5 Replies. Latest reply: Mar 13, 2018 1:19 PM by Jakub

    ACLs and w.c. mask

    Jakub

      Hello everybody in CLN,

       

      I'm not able to wrap my mind around the principle of the wildcard mask when it is used in an ACL. I got the fact that it is there to specify a range of IP addresses that should be permitted / denied, but in the case of some not very "clean" ranges the understanding eludes me.


      It seems pretty easy when I should permit a whole subnet. I'm using online videos for studying as well as the Official Cert Guide by Wendell Odom.

       

      On the video there is this example:

       

      Permit everything from 10.0.0.14 to 10.0.0.99; in order to achieve that the lecturer uses five rules:

      10.0.0.14   0.0.0.1

      10.0.0.16   0.0.0.15

      10.0.0.32   0.0.0.31

      10.0.0.64   0.0.0.31

      10.0.0.96   0.0.0.3

       

      I thought to myself that it is more than it needs to be - I could do it with something like this:

      10.0.0.14   0.0.0.63

      10.0.0.78   0.0.0.15

      10.0.0.94   0.0.0.3

      10.0.0.98   0.0.0.1

       

      The problem is - when I entered 10.0.0.14 0.0.0.63 (in order to permit range 10.0.0.14 - 10.0.0.77), the rule got corrected to:

      10.0.0.0   0.0.0.63 and the traffic is then permitted for 10.0.0.0 - 10.0.0.63

       

      I played with it quite a bit in the PKT and I don't know why exactly it behaves like that... Also the Official Cert Guide speaks about the address being changed by the router, but only if the w.c. mask has 255 in the octet.

       

      Can someone please explain it?

       

      Thanks a lot.

        • 1. Re: ACLs and w.c. mask
          Peter McKenzie

          Hi Jakub

          Your lecturer is making use of the "don't care" rule when creating the ACL.

          I imagine that you have 5 ACL statements:

          permit 10.0.0.14 0.0.0.1

          permit 10.0.0.16 0.0.0.15

          permit 10.0.0.32 0.0.0.31

          and so on.

          You need to go back to binary notation to see what is happening.

          In your first ACL statement the IP address is 10.0.0.14:

                                      00001010.0.0.00001110

          with mask 0.0.0.1:

                                      00000000.0.0.00000001

          Zero (0) in the mask is interpreted as "must match", so only

                                      00001010.0.0 in the first three octets gets through the ACL (10.0.0).

          HOWEVER, in the last octet we have zeroes and a one. 1 means "don't care",
          so the ACL allows

                                                            00001110

          AND

                                                            00001111

          so the first ACL statement allows IP addresses 10.0.0.14 AND 10.0.0.15.

          • 2. Re: ACLs and w.c. mask
            Juergen Ilse CCNA R&S

            For contiguous wildcard masks (where all digits behind the first "1" in the binary representation of the wildcard mask are also "1"), you may think of the wildcard mask as a "bitwise inverse of the netmask". For a netmask of 255.255.255.240, the corresponding wildcard mask is 0.0.0.15 (in the netmask, all but the last 4 bits are "1"; in the wildcard mask all but the last 4 bits are "0", so every bit that is "1" in the netmask is "0" in the wildcard mask). For non-contiguous wildcard masks, it seems to be more complicated, but it follows the same principle that Peter already explained: a specification of addresses consisting of an IP address and a wildcard mask will match all IP addresses that differ from the given IP address only in the bits that are "1" in the wildcard mask. If you have a wildcard mask of 0.0.48.0, there are only 2 bits with value "1" in the binary representation (which is 00000000.00000000.00011000.00000000): the 4th and 5th bit in the 3rd octet. All IP addresses that differ from the given IP address only in the 4th and 5th bit of the 3rd octet will be matched by the given IP address and that netmask; all IP addresses that differ in at least one other bit from the given IP address will not be matched.

            If you are sure about what IP addresses belong to a network given by an IP address and a netmask, you may find it less difficult for contiguous wildcard masks to invert the wildcard mask bit by bit and interpret the result as a netmask.

            • 3. Re: ACLs and w.c. mask
              Jakub

              Hi guys,

               

              Thanks a lot for your answers. Actually I got the w.c. mask, but I didn't get why the router "corrects" it to something different (like when I typed permit 10.0.0.14 0.0.0.63 for the range 10.0.0.14 - 10.0.0.77. I thought I would see this in the configuration, but instead there was a permit 10.0.0.0 0.0.0.63).

               

              If I got it right from your posts (and a little bit more digging), I'm not able to use a w.c. mask that would have a greater number of don't care bits than the presented IP address. For example, for:

              10.0.0.14 I'm able to use everything up to 0.0.0.7

              10.0.0.16 it is up to 0.0.0.15

               

              Is it right? It would correspond with the configuration on the router in the PKT:

              [attached image: ACL_prob.JPG]

               

              Basically by issuing a command "permit 10.0.0.14 0.0.0.15", I would tell the router to not care about last 4 bits in the last octet (therefore match everything that is made of these 4 bits) and that is why it changes it in the configuration to "permit 10.0.0.0   0.0.0.15" - because the .14 octet is made of the last 4 bits.

               

              Am I thinking about it correctly?

               

              Thanks a lot.

              • 4. Re: ACLs and w.c. mask
                Juergen Ilse CCNA R&S

                Jakub wrote:

                 

                Thanks a lot for your answers. Actually I got the w.c. mask, but I didn't get why the router "corrects" it to something different (like when I typed permit 10.0.0.14 0.0.0.63 for the range 10.0.0.14 - 10.0.0.77. I thought I would see this in the configuration, but instead there was a permit 10.0.0.0 0.0.0.63).

                ... and that is completely correct. Let us see why:

                10.0.0.14 in binary representation is 00001010.00000000.00000000.00001110, while the wildcard mask 0.0.0.63 in binary representation is 00000000.00000000.00000000.00111111. Let's now compare the bits in those values and determine which IP addresses differ only in those bits that are "1" in the wildcard mask:

                 

                00001010.00000000.00000000.00001110     (ip address)

                00000000.00000000.00000000.00111111     (wildcard mask)

                 

                As you can see here, the bits that are "1" in the wildcard mask are only the last 6 bits in the last octet, so any IP addresses that differ from 10.0.0.14 only in the last 6 bits will be matched by the combination of IP address 10.0.0.14 and wildcard mask 0.0.0.63. And those are the IP addresses which start with the 3 octet values 10.0.0 and have a value between 0 and 63 as the last octet (or in other words the subnet 10.0.0.0/26). You have to compare the IP address and wildcard mask bitwise to detect the range of IP addresses that will be matched, and not simply add the number of matched IP addresses to the given IP address and expect that the addresses between those values will be matched ... The reason why the router rewrites the IP address in this case from 10.0.0.14 to 10.0.0.0 is that the router will clear all bits in the IP address that are "1" in the wildcard mask (to get the lowest matching IP address) for readability (that will not change the matched IP address range, because only bits that "don't care" will be changed). You can't match the IP range from 10.0.0.14 to 10.0.0.77 with only one wildcard mask; you need several entries to achieve that.

                 

                And yes, you are right with your reason why the router changes the entry "permit 10.0.0.15 0.0.0.15"  to "permit 10.0.0.0 0.0.0.15".
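As an added example (not code from the thread), the following Python models the bit-by-bit matching rule from Peter's and Juergen's replies, the router's rewrite of "10.0.0.14 0.0.0.63" to "10.0.0.0 0.0.0.63", Juergen's non-contiguous mask 0.0.48.0, and checks which of the two entry lists from the original question really covers 10.0.0.14 - 10.0.0.99. The two entry lists are constructed from the question; all function names are my own.

```python
import ipaddress

# Constructed from the thread: the lecturer's five entries and Jakub's
# proposed four, each as (address, wildcard mask) pairs.
LECTURER_ACES = [("10.0.0.14", "0.0.0.1"), ("10.0.0.16", "0.0.0.15"),
                 ("10.0.0.32", "0.0.0.31"), ("10.0.0.64", "0.0.0.31"),
                 ("10.0.0.96", "0.0.0.3")]
JAKUB_ACES = [("10.0.0.14", "0.0.0.63"), ("10.0.0.78", "0.0.0.15"),
              ("10.0.0.94", "0.0.0.3"), ("10.0.0.98", "0.0.0.1")]

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def to_dotted(n):
    return str(ipaddress.IPv4Address(n))

def ace_matches(ace_ip, wildcard, candidate):
    """Match rule: candidate must agree with ace_ip on every bit that is 0 in the wildcard."""
    care = ~to_int(wildcard) & 0xFFFFFFFF      # 0 in wildcard = must match
    return (to_int(ace_ip) & care) == (to_int(candidate) & care)

def normalize(ace_ip, wildcard):
    """Mimic the router's rewrite: clear every don't-care bit, leaving the lowest match."""
    return to_dotted(to_int(ace_ip) & ~to_int(wildcard) & 0xFFFFFFFF)

def matched_hosts(ace_ip, wildcard):
    """Enumerate every address an entry matches, contiguous mask or not."""
    wc = to_int(wildcard)
    base = to_int(ace_ip) & ~wc & 0xFFFFFFFF
    free_bits = [1 << b for b in range(32) if wc >> b & 1]
    hosts = set()
    for combo in range(1 << len(free_bits)):   # every subset of the don't-care bits
        v = base
        for i, bit in enumerate(free_bits):
            if combo >> i & 1:
                v |= bit
        hosts.add(to_dotted(v))
    return hosts

def covered_last_octets(aces, prefix="10.0.0."):
    """Last-octet values within prefix that at least one entry permits."""
    return {i for i in range(256)
            if any(ace_matches(ip, wc, prefix + str(i)) for ip, wc in aces)}

if __name__ == "__main__":
    print(normalize("10.0.0.14", "0.0.0.63"))         # 10.0.0.0, as Packet Tracer showed
    print(sorted(covered_last_octets(LECTURER_ACES)))  # 14 .. 99
    print(sorted(covered_last_octets(JAKUB_ACES)))     # 0 .. 79, 92 .. 95, 98, 99
    print(sorted(matched_hosts("10.0.0.0", "0.0.48.0")))
```

Running it shows that the lecturer's five entries permit exactly .14 to .99, while the four-entry alternative permits .0 to .79, .92 to .95 and .98 to .99, because each entry is anchored at the address with its don't-care bits cleared, not at the typed address.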

                • 5. Re: ACLs and w.c. mask
                  Jakub

                  Thank you - that's exactly what I got from your posts and today's research.