Discussion in 'OT Technology' started by Kewlb, Aug 23, 2007.

1. ### KewlbActive Member

Joined:
Nov 21, 2002
Messages:
1,510
0

The way wildcard masks actually work is fairly simplistic. You compare an IP address to a wildcard mask to figure out the ip in question matches. A ‘0’ in a bit field position means the bit must be ‘on’ or match and a ‘1’ in a bit field position means we do not care if that particular bit is on or off.

Example #1 (Simplistic):
If want a wildcard mask to match only the host 192.168.15.10 the wildcard mask would be 0.0.0.0. Why might you ask? Well to get the answer of why we will break things down into their binary form.

11000000.10101000.00001111.00001010
00000000.00000000.00000000.00000000

If a 0 = match exactly and a 1 = we don’t care if this bit is on or off then the above can result in ONLY a match for 192.168.15.10. Let’s say we now want to match all hosts in the 192.168.15.0 network (0-255) then the wildcard mask would be 0.0.0.255

11000000.10101000.00001111.00001010
00000000.00000000.00000000.11111111

If a 0 = match exactly and a 1 = we don’t care then the above will match 192.168.15.0 – 192.168.15.255. Now, let us get just a tad bit more complicated with things. Please note that in the above example we are still matching against 192.168.15.10 – if we entered this in the form of an ACL into a Cisco router then the router would automatically change the address matched against the wildcard to 192.168.10.0.

What if we want to match only 192.168.15.10 and 192.168.15.11? If we break both IP addresses down into binary form we would see the following:

11000000.10101000.00001111.00001010 = 192.168.15.10
11000000.10101000.00001111.00001011 = 192.168.15.11

We can tell that there is only 1 bit of difference in these IP addresses, the very last bit in the last octet. Given this information we can deduct that if we match a wildcard against the IP 192.168.15.10 that we should care about every single bit but the last bit.

11000000.10101000.00001111.00001010
00000000.00000000.00000000.00000001

The above wildcard (0.0.0.1) results in a match for ONLY the IP addresses 192.168.15.10 and 192.168.15.11 since the only bit we do not care about is the last bit which is the ‘1’ position bit.

Example #2 (Semi-Simplistic):
I am going to use an example that you see quite a lot in different Cisco training books. Let’s say you want to block all odd numbered hosts on the 192.168.15.0 network. We will start by getting the binary form of some of the hosts on the network

11000000.10101000.00001111.00000000 = 192.168.15.0
11000000.10101000.00001111.00000001 = 192.168.15.1
11000000.10101000.00001111.00000010 = 192.168.15.2
11000000.10101000.00001111.00000011 = 192.168.15.3
11000000.10101000.00001111.00000100 = 192.168.15.4
11000000.10101000.00001111.00000101 = 192.168.15.5

You can start to see a repeating pattern in that all odd hosts will have the last bit set to ‘on’ thus if we compare 192.168.15.1 to wildcard mask 0.0.0.254 the result would be a match for every single odd host on the network, but none of the even hosts.

11000000.10101000.00001111.00000001
00000000.00000000.00000000.11111110

Example #3 (Medium ):
Now that you should have the hang of the basics I am going to present a rather complex problem, break it down into binary, and show you exactly how to solve it.

Problem: A customer has various web servers on his/her network that he/she wants to control access to. The customer wants to ensure that only the 10.0.0.0/8 private address range can access the following web servers:128.15.12.8 , 128.15.12.9 , 128.15.12.10 , 128.15.12.11
192.15.12.8 , 192.15.12.9 , 192.15.12.10 , 192.15.12.11
128.31.12.8 , 128.31.12.9 , 128.31.12.10 , 128.31.12.11
192.31.12.8 , 192.31.12.9 , 192.31.12.10 , 192.31.12.11

The customer has stated that he hates messy long access lists and requests that this be done in the smallest number of ACL lines possible. The way I usually approach something like this is take things octet by octet instead of trying to break down every single address all at once. The first thing we notice is that the first octet is either 128 or 192 or 10000000 and 11000000 in binary form. This means that there is only 1 bit of difference between the two so they can be easily matched. We can then move on the 2nd octet which is either 15 or 31 or 00001111 and 00011111 in binary form. There is also only 1 bit of difference between these two IP addresses which means they too can also be matched exactly to those two hosts. The 3rd octet is very simplistic in that they are all .12 which means we can do an exact match on this octet. The final octet has 4 hosts and is a bit tricky so let’s break it down into binary real quick:

00001000 = 8
00001001 = 9
00001010 = 10
00001011 = 11

Taking a look at this we can tell that the first 6 bits all match exactly; however the final 2 bits are different in each address. We are in luck though as we actually use all 4 combinations of this bit range which means we can ignore these final two bits since they can only equal 8,9,10,11 (00, 01, 10, 11) when combined with the rest of the octet. Given the information we have so far we can come up with the following wildcard mask: 64.16.0.3. When we compare 128.15.12.8 with wildcard mask 64.16.0.3 we see that we can only come up with the 16 networks defined above thus the final ACL would be:

Access-list 101 permit 10.0.0.0 0.255.255.255 128.15.12.8 64.16.0.3 eq 80

I hope this quick lesson proved useful to you. If you have any questions or comments simply post them in here.

2. ### deusexaetheraOT Supporter

Joined:
Jan 27, 2005
Messages:
19,696
1
Wow. That's some heavy NA/SA shit right there. All we usually get is "There was spyware in the pron I downloaded, how do I remove it without deleting the pron?"

3. ### KewlbActive Member

Joined:
Nov 21, 2002
Messages:
1,510
0
that is just basic. This is just material for a CCNA class Cisco had me teach for a DoD contractor that was about to redesign/replace their entire network with Cisco equipment.

I taught the class, the company purchased the equipment, and the company I work for still did not win the bid to do the actual install work

I also provide (free usually) mentoring for anyone going for their CCNA/CCNP/ R&S CCIE / Security CCIE

4. ### deusexaetheraOT Supporter

Joined:
Jan 27, 2005
Messages:
19,696
1
Yeah, when a company contracts with you to teach them how to set up their shit so it works right, instead of just teaching them how to use it once it's set up, they're not really looking to pay you to set it up for them.

5. ### KewlbActive Member

Joined:
Nov 21, 2002
Messages:
1,510
0
oh, they still paid a company to do the initial install. I was teaching them to maintain it.

6. ### JablesOT Supporter

Joined:
Jul 27, 2007
Messages:
6
0
This was by far the hardest part of the CCNA for me. Cisco switched it from Semester 3 to Semester 2, so I was stuck learning it from the bridge.

Joined:
Nov 21, 2002
Messages:
1,510