ACL wildcard Calculation

Source: Internet
Author: User


If you understand ACLs but still cannot solve wildcard-mask problems, the rule is simpler than it looks: in a wildcard mask a 0 bit means "must match exactly" and a 1 bit means "any value". A single bit has only two possibilities, 0 or 1, but once several 1 bits are combined the number of matching addresses multiplies. Because ACLs in practice usually match address blocks, the cases that come up are these five:

1) matching a Class A, B or C network with a wildcard mask;
2) applying an ACL to a subnet;
3) applying an ACL to a specific host;
4) applying an ACL to any host or network;
5) matching a set of hosts that does not form a regular block.

1) Masking a whole class network. This is the easiest to explain. Take Class A: 10.0.0.0 0.255.255.255, written in binary (address first, wildcard second):

00001010.00000000.00000000.00000000
00000000.11111111.11111111.11111111

The first byte must be matched exactly, that is, 10; the result is the network 10.*.*.*. Now change the mask: 10.0.0.0 0.0.3.255, again in binary:

00001010.00000000.00000000.00000000
00000000.00000000.00000011.11111111

The first two bytes are strictly matched (10.0). The same idea applies to the rest: 0 is strict, 1 is arbitrary, so the last 10 bits can take any value. Working it out, the pair covers four subnets: 10.0.0.*, 10.0.1.*, 10.0.2.* and 10.0.3.*.

2) Applying an ACL to a subnet. Take the Class C network 192.168.1.0/24 and divide it into subnets. It helps to think in terms of address blocks, because subnets normally exist as address blocks, and the wildcard of a block is its size minus one:

block of 128: 192.168.1.128 0.0.0.127
block of 64:  192.168.1.0 0.0.0.63
block of 32:  192.168.1.0 0.0.0.31
block of 16:  192.168.1.0 0.0.0.15
block of 8:   192.168.1.0 0.0.0.7
block of 4:   192.168.1.0 0.0.0.3
block of 2:   192.168.1.0 0.0.0.1

3) Applying an ACL wildcard to a specific host. For example 182.16.12.4 0.0.0.0, which can also be written as host 182.16.12.4; host is a keyword that replaces the 0.0.0.0 wildcard and can be used in both the source and the destination address fields.

4) Applying an ACL to any host or network. Here the host is arbitrary, so every bit of the wildcard is 1: 0.0.0.0 255.255.255.255. This also has a special keyword: any.

5) In my words, this is the case that does not follow the rules, and it is the interesting one. I do not want to block a subnet or a whole class network with a wildcard; I only want to block some hosts, but those hosts should still follow some pattern, otherwise the administrator would go crazy. Haha. Two examples. First, write a wildcard at random and work out which hosts it blocks: 192.168.1.23 0.0.0.5. Nonsense? This is exactly the case where the wildcard ignores the rules. The CCNA self-study guide says a block cannot start at an address like 11.0 or 12.0 and its size must be a power of 2. We ignore that rule and use the most primitive method: match bit by bit. In binary:

11000000.10101000.00000001.00010111
00000000.00000000.00000000.00000101

The first three bytes are undoubtedly strictly matched. In the last byte, the bits under a 0 stay fixed and the bits under a 1 are free:

00010111
00000101
00010*1*

The starred positions may take any value, so we can calculate:

① 00010010 = 18
② 00010011 = 19
③ 00010110 = 22
④ 00010111 = 23

So 192.168.1.18, 192.168.1.19, 192.168.1.22 and 192.168.1.23 are the hosts blocked by the 0.0.0.5 wildcard. The "rule-based" wildcard mask just fooled you once, didn't it?

Note: as long as you strictly follow the principle 0 = exact match, 1 = any, every wildcard mask is a paper tiger. Second example: I need to match the hosts with odd IP addresses, or the ones with even addresses (route filtering sometimes needs the odd networks). For example 192.168.1.1, 192.168.1.2, 192.168.1.3, 192.168.1.4, 192.168.1.5, 192.168.1.6, 192.168.1.7, 192.168.1.9 ... up to 192.168.1.254; the logic is the same for all of them, and all roads lead to Rome. The first three bytes are fixed, so I omit them and write only the last byte in binary:

00000001
00000010
00000011
00000100
00000101
00000110
00000111
...

Do you see the rule? No? Look again: the last bit of an odd address is 1 and the last bit of an even address is 0. That is the rule, and writing it is simple. For odd addresses: 192.168.1.1 0.0.0.254; for even addresses: 192.168.1.2 0.0.0.254.

The above is my understanding of ACLs. If something is wrong, it is wrong, and I hope you will correct me; among three people walking together there must be a teacher of mine. If you have a better solution, don't forget to follow up the post.

The main difficulty of ACLs is the calculation of the wildcard. A typical question: obtain the wildcard mask for a known set of subnets. For example, the networks 199.172.5.0/24, 199.172.10.0/24, 199.172.13.0/24 and 199.172.14.0/24 may access the router; write the ACL, but only two ACL statements may be used.

1. Write the third octet of each network in binary:

5.0  ------- 0 1 0 1
10.0 ------- 1 0 1 0
13.0 ------- 1 1 0 1
14.0 ------- 1 1 1 0

Observe that 5.0 and 13.0 have something in common, and so do 10.0 and 14.0.

2. Use Z to mark the one bit in which each pair differs:

5.0 and 13.0  ---------- Z 1 0 1
10.0 and 14.0 ---------- 1 Z 1 0

3. Replace Z with 1 and every other digit with 0:

5.0 and 13.0  ---------- Z 1 0 1 ------------ 1 0 0 0
10.0 and 14.0 ---------- 1 Z 1 0 ------------ 0 1 0 0

4. Finally, convert the binary value to decimal:

5.0 and 13.0  ---------- Z 1 0 1 ------------ 1 0 0 0 -------- 8
10.0 and 14.0 ---------- 1 Z 1 0 ------------ 0 1 0 0 -------- 4

The result is:

access-list 10 permit 199.172.5.0 0.0.8.0
access-list 11 permit 199.172.10.0 0.0.4.0
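The bit-by-bit matching used throughout this post, as an added Python example (not code from the original post): expand() enumerates every address a base/wildcard pair matches (the 0.0.0.5 and odd/even cases), matches() tests a single address, and summarize() applies the "Z" method to derive one base/wildcard pair for a list of networks. Function names and the address cap are this example's own choices.

```python
import ipaddress
from itertools import product

MASK32 = 0xFFFFFFFF


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def matches(candidate: str, base: str, wildcard: str) -> bool:
    """Wildcard semantics: 0 bit = must equal the base bit, 1 bit = don't care."""
    keep = ~to_int(wildcard) & MASK32          # bits that must match exactly
    return (to_int(candidate) & keep) == (to_int(base) & keep)


def expand(base: str, wildcard: str, limit: int = 4096) -> list[str]:
    """List every address matched by base/wildcard (capped to avoid huge ranges)."""
    b, w = to_int(base), to_int(wildcard)
    free = [i for i in range(32) if (w >> i) & 1]   # positions of the 1 bits
    if 2 ** len(free) > limit:
        raise ValueError("wildcard covers more than %d addresses" % limit)
    fixed = b & ~w & MASK32                          # base with free bits cleared
    out = []
    for bits in product((0, 1), repeat=len(free)):   # every combination of free bits
        v = fixed
        for pos, bit in zip(free, bits):
            v |= bit << pos
        out.append(str(ipaddress.IPv4Address(v)))
    return sorted(out, key=to_int)


def summarize(addrs: list[str]) -> tuple[str, str]:
    """'Z' method: every bit position where the addresses disagree becomes a 1 in
    the wildcard; the base keeps the common bits. Caveat: if the differing bits of
    the group do not line up, the pair will match more networks than were given,
    so the grouping (5.0 with 13.0, 10.0 with 14.0) is still a design decision."""
    ints = [to_int(a) for a in addrs]
    diff = 0
    for v in ints:
        diff |= ints[0] ^ v
    base = ints[0] & ~diff & MASK32
    return str(ipaddress.IPv4Address(base)), str(ipaddress.IPv4Address(diff))


if __name__ == "__main__":
    print(expand("192.168.1.23", "0.0.0.5"))                 # the four "random" hosts
    print(summarize(["199.172.5.0", "199.172.13.0"]))        # -> 199.172.5.0 / 0.0.8.0
    print(summarize(["199.172.10.0", "199.172.14.0"]))       # -> 199.172.10.0 / 0.0.4.0
```

Feeding all four 199.172.x.0 networks to summarize() at once returns wildcard 0.0.15.0, which also admits the twelve networks that were not listed; that over-match is why the post splits them into two statements.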
