Crazy wildcard tricks that they don’t teach you

Hi

ACL wildcards are usually used in their simplest form, e.g.

192.168.0.1 0.0.0.0  means only this address

192.168.0.0 0.0.0.3 means any address from .0 to .3

192.168.0.0 0.0.0.15 means any address from .0 to .15

192.168.200.64 0.0.0.31 means any address from .64 to .95

 

But how should we read a wildcard like 0.0.1.0, or 10.12.16.20, where the "don't care" bits are not a contiguous block at the low end?

Let’s say we have the following acl:

deny ip 172.20.0.1 0.6.0.0 any

A wildcard bit of 0 means "this bit must match the address in the ACL", a wildcard bit of 1 means "don't care". The second octet of the wildcard is 6, which is 00000110 in binary, so all bits in the second octet need to match with the exception of bits 6 and 7 (counting from the most significant bit as bit 1). Why those two? Bit 6 stands for the value 4, bit 7 stands for the value 2.

20 in binary is 00010100. The bits that don't need to match are bits 6 and 7, i.e. the 4 and the 2 positions, so the second octet can take any combination of those two bits on top of the fixed 00010000 (16):

so we could have four possible combinations:

00010000             = 16

00010010          = 18

00010100           = 20

00010110        =  22

 

So now we know that 172.20.0.1 0.6.0.0 would match 172.16.0.1, 172.18.0.1, 172.20.0.1, 172.22.0.1

This could be used to e.g. define odd numbers. An odd number has a 1 in the eighth (least significant) bit, so:

xxxxxxx1  = the last bit needs to match, the previous seven don't need to match

So while normally we define wildcards like 0.0.0.1 or 0.0.0.3 (low bits free, high bits fixed), in this example it is the opposite: the last bit is the one that must match and all the others are free, which gives a wildcard octet of 11111110 = 254.

If our task is to define a range from 172.16.0.0 – 172.31.255.255 but only odd addresses, we would have:

172.16.0.1 with the wildcard 0.15.255.254

The second octet 16 = 00010000 with wildcard 15 = 00001111 covers 16 through 31, the third octet is fully free, and the last octet 1 with wildcard 254 fixes only the lowest bit to 1, so every matched address is odd.
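To make the two tricks above reproducible, here is an added Python example (not from the original post, and not a Cisco tool) that implements the wildcard test a router performs, enumerates every address a discontiguous wildcard such as 0.6.0.0 covers, and checks the odd-address wildcard 0.15.255.254 against a few hand-picked addresses. The function names and the sample addresses are my own.

```python
import ipaddress


def to_int(ip: str) -> int:
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(ip))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco-style ACL test: wildcard bit 1 = don't care, 0 = must equal base.
    The address matches when every 'must match' bit is identical to base."""
    a, b, w = to_int(addr), to_int(base), to_int(wildcard)
    must_match = ~w & 0xFFFFFFFF          # invert within 32 bits
    return ((a ^ b) & must_match) == 0


def covered_count(wildcard: str) -> int:
    """Number of addresses a wildcard covers: 2 ** (number of set bits)."""
    return 1 << bin(to_int(wildcard)).count("1")


def matching_addresses(base: str, wildcard: str, max_bits: int = 16) -> list:
    """Enumerate every address covered by base/wildcard, lowest first.
    Works for discontiguous wildcards because only the set (free) bits
    of the wildcard are varied; the rest is copied from base.
    Refuses to expand more than 2**max_bits addresses."""
    b, w = to_int(base), to_int(wildcard)
    free_bits = [1 << i for i in range(32) if w & (1 << i)]   # ascending
    if len(free_bits) > max_bits:
        raise ValueError(f"wildcard covers 2**{len(free_bits)} addresses")
    fixed = b & ~w & 0xFFFFFFFF            # base with free bits cleared
    result = []
    for n in range(1 << len(free_bits)):
        value = fixed
        # bit i of the counter n drives the i-th lowest free bit, so
        # values come out in increasing order without sorting
        for i, bit in enumerate(free_bits):
            if n & (1 << i):
                value |= bit
        result.append(str(ipaddress.IPv4Address(value)))
    return result


if __name__ == "__main__":
    # the 0.6.0.0 example from the post: 172.16/18/20/22.0.1
    print(matching_addresses("172.20.0.1", "0.6.0.0"))
    # the odd-address example: 2**19 addresses, so test rather than expand
    for probe in ("172.16.0.1", "172.16.0.2", "172.31.255.255", "172.32.0.1"):
        print(probe, wildcard_match(probe, "172.16.0.1", "0.15.255.254"))
    print(covered_count("0.15.255.254"))
```

The test in `wildcard_match` is the same XOR-and-mask a router applies, so it is also the quickest way to sanity-check a clever wildcard before it goes into a production ACL: feed it the addresses you expect to be denied and the ones you expect to pass, because a discontiguous mask that is off by one bit silently covers a completely different set of hosts.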

 

I’ve even found a useful app for this!

http://leighfinch.net/cisco_wiki/index.php/Discontiguous_Wildcard_mask_Calculator
