
Irregular wildcard masks. How do I interpret them?

Params7 Member Posts: 254
Looking for help in deciphering these ACL statements.

permit tcp 172.27.10.0 0.0.81.255 any established
permit tcp 172.27.12.0 0.0.80.255 any established
permit tcp 172.24.112.0 0.0.8.255 any established
permit tcp 172.24.116.0 0.0.0.255 any established

The first two statements are confusing me and I don't get what is trying to be achieved here. What I can imagine is that they want very specific values in the third octet to be allowed.

For example, take the second statement IP address and wildcard mask:
172.27.12.0 0.0.80.255

In bit form, wildcard value of 80 in third octet = 01010000
With corresponding IP address of 12 in the third octet= 00001100

That means only accept sources which, when it comes to the third octet, have 0x0x1100 (x can be 1/0, the wildcard does not care).

Now mathematically, how would you begin to calculate the pattern of values that would be accepted by this wildcard? I'm coming to a full headstop with brain fog. Math was never my strong suit :s

Comments

  • OctalDump Member Posts: 1,722
    You are so close here.

    What do the 'x's stand for? 64 and 16. So it will be values where it is +0 (both zero, 00001100), +16 (00011100), +64 (01001100), or +80 (both 1, 01011100), in the third octet. So that would be 172.27.12.x, 172.27.28.x, 172.27.76.x, 172.27.92.x

    It's annoying, isn't it? I hate these because there is so much effort.
    2017 Goals - Something Cisco, Something Linux, Agile PM
  • james43026 Member Posts: 303
    I'll start by saying that it is not recommended to use discontiguous wildcard masks in any network, they complicate things, and can leave potential security holes, when not done correctly.

    The first rule defines the following range: 172.27.10.0 - 172.27.91.255. The range is easily calculated by looking at the reference IP address of 172.27.10.0 and the wildcard mask and completing an XOR operation on the third octet, like below.

    00001010=network add third octet
    01010001=Wildcard mask third octet


    01011011=results of logical XOR

    The second one is a bit different though. It defines a range of 172.27.12.0 - 172.27.92.255, but the important thing to note, is the fact that when looking at the binary below, the 1 bit can never be turned on, it must remain off, this means that this range doesn't match any odd numbers in the third octet, and any odd numbers for such an ACL entry would pass onto the next statement in the ACL, you can see the math behind that below.

    00001100=network add third octet
    01010000=Wildcard mask third octet


    01011100=results of logical XOR

    If we wanted to test 172.27.81.x against this ACL entry, you would do so by taking the logical XOR results, and replacing any bits that are a 1 in the wildcard with an "x" which simply means that you don't care if the bits match, and then simply look for the first discrepancy, for this example, the last bit is the discrepancy, which means that 172.27.81.x isn't a match for this ACL entry.

    0x0x1100=the results of our logical XOR above.
    00001101=172.27.81.x
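The bit-by-bit reasoning in the question and the two replies above can be written down as a small script. This is an added example, not code from the original thread: it applies the router's wildcard rule (a 1 bit in the wildcard means "don't care", a 0 bit must match the reference address exactly) to the four ACL lines quoted in the question, enumerates every third-octet value each line accepts, and shows why 172.27.81.x falls through the second line. The `ACL` list, the function names and the sample addresses are constructed for the example.

```python
import ipaddress

# The four ACL entries from the question, as (reference address, wildcard mask).
# Constructed for this example; the action and ports are omitted because only
# the source-address match matters here.
ACL = [
    ("172.27.10.0", "0.0.81.255"),
    ("172.27.12.0", "0.0.80.255"),
    ("172.24.112.0", "0.0.8.255"),
    ("172.24.116.0", "0.0.0.255"),
]


def wildcard_matches(addr: str, ref: str, wild: str) -> bool:
    """Cisco wildcard semantics: every bit that is 0 in the wildcard must be
    identical in addr and ref; bits that are 1 in the wildcard are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    r = int(ipaddress.IPv4Address(ref))
    w = int(ipaddress.IPv4Address(wild))
    # XOR flags the bits that differ; masking with the inverted wildcard keeps
    # only the differences in "must match" positions. Zero means a match.
    return ((a ^ r) & ~w & 0xFFFFFFFF) == 0


def matching_octet_values(ref_octet: int, wild_octet: int) -> list[int]:
    """All values of one octet that a (reference, wildcard) pair accepts.
    Start from the fixed bits and add every combination of the free bits."""
    fixed = ref_octet & ~wild_octet & 0xFF
    free_bits = [1 << i for i in range(8) if (wild_octet >> i) & 1]
    values = {fixed}
    for bit in free_bits:
        values |= {v | bit for v in values}
    return sorted(values)


def first_match(addr: str, acl: list[tuple[str, str]]):
    """Index of the first ACL entry that matches addr, or None (implicit deny)."""
    for i, (ref, wild) in enumerate(acl):
        if wildcard_matches(addr, ref, wild):
            return i
    return None


def explain(ref: str, wild: str) -> str:
    """Human-readable summary of which third-octet values an entry accepts."""
    ref_3 = int(ref.split(".")[2])
    wild_3 = int(wild.split(".")[2])
    accepted = matching_octet_values(ref_3, wild_3)
    prefix = ".".join(ref.split(".")[:2])
    return f"{ref} {wild}: {len(accepted)} subnets -> " + ", ".join(
        f"{prefix}.{v}.x" for v in accepted
    )


if __name__ == "__main__":
    for ref, wild in ACL:
        print(explain(ref, wild))
    # The bit worth 1 is fixed at 0 by wildcard 0.0.80.255, so an odd third
    # octet such as 81 can never match the second line and falls through.
    for sample in ("172.27.81.7", "172.27.92.200", "172.27.27.4"):
        print(sample, "-> first matching entry:", first_match(sample, ACL))
```

Running it prints 172.27.12.x, 172.27.28.x, 172.27.76.x and 172.27.92.x for the second entry, exactly the four subnets OctalDump listed, and eight subnets (10, 11, 26, 27, 74, 75, 90, 91) for the first entry, because its wildcard also frees the bit worth 1. Note that the "range" 172.27.10.0 - 172.27.91.255 is only the span between the smallest and largest accepted value; most third octets inside that span are not matched, which is the practical reason discontiguous masks are hard to audit.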
  • GDaines Member Posts: 273
    Wow, this may as well be written in Mandarin Chinese or Martian to me, I'm not understanding a word of it. Please tell me I'm unlikely to see this in CCENT (or even CCNA)?
  • clarson Member Posts: 903
    About the only place they would be used is with ACLs. Like they weren't complicated enough. But they are on the CCENT and CCNA. But does throwing something like this really test how well you know wildcard masks? Maybe it would, but I don't think it would be fair on a timed test.
  • atorven Member Posts: 319
    On the CCENT/CCNA/CCNP level you won't see such wildcard masks; such masks just unnecessarily complicate things.
  • james43026 Member Posts: 303
    atorven wrote: »
    On the CCENT/CCNA/CCNP level you won't see such wildcard masks; such masks just unnecessarily complicate things.

    I agree, you aren't likely to see complex wildcard masks like this on the CCNA. In fact my CCNA had an ACL simulation question that just had me configure a rather simple ACL to block access to a web server.