>> Let's take a look at what a standard ACL looks like. First, the keyword access-list followed by a number. Standard ACLs are uniquely identified by a number in the 1 to 99 range. Then comes either the word permit or deny, based on what you're trying to do with the packet. Following that is the source IP address, which, as we mentioned earlier, could be a device's 32-bit IPv4 address, a major classful network designation, or a specific subnet. The last parameter in a standard ACL is something called a wildcard mask, and that needs to be explained.

First off, wildcard mask sounds a lot like subnet mask. Like a subnet mask, the wildcard mask is a 32-bit value written in dotted decimal notation, but that's where the similarities end. The purpose of a subnet mask is to identify which bits in an IP address are network bits and which bits are host bits. The purpose of a wildcard mask is to tell the stateless packet filter which bits to check in an ACL statement.

Let's start off simple, using the following IP address and wildcard mask combination: 129.21.0.0 0.0.255.255. A 0 bit in the wildcard mask tells the router to check the corresponding bit in the IP address. A 1 bit in the wildcard mask tells the router to ignore the corresponding bit in the IP address. So this IP address and wildcard mask combination of 129.21.0.0 0.0.255.255 tells the router implementing the ACL: if the first 16 bits follow the above pattern, it's a match, and I don't care about the last 16 bits. So any packet with a source IP address starting with 129.21 will match this ACL instruction, which could be either a permit or a deny statement. If it's a permit statement, packets with a source IP address starting with 129.21 will be let through. If it's a deny statement, packets with a source IP address starting with 129.21 will be filtered: denied, dropped.

What about this one? 129.21.10.0 0.0.0.255. Now the first 24 bits of the source IP address have to match for this ACL statement to match. This is one of the many subnets used at RIT, made from the original classful network of 129.21.0.0/16. To permit or deny a specific host, the wildcard mask will have all 0s, as seen here. A wildcard mask of all 0s means check all 32 bits in the IP address. They must match for the statement to match.
>> Unlike a subnet mask, which always has a string of 1s at the beginning followed by a string of 0s at the end, a wildcard mask can follow any pattern of 1s and 0s. Consider this example. What do you think this IP address and wildcard mask combination does? The first 0 in the wildcard mask means the first octet of the source IP address in the packet must match 129. The second 0 in the wildcard mask means that the second octet of the source IP address in the packet must match 21. The 255 at the end of the wildcard mask means that the last octet can be anything; we don't care about it. It's not checked. The 254 in the wildcard mask's third octet is represented in binary by seven 1s followed by one 0. The seven 1s mean don't check those corresponding bits in the IP address. The 0 in the far right bit of the octet, which is the one's column, means check the corresponding bit in the IP address. Since there is a 1 in the IP address in that position, that means in order for a packet to match the statement, the third octet has to have a 1 in the one's column. We don't care about the other 7 bits in the third octet. What this IP address and wildcard mask combination does is match all odd-numbered subnets at RIT. The only way to make an odd number in binary is putting a 1 in the one's column.

The strategy for something like this is simple. The fewer lines an ACL has, the more efficient inbound and outbound traffic will be. Let's say we want to deny student traffic from entering faculty networks. Let's also say that student traffic can originate from multiple subnets. Instead of configuring statements to deny traffic from each and every one of those networks, we can design the network infrastructure so that student networks have an odd number in the third octet. And we can write one simple ACL instruction which will deny all packets that have an odd number in the third octet.

Another difference between subnet masks and wildcard masks, you might have noticed, is that subnet masks use the digit 1 as the important bit, corresponding with a network bit in the IP address. Wildcard masks, on the other hand, use a 0 as the important bit, which means check the corresponding bit in the IP address. We call the 1s in a wildcard mask the don't-care bits, because the corresponding bits in the IP address are simply ignored.
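The following is an added worked example, not part of the lecture transcript above. It implements the wildcard-mask comparison the lecturer describes (0 bits are checked, 1 bits are ignored), evaluates a small standard ACL top to bottom with first match winning, and shows the "odd third octet" trick. The ACL statements and the sample source addresses are constructed for this example; the specific statement 129.21.1.0 with wildcard 0.0.254.255 is an assumption made to match the lecture's description (the slide address is not in the transcript). The implicit deny at the end of an ACL and the relation between a contiguous subnet mask and its wildcard mask are standard Cisco IOS behaviour, not something the lecture states.

```python
"""Standard ACL wildcard-mask matching (added example, not from the lecture)."""
from ipaddress import IPv4Address
from typing import List, Tuple


def to_int(dotted: str) -> int:
    """Convert dotted-decimal notation ('129.21.0.0') into a 32-bit integer."""
    return int(IPv4Address(dotted))


def wildcard_match(packet_src: str, acl_addr: str, wildcard: str) -> bool:
    """Return True if packet_src matches acl_addr under the wildcard mask.

    A 0 bit in the wildcard mask means "check this bit"; a 1 bit means
    "don't care".  Inverting the mask gives a 'care' mask with 1s where the
    bits must be compared; clearing the don't-care bits on both sides and
    testing equality is exactly the check the router performs.
    """
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(packet_src) & care) == (to_int(acl_addr) & care)


# A standard ACL is an ordered list of (action, source address, wildcard mask).
Statement = Tuple[str, str, str]


def evaluate_acl(acl: List[Statement], packet_src: str) -> str:
    """Walk the ACL top to bottom; the first matching statement decides.

    If no statement matches, the packet hits the implicit deny that IOS
    places at the end of every ACL (standard behaviour, assumed here).
    """
    for action, addr, wildcard in acl:
        if wildcard_match(packet_src, addr, wildcard):
            return action
    return "deny"


def subnet_to_wildcard(subnet_mask: str) -> str:
    """For a contiguous subnet mask the wildcard mask is its bitwise inverse.

    e.g. 255.255.0.0 -> 0.0.255.255.  Wildcard masks need not be contiguous,
    so the reverse direction is not generally meaningful.
    """
    return str(IPv4Address(~to_int(subnet_mask) & 0xFFFFFFFF))


# Constructed ACL illustrating the lecture's design: student subnets carry an
# odd number in the third octet, so one deny line covers all of them, and a
# second line permits the rest of the 129.21.0.0/16 network.
ACL_1: List[Statement] = [
    ("deny", "129.21.1.0", "0.0.254.255"),    # assumed statement: odd third octet
    ("permit", "129.21.0.0", "0.0.255.255"),  # everything else in 129.21.0.0/16
]

if __name__ == "__main__":
    # Constructed sample sources: even subnet, odd subnet, odd subnet, outside 129.21/16.
    for src in ["129.21.10.7", "129.21.11.7", "129.21.255.1", "10.0.0.1"]:
        print(f"{src:>14} -> {evaluate_acl(ACL_1, src)}")
```

The care mask for 0.0.254.255 is 255.255.1.0, so only the one's bit of the third octet is compared against the 1 in 129.21.1.0; any source whose third octet is odd is denied, while 129.21.10.x passes to the permit line and anything outside 129.21.0.0/16 falls through to the implicit deny.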
Reposted from: https://www.cnblogs.com/sec875/articles/10028614.html