
Access Control Lists - Wildcard Masks

Rules for forming wildcard (WC) masks

The 32 bits of a WCM contain only 0 and 1, with the convention:
a. 1 means ignore the bit.
b. 0 means check the bit.

1. TO MATCH A HOST
Set all bits to 0.
With a Standard Access-list:
access-list 1 permit 186.142.62.12 0.0.0.0
or
access-list 1 permit 186.142.62.12 (a standard access list assumes a 0.0.0.0 mask)
With Extended Access-lists:
access-list 101 permit ip 186.142.62.12 0.0.0.0 any
or
access-list 101 permit ip host 186.142.62.12 any

2. MATCH AN ENTIRE SUBNET
Wildcard mask = 255.255.255.255 - the subnet mask
Example 1
Given 42.64.86.0, subnet mask 255.255.255.0
255.255.255.255 - subnet mask 255.255.255.0 = wildcard mask 0.0.0.255
access-list 1 permit 42.64.86.0 0.0.0.255
The entire network 42.64.86.0 is matched.
Example 2
Given 202.22.66.99, subnet mask 255.255.255.240
255.255.255.255 - subnet mask 255.255.255.240 = wildcard mask 0.0.0.15
So the IP addresses affected are: 202.22.66.96 -> 202.22.66.111
access-list 1 permit 202.22.66.99 0.0.0.15
Example 3
Given 22.66.77.0, subnet mask 255.255.224.0
255.255.255.255 - subnet mask 255.255.224.0 = wildcard mask 0.0.31.255
access-list 1 permit 22.66.77.0 0.0.31.255
So the IP addresses affected are: 22.66.64.0 -> 22.66.95.255
Example 4
Given 211.92.32.128, subnet mask 255.255.255.248
255.255.255.255 - subnet mask 255.255.255.248 = wildcard mask 0.0.0.7
access-list 1 permit 211.92.32.128 0.0.0.7
So the IP addresses affected are: 211.92.32.128 -> 211.92.32.135

3. MATCH A RANGE (over a specific range of IP addresses)
To find the WCM, subtract the lowest IP of the range from the highest:
Example 1
Match the range from 132.43.48.7 to 132.43.63.255
132.43.63.255 - 132.43.48.0 = wildcard mask 0.0.15.255
access-list 1 permit 132.43.48.0 0.0.15.255
Example 2
Match the range from 132.43.16.32 to 132.43.31.63
132.43.31.63 - 132.43.16.32 = wildcard mask 0.0.15.31
access-list 1 permit 132.43.16.0 0.0.15.255

4. MATCH EVERYONE
access-list 1 permit any
or
access-list 1 permit 0.0.0.0 255.255.255.255

Exercises:
1) Write an ACL that blocks every address in network 192.168.1.0/24 from accessing http.
2) What does the WCM pair 0.0.0.0 255.255.255.0 mean?
1. Wildcard mask matching one host
Example: find the wildcard mask that matches host 192.168.1.1
By the rule: a 0 bit is checked, a 1 bit is ignored
=> IP address: 192.168.1.1 0.0.0.0, or the keyword "host"
2. Wildcard mask matching all IP addresses
Example: find the wildcard mask that matches every IP address
By the rule: a 0 bit is checked, a 1 bit is ignored
=> IP address: 192.168.1.1 255.255.255.255, or the keyword "any"
3. Wildcard mask matching one subnet
Example: find the wildcard mask that matches subnet 192.168.1.0/24
Method: subtract the subnet's mask from 255.255.255.255
=> IP address: 192.168.1.1 0.0.0.255
4. Wildcard mask matching a contiguous range of IP addresses
Example: find the wildcard mask that matches the range 192.168.2.0 to 192.168.4.255
Method: subtract the first address from the last
=> IP address: 192.168.2.0 0.0.2.255
5. Wildcard mask matching the first few IP addresses
Example: given the IP address 192.168.1.0, find the wildcard mask that matches the first T hosts
=> Address range to match: 192.168.1.0 -> 192.168.1.T
=> Wildcard mask: 0.0.0.T (last address minus first address)
=> IP address: 192.168.1.0 0.0.0.T
6. Wildcard mask for the upper half or the lower half of a network range:
Example: given the IP address 192.168.1.0, find the wildcard masks that match the upper and lower halves of the range:
=> Upper-half address range: 192.168.1.0 -> 192.168.1.127
=> Wildcard mask: 0.0.0.127 (last address minus first address)
=> IP address: 192.168.1.0 0.0.0.127
=> Lower-half address range: 192.168.1.128 -> 192.168.1.255
=> Wildcard mask: 0.0.0.127 (last address minus first address)
=> IP address: 192.168.1.128 0.0.0.127
7. Wildcard mask matching odd or even IP addresses
An odd or even IP address is one whose last octet, written in decimal, is an odd or even number.
Example: odd IP - 192.168.1.1
even IP - 192.168.1.2
Observation: the last bit of an odd IP is always 1, and the last bit of an even IP is always 0.
So a suitable wildcard mask must produce a range of IP addresses in which the last bit of the last octet is held constant at 0 or 1.
Solution: for the router to always check the last bit of the last octet of the IP address, the corresponding bit of the wildcard mask must be 0.
=> Example 1: given the IP address 192.168.1.0, find the wildcard mask that matches all even IPs:
=> Wildcard mask: 0.0.0.254 (in binary: 00000000.00000000.00000000.11111110)
=> IP address: 192.168.1.0 0.0.0.254 (an even IP always has a last bit of 0)
=> Example 2: given the IP address 192.168.1.0, find the wildcard mask that matches all odd IPs:
=> Wildcard mask: 0.0.0.254 (in binary: 00000000.00000000.00000000.11111110)
=> IP address: 192.168.1.1 0.0.0.254 (an odd IP always has a last bit of 1)
8. Wildcard mask matching a range of IP addresses that is not a single block
This is the most complex wildcard-mask problem, because there is no way to use one wildcard mask to build an address entry that matches the whole original range:
Example: find the wildcard mask that matches the range 192.168.1.15 -> 192.168.1.75
Observation: this range is not a single aligned block, so no single wildcard mask can cover it. For ranges that are aligned blocks, however, a wildcard mask always exists.
Solution: divide the original range into smaller ranges, each of which has a wildcard mask. How should it be divided? Recall that each bit of the host portion of an octet represents a group of hosts called a block size. The last bit is block size 1, since it represents one host; likewise the first bit is block size 128. And every block size has a wildcard mask.
Divide the range into block sizes:
- 192.168.1.15 (1)
- 192.168.1.16 -> 192.168.1.31 (2)
- 192.168.1.32 -> 192.168.1.63 (3)
- 192.168.1.64 -> 192.168.1.75 (4)
Wildcard mask for each block:
- (1): 192.168.1.15 0.0.0.0 -> host IP
- (2): 192.168.1.16 0.0.0.15
- (3): 192.168.1.32 0.0.0.31
- (4): no suitable wildcard mask yet; write the last octet in binary to split it further:
.64: 01000000
.75: 01001011
=> Split into: 01000000 -> 01000111 (5)
               01001000 -> 01001011 (6)
=> (5): 192.168.1.64 0.0.0.7
   (6): 192.168.1.72 0.0.0.3
Summary: from the original IP range we obtain 6 sub-ranges (1)(2)(3)(4)(5)(6).
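The helpers below are an added example, not part of the original sheet: they put the page's wildcard rule (0 = check, 1 = ignore) into code, along with the 255.255.255.255 minus subnet mask shortcut of sections 2 and 3, the even/odd mask of item 7, and the block splitting of item 8 generalised to a greedy algorithm that returns the five final entries directly. They also test a "last minus first" wildcard against the real matching rule, which shows the shortcut only holds for block-aligned ranges. Function names are mine.

```python
# Added example (not from the original sheet): the page's wildcard-mask rules
# in code. Assumes IPv4 dotted-quad strings; function names are mine.
from ipaddress import IPv4Address

ALL_ONES = 0xFFFFFFFF

def to_int(a):
    return int(IPv4Address(a))

def to_str(n):
    return str(IPv4Address(n))

def wildcard_from_mask(subnet_mask):
    """Sections 2-3 shortcut: wildcard = 255.255.255.255 - subnet mask."""
    return to_str(ALL_ONES - to_int(subnet_mask))

def acl_matches(base, wildcard, addr):
    """The router's real test: wherever the wildcard bit is 0, base and
    addr must agree (0 = check, 1 = ignore)."""
    care = ALL_ONES ^ to_int(wildcard)
    return (to_int(base) ^ to_int(addr)) & care == 0

def count_matches(base, wildcard, first, last):
    """How many addresses in first..last an entry actually covers; used to
    check a 'last minus first' wildcard such as 192.168.2.0 0.0.2.255."""
    return sum(acl_matches(base, wildcard, to_str(n))
               for n in range(to_int(first), to_int(last) + 1))

def split_range(first, last):
    """Item 8 generalised: greedily cut first..last into aligned blocks
    (block size 1, 2, 4, ... ), each expressible as one base/wildcard pair."""
    lo, hi = to_int(first), to_int(last)
    blocks = []
    while lo <= hi:
        size = 1
        # grow the block while it stays aligned at lo and inside the range
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        blocks.append((to_str(lo), to_str(size - 1)))
        lo += size
    return blocks

if __name__ == "__main__":
    print(wildcard_from_mask("255.255.255.240"))          # 0.0.0.15
    for base, wc in split_range("192.168.1.15", "192.168.1.75"):
        print("access-list 1 permit", base, wc)           # the page's 5 final entries
    # even hosts only (item 7): .200 matches, .201 does not
    print(acl_matches("192.168.1.0", "0.0.0.254", "192.168.1.200"),
          acl_matches("192.168.1.0", "0.0.0.254", "192.168.1.201"))
    # item 4's subtraction result 0.0.2.255 covers 192.168.0.x and 192.168.2.x
    # only (512 addresses), not 192.168.3.x or 192.168.4.x
    print(count_matches("192.168.2.0", "0.0.2.255", "192.168.0.0", "192.168.7.255"))  # 512
```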
Exercises: Access control list (ACL)
----------
1. Design an IP access list that permits traffic from host 193.5.2.70, but denies all other IP traffic.
2. Design an IP access list that denies traffic from host 11.5.25.239, but permits all other IP traffic.
3. Design an IP access list that permits IP traffic from hosts on network 190.25.1.0/24, and denies other IP traffic.
4. Design an access list that denies IP traffic from hosts 152.5.35.13 and 10.2.0.33, permits IP traffic from all hosts on network 115.25.0.0/16, and denies all other IP traffic. Invoke your access list inbound on interface E2.
5. Given the statements:
1 interface ethernet 1
2 ip access-group 25 in
3 access-list 25 permit host 101.2.3.0
4 access-list 25 deny 203.5.0.0 0.0.255.255
5 access-list 25 permit any
What will the result be?
6. Design an access list that permits IP traffic from hosts 1.2.3.91 and 1.2.3.99, and denies all other IP traffic.
7. Design an extended IP access list that denies HTTP traffic intended for the web server at 7.23.67.102, permits HTTP traffic to other web servers, and denies all other IP traffic.
8. Given the statements:
interface ethernet 0
ip access-group 95 in
access-list 95 deny host 101.202.3.4
access-list 95 deny 203.5.0.0 0.0.0.255
access-list 95 permit any
What will the result be?
9. Design an IP access list that permits TFTP traffic to TFTP servers that have host addresses ending in even numbers, denies Telnet traffic to Telnet servers that have host addresses ending in odd numbers, permits traffic to other Telnet servers, and denies all other IP traffic. Activate your list inbound on interface E1.
10. Design an extended access list that permits all IP traffic from hosts on network 215.23.5.0/24, denies all IP traffic going to subnet 52.5.0.0/16, permits anyone to open a Telnet session with either 1.63.73.60 or 221.63.62.11, and denies all other IP traffic.
11. Given the statements:
interface serial 0
ip access-group 10 out
access-list 10 deny tcp 1.3.0.23 0.0.0.0 host 6.5.4.1 eq 23
access-list 10 deny udp any any eq tftp
access-list 10 permit ip any any
What will the result be?
12. Design an access list that permits web traffic from the server at 101.5.32.2 to all hosts on subnet 19.23.1.0/24, permits pings in either direction between the hosts on network 39.0.0.0/8 and subnet 197.2.5.96/27, and denies everything else. Place this access list in force in the outbound direction on the router's E2 port.
13. Given the statements:
interface fddi 3/2
ip access-group 60
access-list 60 permit 100.200.0.0 0.0.255.63
What will the result be?
14. Design an access list that permits all IP traffic except pings in either direction between subnets 10.20.0.0/16 and 6.50.60.0/24.
15. Given the statements:
interface token-ring 7
ip access-group 13 in
ip access-group 11 out
access-list 13 permit host 201.3.4.2
access-list 13 deny 203.5.0.0 0.0.255.255
access-list 13 deny 1.7.22.20 0.0.0.7
access-list 13 permit any
access-list 11 permit ip any host 101.202.3.4 log
access-list 11 permit tcp 203.5.0.0 0.0.0.255 any eq www
access-list 11 permit udp any any
What will the result be?
16. Design an access list that permits all IP traffic from the hosts on networks 222.111.3.0/24 through 222.111.7.0/24, and denies all other IP traffic.
17. Given the statements:
interface s1
ip access-group 23 in
access-list 23 deny host 201.3.4.2
access-list 23 deny 1.7.22.21 0.0.0.7
access-list 23 deny 153.5.0.0 0.0.255.255
access-list 23 deny 203.5.0.0 0.0.0.255
What will the result be?
18. Design an access list that denies all FTP traffic from the hosts on subnets 101.202.1.0/24 through 101.202.13.0/24 that is destined for FTP servers, but permits all other IP traffic.
19. Given the statements:
interface ethernet 4
ip access-group 199
access-list 199 permit ip any any
access-list 199 deny ip 100.5.0.0 0.0.255.255 any
access-list 199 deny tcp any 4.7.12.22 0.0.0.15 eq ftp
access-list 199 deny udp 23.15.0.0 0.0.0.255 host 1.2.3.4 eq rip
What will the result be?
20. Design an access list that permits all IP traffic from the hosts on subnets 10.0.0.0/16 through 10.7.0.0/16, permits IP traffic from the hosts on subnets 10.9.0.0/16 through 10.15.0.0/16, and denies all other IP traffic. Place it outbound on E0 and inbound on s1.
21. The following statements are executed in the order given:
access-list 1 deny any
access-list 1 permit any
no access-list 1 deny any
access-list 2 deny 1.2.3.4
access-list 2 permit any
interface serial 3
ip access-group 2 in
ip access-group 1 in
What is the result?
22. Given the statements:
interface ethernet 1
ip access-group 60 in
ip access-group 101 in
access-list 60 deny host 1.3.5.7 0.0.0.0
access-list 60 deny 10.0.0.0 0.0.0.0
access-list 60 deny 5.71.3.2 255.255.255.255
access-list 60 deny ip host 101.2.5.7 eq telnet
access-list 101 permit ip 205.0.23.0 3.67.22.3
access-list 101 permit ipx a0b1c2 -1
access-list 101 deny telnet
access-list 101 permit ip host 225.0.0.5 any
access-list 101 deny ip any any
How many errors can you find?
