Saturday, February 22, 2020

How to create Complex Wildcard Masks

In one of my previous tutorials I explained how to calculate wildcard bits for access-lists that you can use to match network and subnet addresses. In this tutorial we will dive a bit deeper into the wildcards and I’ll teach you how to match on some more complex patterns.

Match all even or uneven subnets

We start with something simple, the goal is to match all “even” subnets. This is my list of subnets that I have to play with:
192.168.0.0 /24
192.168.1.0 /24
192.168.2.0 /24
192.168.3.0 /24
192.168.4.0 /24
192.168.5.0 /24
192.168.6.0 /24
192.168.7.0 /24
192.168.8.0 /24
So how are we going to approach this? What kind of wildcard mask do we need to match all the even subnets? To answer this question we have to look at it in binary:
192.168.0.0   11000000 10101000 00000000 00000000
192.168.1.0   11000000 10101000 00000001 00000000
192.168.2.0   11000000 10101000 00000010 00000000
192.168.3.0   11000000 10101000 00000011 00000000
192.168.4.0   11000000 10101000 00000100 00000000
192.168.5.0   11000000 10101000 00000101 00000000
192.168.6.0   11000000 10101000 00000110 00000000
192.168.7.0   11000000 10101000 00000111 00000000
192.168.8.0   11000000 10101000 00001000 00000000
The first and second octets are the same for all these subnets, and we don’t care about the last octet since it’s for hosts. We need to look at the third octet to find a pattern. Let’s take a look at the even subnets:
0   00000000
2   00000010
4   00000100
6   00000110
8   00001000
The 8th bit is always a 0. Let’s look at the uneven subnets too:
1   00000001
3   00000011
5   00000101
7   00000111
To create an uneven subnet, the 8th bit is always a 1. This is something we can match with a wildcard. Let’s start with a wildcard that matches all even subnets:
192.168.0.0   11000000 10101000 00000000 00000000
192.168.2.0   11000000 10101000 00000010 00000000
192.168.4.0   11000000 10101000 00000100 00000000
192.168.6.0   11000000 10101000 00000110 00000000
192.168.8.0   11000000 10101000 00001000 00000000
wildcard      00000000 00000000 11111110 11111111
The first two octets are the same for all the subnets so we use all zeroes for the wildcard mask. In the third octet we use a 1 (don’t care) for all bits except for the 8th bit, which has to match, so it gets a 0. We don’t care at all about the 4th octet.
The wildcard that we can use will be 0.0.254.255.
Want to see a real life example? Let me show you an example of a router that is configured for EIGRP. This is what the routing table looks like, you see all the networks that I used in the example above:
R2#show ip route eigrp 
D    192.168.8.0/24 [90/409600] via 10.10.10.1, 00:09:51, FastEthernet0/0
D    192.168.4.0/24 [90/409600] via 10.10.10.1, 00:09:51, FastEthernet0/0
D    192.168.5.0/24 [90/409600] via 10.10.10.1, 00:00:03, FastEthernet0/0
D    192.168.6.0/24 [90/409600] via 10.10.10.1, 00:09:51, FastEthernet0/0
D    192.168.7.0/24 [90/409600] via 10.10.10.1, 00:00:03, FastEthernet0/0
D    192.168.0.0/24 [90/409600] via 10.10.10.1, 00:09:51, FastEthernet0/0
D    192.168.1.0/24 [90/409600] via 10.10.10.1, 00:00:03, FastEthernet0/0
D    192.168.2.0/24 [90/409600] via 10.10.10.1, 00:09:51, FastEthernet0/0
D    192.168.3.0/24 [90/409600] via 10.10.10.1, 00:00:03, FastEthernet0/0
Now we will make an access-list that uses the wildcard mask that we just found. I use 192.168.0.0 as the network address so it matches all subnets in the 192.168.x.x range.
R2(config)#ip access-list standard EVEN
R2(config-std-nacl)#permit 192.168.0.0 0.0.254.255
I can use a distribute-list and refer to the access-list to filter incoming routing updates:
R2(config)#router eigrp 10
R2(config-router)#distribute-list EVEN in
After applying the distribute-list the routing table looks like this:
R2#show ip route eigrp 
D    192.168.8.0/24 [90/409600] via 10.10.10.1, 00:03:57, FastEthernet0/0
D    192.168.4.0/24 [90/409600] via 10.10.10.1, 00:03:57, FastEthernet0/0
D    192.168.6.0/24 [90/409600] via 10.10.10.1, 00:03:57, FastEthernet0/0
D    192.168.0.0/24 [90/409600] via 10.10.10.1, 00:03:57, FastEthernet0/0
D    192.168.2.0/24 [90/409600] via 10.10.10.1, 00:03:57, FastEthernet0/0
Voila! Only the even subnets are here.
We can also use the same wildcard but apply it the other way around so it matches all the uneven subnets:
192.168.1.0   11000000 10101000 00000001 00000000
192.168.3.0   11000000 10101000 00000011 00000000
192.168.5.0   11000000 10101000 00000101 00000000
192.168.7.0   11000000 10101000 00000111 00000000
wildcard      00000000 00000000 11111110 11111111
We use the exact same wildcard mask but we will use another subnet address in the access-list (192.168.1.0):
192.168.1.0   11000000 10101000 00000001 00000000
wildcard      00000000 00000000 11111110 11111111
When we use this subnet as the network address then the 8th bit of the 3rd octet has to be a 1. This is what the access-list will look like:
R2(config)#ip access-list standard UNEVEN
R2(config-std-nacl)#deny 192.168.1.0 0.0.254.255
R2(config-std-nacl)#permit any
We deny all the uneven subnets and permit everything else. Let’s apply it so you can see it in action:
R2(config)#router eigrp 10
R2(config-router)#no distribute-list EVEN in
R2(config-router)#distribute-list UNEVEN in
The results will be the same:
R2#show ip route eigrp 
D    192.168.8.0/24 [90/409600] via 10.10.10.1, 00:00:02, FastEthernet0/0
D    192.168.4.0/24 [90/409600] via 10.10.10.1, 00:00:02, FastEthernet0/0
D    192.168.6.0/24 [90/409600] via 10.10.10.1, 00:00:02, FastEthernet0/0
D    192.168.0.0/24 [90/409600] via 10.10.10.1, 00:00:02, FastEthernet0/0
D    192.168.2.0/24 [90/409600] via 10.10.10.1, 00:00:02, FastEthernet0/0
Are you following me so far? Let’s try a more complex example!

Matching “random” subnets

This is an example that you might encounter on a test. Let me show you a couple of subnets:
192.168.10.0 /24
192.168.26.0 /24
192.168.42.0 /24
192.168.58.0 /24
These subnets look random to us but on a binary level they have something in common. To see this, we need to dive into the binary world:
192.168.10.0   11000000 10101000 00001010 00000000
192.168.26.0   11000000 10101000 00011010 00000000
192.168.42.0   11000000 10101000 00101010 00000000
192.168.58.0   11000000 10101000 00111010 00000000
The first, second and fourth octets are all the same, so let’s zoom in on the third octet and see if we can find a pattern:
10   00001010
26   00011010
42   00101010
58   00111010
These four numbers have something in common: only the 3rd and 4th bit differ, and we can use this to create a matching wildcard:
48   00110000
With this wildcard, all bits have to match except for the 3rd and 4th bit. Let’s configure this in an access-list so you can see that it works. I have advertised the subnets above, so my routing table now looks like this:
R2#show ip route eigrp 
D    192.168.42.0/24 [90/409600] via 10.10.10.1, 00:00:11, FastEthernet0/0
D    192.168.8.0/24 [90/409600] via 10.10.10.1, 00:10:34, FastEthernet0/0
D    192.168.58.0/24 [90/409600] via 10.10.10.1, 00:00:05, FastEthernet0/0
D    192.168.10.0/24 [90/409600] via 10.10.10.1, 00:00:20, FastEthernet0/0
D    192.168.26.0/24 [90/409600] via 10.10.10.1, 00:00:16, FastEthernet0/0
D    192.168.4.0/24 [90/409600] via 10.10.10.1, 00:10:34, FastEthernet0/0
D    192.168.5.0/24 [90/409600] via 10.10.10.1, 00:00:31, FastEthernet0/0
D    192.168.6.0/24 [90/409600] via 10.10.10.1, 00:10:34, FastEthernet0/0
D    192.168.7.0/24 [90/409600] via 10.10.10.1, 00:00:31, FastEthernet0/0
D    192.168.0.0/24 [90/409600] via 10.10.10.1, 00:10:34, FastEthernet0/0
D    192.168.1.0/24 [90/409600] via 10.10.10.1, 00:00:31, FastEthernet0/0
D    192.168.2.0/24 [90/409600] via 10.10.10.1, 00:10:34, FastEthernet0/0
D    192.168.3.0/24 [90/409600] via 10.10.10.1, 00:00:31, FastEthernet0/0
Let’s create the access-list and apply it with a distribute-list:
R2(config)#ip access-list standard NOT_SO_RANDOM
R2(config-std-nacl)#permit 192.168.10.0 0.0.48.255

R2(config)#router eigrp 10
R2(config-router)#distribute-list NOT_SO_RANDOM in
After applying the distribute-list, this is what the routing table looks like:
R2#show ip route eigrp 
D    192.168.42.0/24 [90/409600] via 10.10.10.1, 00:02:30, FastEthernet0/0
D    192.168.58.0/24 [90/409600] via 10.10.10.1, 00:02:25, FastEthernet0/0
D    192.168.10.0/24 [90/409600] via 10.10.10.1, 00:02:39, FastEthernet0/0
D    192.168.26.0/24 [90/409600] via 10.10.10.1, 00:02:35, FastEthernet0/0
There we go, we only have the 4 subnets left that we wanted!
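As an added example that is not part of the original tutorial, the Python below does the bit comparison from both sections (even/uneven subnets and the “random” ones) in code: a wildcard bit is 0 where every subnet has the same bit and 1 where they differ, with the host bits of each prefix set to don’t care as well. It then replays the three access-lists EVEN, UNEVEN and NOT_SO_RANDOM against the route prefixes from the routing tables above, using standard ACL semantics (first match wins, implicit deny at the end), the way an inbound distribute-list does. All function names are my own; the subnet and route lists are the tutorial’s. It also goes one step past the text: networks_covered counts how many /24s a mask admits, which is the check you want before trusting a mask derived from a handful of samples, because a mask with n don’t-care bits in the network part matches 2^n networks, not only the ones you looked at. The mask the tutorial picks for the even subnets, 0.0.254.255, deliberately covers every even third octet; the tightest mask for just 0 to 8 would be 0.0.14.255.

```python
"""Cisco-style wildcard masks: derive one from a list of subnets and evaluate
standard ACLs against route prefixes. Added example, not the tutorial's code;
subnet and route lists are copied from the tutorial, helper names are my own."""
import ipaddress


def to_int(addr):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def to_dotted(value):
    """32-bit integer -> dotted-quad string."""
    return str(ipaddress.IPv4Address(value))


def to_binary(addr):
    """Dotted-quad -> four 8-bit groups, laid out like the tables above."""
    bits = f"{to_int(addr):032b}"
    return " ".join(bits[i:i + 8] for i in range(0, 32, 8))


def derive_wildcard(networks):
    """Tightest (base, wildcard) pair covering every network in the list.

    A wildcard bit is 0 where all networks agree (must match) and 1 where
    they differ (don't care). Host bits of each prefix are don't care too,
    which is why the tutorial's masks for /24s end in .255. The base keeps
    the bits common to all networks and clears every don't-care bit.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in networks]
    common_ones = 0xFFFFFFFF      # AND: bits set in every network
    any_ones = 0                  # OR:  bits set in at least one network
    host_bits = 0
    for net in nets:
        value = int(net.network_address)
        common_ones &= value
        any_ones |= value
        host_bits |= int(net.hostmask)
    differing = common_ones ^ any_ones   # set in some networks but not all
    wildcard = differing | host_bits
    base = common_ones & ~wildcard & 0xFFFFFFFF
    return to_dotted(base), to_dotted(wildcard)


def networks_covered(wildcard, prefixlen):
    """Number of /prefixlen networks a wildcard admits: 2 ** (don't-care bits
    inside the network portion). Compare with how many subnets you meant to
    match to spot a mask that over-matches."""
    network_part = to_int(wildcard) >> (32 - prefixlen)
    return 2 ** bin(network_part).count("1")


def matches(addr, base, wildcard):
    """True when addr agrees with base on every bit the wildcard marks 0."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)


ANY = ("0.0.0.0", "255.255.255.255")


def acl_permits(acl, addr):
    """Standard ACL semantics: the first matching entry decides; implicit deny."""
    for action, base, wildcard in acl:
        if matches(addr, base, wildcard):
            return action == "permit"
    return False


def filter_routes(acl, routes):
    """Apply the ACL to route prefixes the way an inbound distribute-list does:
    a prefix survives when the ACL permits its network address."""
    return [r for r in routes if acl_permits(acl, r.split("/")[0])]


# Prefixes from the two EIGRP routing tables shown above, in the order shown.
TABLE_ONE = ["192.168.%d.0/24" % n for n in (8, 4, 5, 6, 7, 0, 1, 2, 3)]
TABLE_TWO = ["192.168.%d.0/24" % n
             for n in (42, 8, 58, 10, 26, 4, 5, 6, 7, 0, 1, 2, 3)]

# The tutorial's three access-lists as (action, address, wildcard) entries.
EVEN = [("permit", "192.168.0.0", "0.0.254.255")]
UNEVEN = [("deny", "192.168.1.0", "0.0.254.255"), ("permit", *ANY)]
NOT_SO_RANDOM = [("permit", "192.168.10.0", "0.0.48.255")]

if __name__ == "__main__":
    for route in TABLE_ONE:
        print(route, to_binary(route.split("/")[0]))
    print("EVEN   ->", filter_routes(EVEN, TABLE_ONE))
    print("UNEVEN ->", filter_routes(UNEVEN, TABLE_ONE))
    random_subnets = ["192.168.%d.0/24" % n for n in (10, 26, 42, 58)]
    base, wildcard = derive_wildcard(random_subnets)
    print("derived:", base, wildcard,
          "covers", networks_covered(wildcard, 24), "/24s")
    print("NOT_SO_RANDOM ->", filter_routes(NOT_SO_RANDOM, TABLE_TWO))
```

The over-match check matters more than it looks: deriving a mask from only 192.168.10.0, 192.168.26.0 and 192.168.42.0 gives the same 0.0.48.255, because two don’t-care bits always admit four combinations, so 192.168.58.0 is let through whether or not you intended it. Run networks_covered against the number of subnets you meant to match before you put a derived mask into a distribute-list or filter.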
I hope these examples have been useful to you…if you have any other questions feel free to leave a comment!
