Wildcards

Wildcards are used with access lists to specify a host, network, or part of a network. To understand wildcards, you need to understand block sizes. Block sizes are used to specify a range of addresses. The following list shows some of the different block sizes available:

Block sizes can be: 4, 8, 16, 32, or 64

When you need to specify a range of addresses, you choose the closest block size for your needs. For example, if you need to specify 34 networks, you need a block size of 64. If you want to specify 18 hosts, you need a block size of 32. If you only specify two networks, then a block size of 4 would work. Wildcards are used with the host or network address to tell the router a range of available addresses to filter. Whenever a zero is present, it means that octet in the address must match exactly.

What if you want to specify only a small range of subnets? This is where the block sizes come in. You can specify the range of values in a block size. For example, the range has to be a block size such as 16 or 32; it cannot be 20. Let's say that you want to block access to part of a network that is in the range from 172.16.8.0 through 172.16.15.0. That is a block size of 8. Your network number would be 172.16.8.0, and the wildcard would be 0.0.7.255. The 7.255 is what the router uses to determine the block size. The network and wildcard tell the router to start at 172.16.8.0 and go up a block size of eight addresses to network 172.16.15.0. All you have to do is remember that the wildcard is always one number less than the block size. So, in our example, the wildcard would be 7 since our block size is 8. If you used a block size of 16, the wildcard would be 15.

We'll go through some examples to help you really understand it. The following example tells the router to match the first three octets exactly but that the fourth octet can be anything.

RouterA(config)#access-list 10 deny 172.16.10.0 0.0.0.255

The next example tells the router to match the first two octets and that the last two octets can be any value.

RouterA(config)#access-list 10 deny 172.16.0.0 0.0.255.255

Try to figure out this next line:

RouterA(config)#access-list 10 deny 172.16.16.0 0.0.3.255

The above configuration tells the router to start at network 172.16.16.0 and use a block size of 4. The range would then be 172.16.16.0 through 172.16.19.0. The example below shows an access list starting at 172.16.16.0 and going up a block size of 8 to 172.16.23.0.

RouterA(config)#access-list 10 deny 172.16.16.0 0.0.7.255

The next example starts at network 172.16.32.0 and goes up a block size of 32 to 172.16.63.0.

RouterA(config)#access-list 10 deny 172.16.32.0 0.0.31.255

The last example starts at network 172.16.64.0 and goes up a block size of 64 to 172.16.127.0.

RouterA(config)#access-list 10 deny 172.16.64.0 0.0.63.255

Here are two more things to keep in mind when working with block sizes and wildcards:

Each block size must start at 0. For example, you can't say that you want a block size of 8 and start at 12. You must use 0–7, 8–15, 16–23, etc. For a block size of 32, the ranges are 0–31, 32–63, 64–95, etc.

0.0.0.0 255.255.255.255.

Controlling VTY (Telnet) Access

You will have a difficult time trying to stop users from
telnetting into a router because any active port on a router is fair game for VTY access. However, you can use a standard IP access list to control access by placing the access list on the VTY lines themselves. To perform this function:

1. Create a standard IP access list that permits only the host or hosts you want to be able to telnet into the routers.
2. Apply the access list to the VTY line with the access-class command.

Here is an example of allowing only host 172.16.10.3 to telnet into a router:

RouterA(config)#access-list 50 permit 172.16.10.3
RouterA(config)#line vty 0 4
RouterA(config-line)#access-class 50 in

Because of the implied deny any at the end of the list, the access list stops any host from telnetting into the router except the host 172.16.10.3.
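As an added example (not part of the original text), here is the block size and wildcard arithmetic from the first section, plus the top-to-bottom evaluation with implicit deny that the VTY access list relies on, written in Python; the function names are my own, and the sample access list is constructed from the entries shown on the page.

```python
import ipaddress


def _ip(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _dotted(n: int) -> str:
    return str(ipaddress.IPv4Address(n))


def wildcard_octet(block_size: int) -> int:
    """Octet value of the wildcard for a block size (8 -> 7, 16 -> 15, 64 -> 63)."""
    if block_size < 1 or block_size & (block_size - 1):
        raise ValueError("block size must be a power of two")
    return block_size - 1


def acl_range(network: str, wildcard: str) -> tuple[str, str]:
    """Addresses an 'access-list N permit/deny NETWORK WILDCARD' entry really covers.
    A 1 bit in the wildcard means 'don't care', so the router ignores those bits in
    NETWORK: a block that does not start on its boundary (e.g. 172.16.12.0 with
    0.0.7.255) is silently rounded down to the boundary (172.16.8.0)."""
    net, wc = _ip(network), _ip(wildcard)
    start = net & ~wc & 0xFFFFFFFF
    return _dotted(start), _dotted(start | wc)


def aligned(network: str, wildcard: str) -> bool:
    """True when the block starts at a multiple of its size (0, 8, 16, ... for size 8)."""
    return _ip(network) & _ip(wildcard) == 0


def matches(network: str, wildcard: str, address: str) -> bool:
    """The wildcard comparison the router performs for a single entry."""
    wc = _ip(wildcard)
    return (_ip(address) & ~wc) == (_ip(network) & ~wc)


def evaluate(acl: list[tuple[str, str, str]], address: str) -> str:
    """Walk a standard ACL top to bottom; entries are (action, network, wildcard).
    No match means the implied 'deny any' at the end of every list applies."""
    for action, network, wildcard in acl:
        if matches(network, wildcard, address):
            return action
    return "deny"


# Constructed sample: the VTY list from the page. A bare host entry has wildcard 0.0.0.0.
VTY_ACL = [("permit", "172.16.10.3", "0.0.0.0")]
```

Running acl_range on a misaligned entry such as 172.16.12.0 0.0.7.255 shows why the "must start at 0" rule matters: the router covers 172.16.8.0 through 172.16.15.255, not 12 through 19.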