04-25-2012 04:42 AM - edited 03-07-2019 06:20 AM
Okay....I've been avoiding this post like the plague, but I still don't think that I have a real good grasp on this so here it goes:
Let's say that I want to allow 192.168.16.52 and 192.168.19.56 networks access to telnet. There are networks 192.168.3.0 - 15.0 in between. Aside from allowing the 2 subnets specifically, I want to create a mask that allows the 2 only.
192.168.16.52
192.168.19.56
16 = 3rd octet = 00010000
19 = 3rd octet = 00010011
52 = 00110100
56 = 00111000
So, my acl would look like:
access-list permit tcp 192.168.16.0 0.0.15.?
I've found extreme examples from INE that state to AND the 2 addresses and then XOR for the mask:
So:
192.168.16.0 0.0.15.12? Does that look correct?
Any examples would help...
Thanks!
John
04-25-2012 05:12 AM
Hi John,
The wildcard rule is: 0 - network bit exact match, and 1 - any bit (0/1).
So in your case: the first 2 octets must match.
192.168.16.52 = 192. 168 + 0001 0000 . 0011 0100
192.168.19.56 = 192. 168 + 0001 0011 . 0011 1000
wildcard last 2 octets 0000 0011 . 0000 1100 = 0.0.3.12
network 192.168.16.48
result 192.168.16.48 0.0.3.12
On the network you will use the bits that match.
On the wildcard, the bits that match have to be 0 (exact match), and the ones that don't match can be either 0 or 1 (1 means any bit).
I hope it helps.
Dan
04-25-2012 06:59 AM
Thanks Dan...
In doing these like this, do you always have to AND the 2 networks together before doing the mask?
04-25-2012 01:48 PM
Yes. The reason to add the binary version of the IP hosts together is to compare the bits value.
In your example it was obvious that the 1st and 2nd octet matched. That's why we only compared the 3rd and 4th octet.
Let's take another example :
10.1.15.7
10.1.8.5
10.1.10.4
As in the previous example, the first two octets match, so they will be as they are on the network (10.1) and the wildcard will be 0.0. Why? Because we want an exact match; remember, if you set a bit to 0 on the wildcard the bit on the network must match, and if you set the wildcard bit to 1 the network bit can be anything (0 or 1).
15 + 7 = 0000 1111 + 0000 0111
8 + 5 = 0000 1000 + 0000 0101
10 + 4 = 0000 1010 + 0000 0100
network = 0000 1000 + 0000 0100 = 8 + 4
wildcard = 0000 0111 + 0000 0011 = 7 + 3
Result 10.1.8.4 0.0.7.3
Regards
Dan
04-25-2012 02:20 PM
Okay, just so I verify I understand this:
192.168.20.15
192.168.21.30
192.168.23.52
192.168.x.x
20 & 15 = 00010100 . 00001111
21 & 30 = 00010101 . 00011110
23 & 52 = 00010111 . 00110100
00010100 . 00000100
00000011 . 00111011
192.168.20.4 0.0.3.59
Does that look right? The other question that I had is when you do this, does it really guarantee only these 3 hosts will get through? Or, does this type of mask still allow other hosts in (like too large of a summary)?
04-25-2012 02:36 PM
Yes, you got it right.
To be sincere with you, I have not seen this kind of ACL in production environments, mainly because in real life there is no restriction to use just one ACL line when filtering.
To answer your question: no, it will not match only those hosts.
Regards
Dan
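The AND/XOR procedure Dan walks through above, and his answer that the resulting line admits more than the listed hosts, as an added Python example that is not part of the thread and not anything Cisco publishes. `summarize()` ANDs the hosts for the network part and ORs the per-host differences for the wildcard, `matches()` applies the wildcard the way an ACL does (wildcard bit 1 = don't care), and `admitted_addresses()` enumerates every address the single line lets through, so you can see how far the summary over-matches. The sample host lists are the ones from the thread; the `access-list 101 ... eq telnet` rendering in `acl_line()` is an assumed format, not something the thread specifies.

```python
# Added example, not from the thread: compute a Cisco-style "network wildcard"
# pair from a list of hosts and measure how much that one ACL line over-matches.
import ipaddress
from functools import reduce


def _to_int(addr):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def _to_str(value):
    """32-bit integer -> dotted-quad string."""
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


def summarize(hosts):
    """Return (network, wildcard) covering every host in the list.

    network  = AND of all hosts: a 1 only where every host has a 1
    wildcard = OR of (host XOR network): a 1 wherever any host differs
    For exactly two hosts this is the AND / XOR rule from the thread;
    for more hosts the OR collects every position that differs anywhere.
    """
    ints = [_to_int(h) for h in hosts]
    common = reduce(lambda a, b: a & b, ints)
    differ = reduce(lambda a, b: a | b, (v ^ common for v in ints))
    return _to_str(common), _to_str(differ)


def matches(addr, network, wildcard):
    """True if 'addr' is permitted by 'network wildcard' (wildcard bit 1 = any)."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF          # bits that must match exactly
    return (_to_int(addr) & care) == (_to_int(network) & care)


def admitted_addresses(network, wildcard):
    """Every address the line admits: 2 ** popcount(wildcard) of them."""
    base = _to_int(network) & ~_to_int(wildcard) & 0xFFFFFFFF
    free_bits = [i for i in range(32) if (_to_int(wildcard) >> i) & 1]
    out = []
    for k in range(1 << len(free_bits)):
        v = base
        for j, bit in enumerate(free_bits):
            if (k >> j) & 1:
                v |= 1 << bit
        out.append(_to_str(v))
    return out


def acl_line(hosts):
    """Assumed rendering of the summary as one ACL line (format is hypothetical)."""
    net, wc = summarize(hosts)
    return f"access-list 101 permit tcp {net} {wc} any eq telnet"


if __name__ == "__main__":
    # Host lists taken from the thread's three worked examples.
    for hosts in (["192.168.16.52", "192.168.19.56"],
                  ["10.1.15.7", "10.1.8.5", "10.1.10.4"],
                  ["192.168.20.15", "192.168.21.30", "192.168.23.52"]):
        net, wc = summarize(hosts)
        admitted = admitted_addresses(net, wc)
        extra = [a for a in admitted if a not in hosts]
        print(acl_line(hosts))
        print(f"  wanted {len(hosts)} hosts, line admits {len(admitted)}; "
              f"first unintended: {extra[0]}")
```

Running it reproduces the three results from the thread (192.168.16.48 0.0.3.12, 10.1.8.4 0.0.7.3, 192.168.20.4 0.0.3.59) and shows the cost: those lines admit 16, 32 and 128 addresses respectively, which is the "too large of a summary" effect John asked about. Every wildcard bit set to 1 doubles the admitted range, so a single-line summary of scattered hosts is worth auditing this way before it goes into a filter.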