Address filtering occurs when you use ACL address wildcard masking to identify how to check or ignore corresponding IP address bits. Wildcard masking for IP address bits uses the numbers 1 and 0 to identify how to treat the corresponding IP address bits, as follows:

■ Wildcard mask bit 0: Match the corresponding bit value in the address.
■ Wildcard mask bit 1: Do not check (ignore) the corresponding bit value in the address.

By carefully setting wildcard masks, you can permit or deny tests with one ACL statement. You can select a single IP address or many IP addresses.

NOTE A wildcard mask is sometimes referred to as an inverse mask.

Figure 6-9 illustrates how to check corresponding address bits.

[Figure 6-9: Octet bit position and address value for bit: 128 64 32 16 8 4 2 1; Do Not Check Address (Ignore Bits in Octet)]

NOTE Wildcard masking for ACLs operates differently from an IP subnet mask. A "0" in a bit position of the ACL mask indicates that the corresponding bit in the address must be matched. A "1" in a bit position of the ACL mask indicates that the corresponding bit in the address is not interesting and can be ignored.

In Figure 6-10, an administrator wants to test a range of IP subnets that is to be permitted or denied. Assume that the IP address is a Class B address (the first two octets are the network number), with 8 bits of subnetting. (The third octet is for subnets.) The administrator wants to use the IP wildcard masking bits to match subnets 172.30.16.0/24 to 172.30.31.0/24.

To use one ACL statement to match this range of subnets, use the IP address 172.30.16.0 in the ACL, which is the first subnet to be matched, followed by the required wildcard mask. The wildcard mask matches the first two octets (172.30) of the IP address using corresponding 0 bits in the first two octets of the wildcard mask. Because there is no interest in an individual host, the wildcard mask ignores the final octet by using the corresponding 1 bits in the wildcard mask. For example, the final octet of the wildcard mask is 255 in decimal.

In the third octet, where the subnet address occurs, the wildcard mask of decimal 15, or binary 00001111, matches the high-order 4 bits of the IP address. In this case, the wildcard mask matches subnets starting with the 172.30.16.0/24 subnet. For the final (low-end) 4 bits in this octet, the wildcard mask indicates that the bits can be ignored. In these positions, the address value can be binary 0 or binary 1. Thus, the wildcard mask matches subnet 16, 17, 18, and so on up to subnet 31. The wildcard mask does not match other subnets. The 0 and 1 bits in an ACL wildcard mask cause the ACL to either match or ignore the corresponding bit in the IP address.

Working with decimal representations of binary wildcard mask bits can be tedious. For the most common uses of wildcard masking, you can use abbreviations. These abbreviations reduce how many numbers you are required to enter while configuring address test conditions. Figure 6-11 shows the wildcard masks used to match a specific host or to match all (any) hosts. Using the abbreviation host communicates the same test condition to the Cisco IOS ACL Software. Instead of entering 0.0.0.0 255.255.255.255, you can use the word any by itself as the keyword. Using the abbreviation any communicates the same test condition to the Cisco IOS ACL Software.

For example, the IP address 11000000.10101000.01110100.11010010 (192.168.116.210) when combined with a subnet mask of 11111111. In this case, 192.168.116.1 through 192.168.116.254 can be used as host addresses. Similarly, if a subnet mask shows that 16 bits are used for the network portion of an IP address, then the remaining 16 bits can be used as the host portion. Subnet masks were also used to clump IP addresses into three distinct classes, each of which provided different-sized blocks of network addresses for organizations to use on their internal networks.
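A small Python model of the matching rule described above, added here for illustration (it is not Cisco's code and the function names are hypothetical): it applies the 0 = match / 1 = ignore rule bit by bit, expands the host and any keywords, and goes one step beyond the text by deriving the wildcard for the aligned 172.30.16.0 to 172.30.31.255 range and counting how many addresses a wildcard admits, which is the check worth running before trusting an ACE.

```python
"""Cisco-style ACL wildcard masking, modelled in Python (added example)."""
import ipaddress


def wildcard_match(candidate: str, ace_addr: str, wildcard: str) -> bool:
    """True if `candidate` matches the ACE written as `ace_addr wildcard`.

    Wildcard bit 0: the address bit must match.  Wildcard bit 1: ignore it.
    """
    c = int(ipaddress.IPv4Address(candidate))
    a = int(ipaddress.IPv4Address(ace_addr))
    w = int(ipaddress.IPv4Address(wildcard))
    # Bits set in the wildcard are cleared on both sides before comparing.
    return (c & ~w) == (a & ~w)


def expand_abbreviation(token: str, addr: str = "") -> tuple:
    """Translate the `host` and `any` keywords into an address/wildcard pair."""
    if token == "any":
        return "0.0.0.0", "255.255.255.255"  # every bit ignored
    if token == "host":
        if not addr:
            raise ValueError("host keyword requires an address")
        return addr, "0.0.0.0"  # every bit must match
    raise ValueError("unknown keyword: %r" % token)


def wildcard_for_range(first: str, last: str) -> tuple:
    """Smallest single address/wildcard pair covering first..last inclusive.

    Exact when the range is an aligned power-of-two block (as in the
    172.30.16.0/24 .. 172.30.31.0/24 case); otherwise it over-matches, so
    compare matched_count() against the intended range size.
    """
    f = int(ipaddress.IPv4Address(first))
    l = int(ipaddress.IPv4Address(last))
    diff = f ^ l
    # Every bit at or below the highest differing bit must be ignored (set to 1).
    w = (1 << diff.bit_length()) - 1
    return str(ipaddress.IPv4Address(f & ~w)), str(ipaddress.IPv4Address(w))


def matched_count(wildcard: str) -> int:
    """Number of addresses a wildcard admits: 2 ** (count of 1 bits)."""
    return 1 << bin(int(ipaddress.IPv4Address(wildcard))).count("1")


if __name__ == "__main__":
    print(wildcard_for_range("172.30.16.0", "172.30.31.255"))  # ('172.30.16.0', '0.0.15.255')
    print(wildcard_match("172.30.31.7", "172.30.16.0", "0.0.15.255"))  # True
    print(wildcard_match("172.30.32.1", "172.30.16.0", "0.0.15.255"))  # False
```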