Unit 5: Access Control Lists 5.1 Access Control Lists Wildcard Masks

>> Let's take a look at what a standard ACL looks like.
First, the keyword access-list followed by a number.
Standard ACLs are uniquely identified by a number in the 1 to 99 range.
Then comes either the word permit or deny based on what you're trying to do with the packet.
Following that is the source IP address,
which as we mentioned earlier could be a device's 32-bit IPv4 address,
a major classful network designation, or a specific subnet.
The last parameter in a standard ACL is something called a wildcard mask,
and that needs to be explained.
First off, wildcard mask sounds a lot like subnet mask.
Like a subnet mask, the wildcard mask is a 32-bit value written in dotted decimal notation,
but that's where the similarities end.
The purpose of a subnet mask is to identify which bits in an IP address
are network bits and which bits are host bits.
The purpose of a wildcard mask is to tell the stateless packet filter
which bits to check in an ACL statement.
Let's start off simple using the following IP address
and wildcard mask combination, 129.21.0.0 0.0.255.255.
A 0 bit in the wildcard mask tells the router to check the corresponding bit in the IP address.
A 1 bit in the wildcard mask tells the router to ignore the corresponding bit in the IP address.
So this IP address and wildcard mask combination of 129.21.0.0
0.0.255.255 tells the router implementing the ACL
that if the first 16 bits follow the above pattern, it's a match.
And I don't care about the last 16 bits.
So any packet with a source IP address of 129.21 will match this ACL instruction
which could either be a permit or deny statement.
If it's a permit statement, packets
with the source IP address starting off with 129.21 will be led through.
If it's a deny statement, packets with a source IP address starting
with 129.21 will be filtered, denied, dropped.
What about this one?
129.21.10.0 0.0.0.255.
Now the first 24 bits of the source IP address have to match for this ACL statement to match.
This is one of the many subnets used at RIT made
from the original classful network of 129.21.0.0/16.
To permit or deny a specific host, the wildcard mask will have all 0s as seen here.
A wildcard mask of all 0s means check all 32 bits in the IP address.
They must match for the statement to match.
Wildcard Masks Part Two

>> Unlike a subnet mask which always has a string of 1s at the beginning followed
by a string of 0s at the end, a wildcard mask can follow any pattern of 1s and 0s.
Consider this example.
What do you think this IP address wildcard mask combination does?
The first 0 in the wildcard mask means the first octet
of the source IP address in the packet must match 129.
The second 0 in the wildcard mask means that the second octet
of the source IP address in the packet must match 21.
The 255 at the end of the wildcard mask means
that the last octet can be anything, we don't care about it.
It's not checked.
The 254 in the wildcard mask's third octet is represented
in binary by seven 1s followed by one 0.
The seven 1s mean don't check those corresponding bits in the IP address.
The 0 on the far right bit of the octet
which is the one's column means check the corresponding bit in the IP address.
Since there is a 1 in the IP address position, that means in order for a packet
to match the statement, the third octet has to have a 1 in the one's column.
We don't care about the other 7 bits in the third octet.
What this IP address wildcard mask combination does is match all odd numbered subnets at RIT.
The only way to make an odd numbered binary is putting a 1 in the one's column.
The strategy for something like this is simple.
The fewer lines an ACL has, the more efficient inbound and outbound traffic will be.
Let's say we want to deny student traffic from entering faculty networks.
Let's also say that student traffic can originate from multiple subnets.
Instead of configuring statements to deny traffic from each and every one
of those networks, we can design the network infrastructure
so that student networks have an odd number in the third octet.
And we can write one simple ACL instruction which will deny all packets
that have an odd number in the third octet.
Another difference between subnet masks and wildcard masks, you might have noticed,
is that subnet masks use the digit 1 as the important bit corresponding
with a network bit in the IP address.
Wildcard masks, on the other hand, use a 0 as the important bit
which means check the corresponding bit in the IP address.
We call the 1s in a wildcard mask the don't care bits because the corresponding bits
in the IP address are simply ignored.

Reposted from: https://www.cnblogs.com/sec875/articles/10028614.html
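The bit checks described in both parts of the lecture above, as an added worked example that is not part of the original transcript or its source: a small Python model of how a standard ACL applies a wildcard mask to a packet's source address. The odd-subnet statement is written out as 129.21.1.0 with mask 0.0.254.255 (the lecture describes that mask but does not print the address), the sample packet addresses and the two-line ACL are constructed for illustration, and the first-match-wins evaluation with an implicit deny at the end is Cisco IOS behaviour assumed here, not something the lecture covers.

```python
import ipaddress


def _to_int(dotted: str) -> int:
    """Parse dotted-decimal notation into a 32-bit integer (works for masks too)."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(packet_src: str, acl_addr: str, wildcard: str) -> bool:
    """Return True if packet_src matches acl_addr under the wildcard mask.

    A 0 bit in the wildcard mask means "check this bit", a 1 bit means
    "don't care".  Inverting the mask gives the set of bits that must agree.
    """
    care_bits = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(packet_src) & care_bits) == (_to_int(acl_addr) & care_bits)


def subnet_mask_to_wildcard(subnet_mask: str) -> str:
    """A wildcard mask for a contiguous prefix is the bitwise inverse of its subnet mask."""
    return str(ipaddress.IPv4Address(~_to_int(subnet_mask) & 0xFFFFFFFF))


def evaluate_standard_acl(acl, packet_src: str) -> str:
    """Walk the ACL top to bottom; the first matching statement decides.

    acl is a list of (action, address, wildcard) tuples.  If nothing matches,
    the packet is denied: this implicit deny-all at the end is an assumption
    based on Cisco IOS behaviour, not something stated in the lecture.
    """
    for action, addr, wildcard in acl:
        if wildcard_match(packet_src, addr, wildcard):
            return action
    return "deny"


# Constructed sample ACL modelled on the lecture's scenario: deny packets from
# odd-numbered third-octet (student) subnets, permit the rest of 129.21.0.0/16.
STUDENT_DENY_ACL = [
    ("deny", "129.21.1.0", "0.0.254.255"),    # third octet must be odd
    ("permit", "129.21.0.0", "0.0.255.255"),  # any other 129.21.x.x source
]


if __name__ == "__main__":
    # Constructed packet source addresses, one per case from the lecture.
    for src in ("129.21.37.9", "129.21.38.9", "129.21.10.200", "10.0.0.1"):
        print(src, "->", evaluate_standard_acl(STUDENT_DENY_ACL, src))
```

Running the block prints the decision for each constructed source address; 129.21.37.9 hits the odd-subnet deny line, 129.21.38.9 and 129.21.10.200 fall through to the permit line, and 10.0.0.1 matches nothing and is dropped by the implicit deny.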
