/24.
NOTE Wildcard masking for ACLs operates differently from an IP subnet mask. A “0” in a
bit position of the ACL mask indicates that the corresponding bit in the address must be matched.
A “1” in a bit position of the ACL mask indicates that the corresponding bit in the address is not
interesting and can be ignored.
Figure 6-10 detail: third octet of the address and wildcard mask
Network.Host address: 172.30.16.0
Address third octet:        0 0 0 1 0 0 0 0
Wildcard mask third octet:  0 0 0 0 1 1 1 1   (0 = Match, 1 = Don't Care)
Subnets matched (third octet in binary = decimal):
0 0 0 1 0 0 0 0 = 16
0 0 0 1 0 0 0 1 = 17
0 0 0 1 0 0 1 0 = 18
:
0 0 0 1 1 1 1 1 = 31
In some cases, you must use more than one ACL statement to match a range of subnets; for
example, to match 10.1.4.0/24 to 10.1.8.0/24, use 10.1.4.0 0.0.3.255 and 10.1.8.0 0.0.0.255.
The 0 and 1 bits in an ACL wildcard mask cause the ACL to either match or ignore the
corresponding bit in the IP address. Working with decimal representations of binary wildcard
mask bits can be tedious. For the most common uses of wildcard masking, you can use
abbreviations. These abbreviations reduce how many numbers you are required to enter while
configuring address test conditions. Figure 6-11 shows the wildcard masks used to match a
specific host or to match all (any) host.
Figure 6-11 Special Case Wildcard Masks
Instead of entering 172.30.16.29 0.0.0.0, you can use the string host 172.30.16.29. Using the
abbreviation host communicates the same test condition to the Cisco IOS ACL Software.
Instead of entering 0.0.0.0 255.255.255.255, you can use the word any by itself as the keyword.
Using the abbreviation any communicates the same test condition to the Cisco IOS ACL Software.
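The following Python is an added example (not from the original post or from Cisco) that reproduces the wildcard-mask test described above, computes the ACL statements needed to cover a range of /24 subnets (one statement for 172.30.16.0/24 to 172.30.31.0/24, two for 10.1.4.0/24 to 10.1.8.0/24), and renders the host/any abbreviations. It goes slightly beyond the figures in that the matcher also handles non-contiguous wildcard bits, which a subnet mask cannot express; the function names are the author's own.

```python
import ipaddress
from typing import List, Tuple


def wildcard_matches(test_ip: str, acl_addr: str, wildcard: str) -> bool:
    """ACL address test: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    ip = int(ipaddress.IPv4Address(test_ip))
    base = int(ipaddress.IPv4Address(acl_addr))
    ignore = int(ipaddress.IPv4Address(wildcard))
    care = ~ignore & 0xFFFFFFFF        # the bit positions the router actually compares
    return (ip & care) == (base & care)


def subnet_range_entries(first_subnet: str, last_subnet: str) -> List[Tuple[str, str]]:
    """Smallest set of (address, wildcard) pairs covering every address from the first
    /24 subnet through the last one inclusive. Each pair is one ACL statement; a range
    that is aligned on a power of two collapses to a single statement."""
    first = ipaddress.IPv4Network(first_subnet)
    last = ipaddress.IPv4Network(last_subnet)
    blocks = ipaddress.summarize_address_range(first.network_address,
                                               last.broadcast_address)
    # hostmask is the bitwise inverse of the subnet mask, i.e. exactly the ACL wildcard
    return [(str(b.network_address), str(b.hostmask)) for b in blocks]


def ios_address_spec(acl_addr: str, wildcard: str) -> str:
    """Render the pair the way it is typed in IOS, using the host/any abbreviations."""
    if wildcard == "0.0.0.0":
        return f"host {acl_addr}"
    if acl_addr == "0.0.0.0" and wildcard == "255.255.255.255":
        return "any"
    return f"{acl_addr} {wildcard}"


if __name__ == "__main__":
    # Constructed sample inputs taken from the figures above
    for ip in ("172.30.16.1", "172.30.31.254", "172.30.32.1"):
        print(ip, wildcard_matches(ip, "172.30.16.0", "0.0.15.255"))
    for rng in (("172.30.16.0/24", "172.30.31.0/24"), ("10.1.4.0/24", "10.1.8.0/24")):
        print(rng, [ios_address_spec(a, w) for a, w in subnet_range_entries(*rng)])
    # Non-contiguous wildcard: 0.0.0.254 keeps only the last bit, so it selects odd hosts
    print(wildcard_matches("10.0.0.7", "10.0.0.1", "0.0.0.254"))
```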
Summary of ACL Operations
The following summarizes the key points that were discussed in this section:
■ ACLs can be used for IP packet filtering or to identify traffic to assign it special handling.
■ ACLs perform top-down processing and can be configured for incoming or outgoing traffic.
■ You can create an ACL using a named or numbered ACL. Named or numbered ACLs can be
configured as standard or extended ACLs, which determines what they can filter.
■ Reflexive, dynamic, and time-based ACLs add more functionality to standard and extended
ACLs.
■ In a wildcard bit mask, a 0 bit means to match the corresponding address bit, and a 1 bit means
to ignore the corresponding address bit.
