Wildcards Masks

Download Report

Transcript Wildcards Masks

Access Control Lists
and
Wildcard Masks
Cisco Semester 2
Access Lists
• Lists of conditions that control access both
to and from network segments
• Can cause the router to analyze every
packet crossing an interface in the specified
direction and take action accordingly
1- 2
Rules a packet follows when
it’s being compared with an
ACL
• Always compared with each line of the
ACL in sequential order (line 1, 2, 3…)
• Compared only till a match is made
• There is an implicit “deny” at the end of
each ACL
– If a packet does not match up to any lines in the
ACL, it’ll be discarded
1- 3
Standard ACLs
• Use only the source IP address in an IP packet
• Permits or denies an entire suit of protocols
• You create a standard IP ACL by using the access
list numbers 1-99
• Example:
• RouterA(config)# access-list 10 deny host 172.16.30.2
Or
• RouterA(config)# access-list 10 deny 172.16.30.2
1- 4
ACL guidelines
• You can only assign one ACL per interface, per
protocol, or per direction
– (only one inbound ACL and one outbound ACL per interface)
• Organize your access lists so that the more
specific tests are at the top of the access list
• Anytime a new list is added to the ACL, it will be
placed at the bottom of the list
• You cannot remove one line from an ACL.
– If you try it, it will remove the entire list. The only
exception is when using named ACLs
1- 5
ACL guidelines (cont.)
• Unless your ACL ends with a permit any
command, all packets will be discarded if
they do not meet any of the lists’ tests
– Every list should have at least one permit
statement, or you might as well shut the
interface down.
• Create access lists and then apply them to
an interface.
1- 6
ACL guidelines (cont.)
• Access lists are designed to filter traffic
going through the router.
– They will not filter traffic originated from the
router
• Place IP standard access lists as close to the
destination as possible
• Place IP extended access lists as close to the
source as possible
1- 7
Wildcards Masks
• Wildcards are used with the host or network
address to tell the router a range of available
address to filter
– To specify a host – 172.16.30.5 0.0.0.0
(the four zeros represent each octet of the
address).
Whenever a zero is present, it means that octet in
the address must match exactly.
1- 8
Wildcards Masks
• To specify that an octet can be any value,
the value of 255 is used
– 172.16.30.0 0.0.0.255
• This tells the router to match up the first 3 octets
exactly, but the 4th octet can be any value
1- 9
The “Wildcard Mask”
Explained
–The “wildcard mask” has no functional
relationship with the subnet mask.
–However, in many cases the subnet mask can
be used to derive the wildcard mask.
•For example, you want to filter traffic from all hosts
on the 192.168.1.0/24 subnet.
–The subnet mask is 255.255.255.0
–To find the wildcard mask, take the inverse of the subnet
mask.
–The wildcard mask is 0.0.0.255.
1- 10
Example of source-wildcard
• In our example, we use all
“1s” in the last octet of the
wildcard mask for each
source-prefix.
–The subnet mask for each
LAN has all “0s” in the last
octet.
• A “1” means ignore this
bit position in the packet’s
source IP address.
1- 11
The “Wildcard Mask” at the
Bit Level
• The router reads the source IP address of a packet.
–For each bit position, the router checks the wildcard
mask.
•If “0”, the router checks the bit value of the Source IP address
with the bit value of the Source Prefix for a “Match”.
•If “1”, the router ignores that bit position.
1- 12
The Last ACL Statement:
“Deny Any”
• The last statement in
all ACLs is an implied
“deny any”.
• If a packet does not
match any statements
in the ACL, it is
denied.
1- 13
Apply the ACL
• An ACL cannot filter traffic until it has been
applied to an interface.
–This is a security feature of the IOS.
•You can safely write ACL statements without having
the statements take an immediate affect on traffic.
• The command syntax is the same for both
Standard and Extended IP ACLs.
1- 14
Syntax for Applying IP ACLs
router(config-if)#ip access-group {access-listnumber|name} {in|out}
• ACLs are applied to an interface.
• The access-list-number argument refers
to the ACL written in global configuration.
–Use the name argument to apply a named ACL.
• The {in|out} argument specifies what
direction the ACL should be applied.
–Specifying in means “filter inbound packets”.
–Specifying out means “filter outbound packets”.
1- 15
Don’t Forget the ip Part of the
Command!
• A common error
is to forget the
ip portion of the
ip accessgroup
command.
• Remember:
routers are
capable of
routing multiple
routed protocols.
1- 16
Incorrect Placement of a Standard ACL
• Standard ACLs do
not have a destination
argument.
–Therefore, you place
standard ACLs as close to
the destination as possible.
• To see why, ask
yourself what would
happen to all IP
traffic from RTA’s
LAN if the ACL was
applied as shown?
1- 17
Correct Placement of a Standard
ACL
• In our example, we
want to permit all
LANs access to the
Internet.
• Therefore, we will
apply the ACL to
RTA’s E1 interface
and specify “out” as
the direction.
1- 18
Overriding the Implied “Deny Any”
• Remember: The last
statement the router will
apply is a implicit “deny
any”.
• What if you want to write
an ACL meant to deny
specific types of traffic and
permit everything else?
• Example:
–Deny RTB and RTC
LANs access to RTA’s
LAN, but allow all other
1- 19
traffic.
Writing a “permit any” Statement
• First, deny traffic from
the two LANs.
• Second, permit all other
traffic.
–0.0.0.0 means “any
source address”.
–255.255.255.255
means “ignore all bit
positions”.
• Third, apply the ACL to
filter traffic going “out”
E0.
1- 20
Substituting 0.0.0.0 255.255.255.255
• Instead of typing…
– permit 0.0.0.0
255.255.255.255
• Type…
– permit any
1- 21
Filtering Traffic From a
Single Host
• What if a particular user is abusing Internet
privileges?
–How would you deny that host’s IP address, yet
still permit everyone else?
–Remember: A wildcard mask tells the router
what bits to check.
1- 22
Writing a “host” Statement
• Example:
–Deny 192.168.5.65.
–Source prefix is the
source IP address.
–Wildcard mask is “all
0s”, meaning check
every bit position.
• Why is the deny
statement listed first?
1- 23
Substituting the Host Wildcard, 0.0.0.0
• Instead of typing…
–
deny
192.168.5.65
0.0.0.0
• Type…
–
deny
host
192.168.5.65
• Notice the host
keyword comes before
the source prefix.
1- 24
Masking Practice
– Write an ip mask and wildcard mask to check
for all hosts on the network: 192.5.5.0
255.255.255.0
– Answer: 192.5.5.0 0.0.0.255
• Notice that this wildcard mask is a mirror image of
the default subnet mask for a Class C address.
• WARNING: This is a helpful rule only when
looking at whole networks or subnets.
1- 25
Masking Practice
– Write an ip mask and wildcard mask to check for all
hosts in the subnet: 192.5.5.32 255.255.255.224
• ANSWER: 192.5.5.32 0.0.0.31
• 0.0.0.31 is the mirror image of 255.255.255.224
• Let’s look at both in binary:
– 11111111.11111111.11111111.11100000 (255.255.255.224)
– 00000000.00000000.00000000.00011111 (0.0.0.31)
• To prove this wildcard mask will work, let’s look at a host
address within the .32 subnet--192.5.5.55
1- 26
– 11000000.00000101.00000101.00110111 (192.5.5.55) host
address
– 11000000.00000101.00000101.00100000 (192.5.5.32) network
address
– 00000000.00000000.00000000.00011111 (0.0.0.31) wildcard
mask
Masking Practice
– Notice in the previous example (repeated below), some
bits were colored blue. These bits are the bits that must
match.
– 11000000.00000101.00000101.00110111 (192.5.5.55) host address
– 11000000.00000101.00000101.00100000 (192.5.5.32) network “
– 00000000.00000000.00000000.00011111 (0.0.0.31) wildcard mask
• Remember: a “0” bit in the wildcard mask means check the bit; a
“1” bit in the wildcard mask means ignore.
• The “0”s must match between the address of the packet
(192.5.5.55) being filtered and the ip mask configured in the access
list (192.5.5.32)
– Write an ip mask and wildcard mask for the subnet
192.5.5.64 with a subnet mask of 255.255.255.192?
• Answer: 192.5.5.64 0.0.0.63
1- 27
Masking Practice
– Write an ip mask and wildcard mask for the subnet 172.16.128.0
with a subnet mask of 255.255.128.0?
• Answer: 172.16.128.0 0.0.127.255
– Write an ip mask and wildcard mask for the subnet 172.16.16.0
with a subnet mask of 255.255.252.0?
• Answer: 172.16.16.0 0.0.3.255
– Write an ip mask and wildcard mask for the subnet 10.0.8.0 with
a subnet mask of 255.255.248.0?
• Answer: 10.0.8.0 0.0.7.255
– By now, you should have the hang of ip mask and wildcard
masks when dealing with a subnet. If not, go back & review.
1- 28
Wildcards Masks and Ranges
• Used with ACLS to specify a host, network, or
part of a network.
• It’s helpful to understand block sizes
– Used to specify a range of addresses.
• Some block sizes available
–
–
–
–
–
1- 29
4
8
16
32
64
Wildcards Masks and Ranges
• When you need to specify a range of addresses,
you choose the closest block size for your needs.
– if you need to specify 34 networks, you need a
black size of 64
– If you need to specify 18 hosts, you need a
block size of 32
– If you only specify two networks, then you can
use a block size of 5
1- 30
Wildcards Masks and Ranges
• What if you want to specify only a small
range of subnets? - use a block size
• Example: block access to part of a network
from 172.16.8.0 thru. 172.16.15.0
– Use block size of 8 (0.0.7.255)
– Notice that the wildcard is one number less
than the block size.
1- 31
Masking a Host Range
– You’ll need to be able to deny a portion of a
subnet while permitting another.
– To mask a range of host within a subnet, it is
often necessary to work on the binary level.
– For example, students use the range 192.5.5.0
to 192.5.5.127 and teachers use the range
192.5.5.128 to 192.5.5.255. Both groups are on
network 192.5.5.0 255.255.255.0
– How do you write an ip mask and wildcard
mask to deny one group, yet permit another?
1- 32
Masking a Host Range
– Let’s write the masks for the students.
• First, write on the first and last host address in
binary. Since the first 3 octets are identical, we can
skip those. All their bits must be “0”
– First Host’s 4th octet: 00000000
– Last Host’s 4th octet: 01111111
• Second, look for the leading bits that are shared by
both (in blue below)
– 00000000
– 01111111
– These “bits in common” are to be checked just like the
common bits in the 192.5.5 portion of the addresses.
1- 33
Examples: Host Ranges 192.5.5.1 to .127 and .128 to .255
Masking a Host Range
• Third, add up the decimal value of the “1” bits in the last host’s
address (127)
• Finally, determine the ip mask and wildcard mask
– The ip mask can be any host address in the range, but convention
says use the first one
– The wildcard mask is all “0”s for the common bits
– 192.5.5.0 0.0.0.127
– What about the teachers? What would be their ip mask
and wildcard mask?
• 192.5.5.128 (10000000) to 192.5.5.255 (11111111)
• Answer: 192.5.5.128 0.0.0.127
• Notice anything? What stayed the same? changed?
1- 34
Examples: Host Ranges 192.5.5.1 to .127 and .128 to .255
Time Savers:
the any command
– Since ACLs have an implicit “deny any” statement at the end,
you must write statements to permit others through.
– Using our previous example, if the students are denied access
and all others are allowed, you would write two statements:
• Lab-A(config)#access-list 1 deny 192.5.5.0
0.0.0.127
• Lab-A(config)#access-list 1 permit 0.0.0.0
255.255.255.255
– Since the last statement is commonly used to override the “deny
any,” Cisco gives you an option--the any command:
• Lab-A(config)#access-list 1 permit any
1- 35
Time Savers: |
the host command
– Many times, a network administrator will need
to write an ACL to permit a particular host (or
deny a host). The statement can be written in
two ways. Either...
• Lab-A(config)#access-list 1 permit
192.5.5.10 0.0.0.0
– or...
• Lab-A(config)#access-list 1 permit
host 192.5.5.10
1- 36