
Here is a quick lesson on Cisco access lists and one of the most common mistakes made by people configuring them for a non-standard mask boundary. I've seen this mistake made over and over again, which is unfortunate, because a supposedly secure environment is usually left wide open for attack.

This assumes basic knowledge of Cisco access lists ...

Let's take a simple example. IP access to the following block of addresses is to be BLOCKED: 192.168.20.0 thru 192.168.20.255, or stated another way: 192.168.20.0 with a mask of 255.255.255.0. The correct access list is:

access-list 101 deny ip any 192.168.20.0   0.0.0.255
access-list 101 permit ip any any

Simple, right? The mask on the line above, 0.0.0.255 (an inverse, or wildcard, mask), indicates that the entire range of last-octet values from 0 thru 255 is matched by this rule and therefore blocked.

Let's take a more complicated example. IP access to the following block of addresses is to be BLOCKED: 209.212.190.0 thru 209.212.190.7, or stated another way: 209.212.190.0 with a mask of 255.255.255.248. At first glance, the rule might look like this:

access-list 101 deny ip any 209.212.190.0   0.0.0.248

The INTENT of this list is obviously to block hosts on the Internet from connecting to any of these IP addresses: 209.212.190.0 thru 209.212.190.7.

Guess what that filter really blocks? You may be surprised: 209.212.190.8, 209.212.190.16, 209.212.190.24, 209.212.190.32, etc. ... ?!?!?!? Interesting indeed. Want to know more?

The mask supplied to an access list indicates which bits of the address are significant. If the mask contains a 0 bit, that bit must be checked in the address in question. If the mask contains a 1 bit, that bit is a wildcard and is NOT checked. So far so good?

Thus the mask supplied above:

         Dec              0.       0.       0.     248
         Bin       00000000.00000000.00000000.11111000

indicates that the upper five bits in the last octet are wildcards and are NOT to be checked. Let's compute an example now. We will use an address that was SUPPOSED to be blocked: 209.212.190.4

         Dec            209.     212.     190.       4
         Bin       11010001.11010100.10111110.00000100

As specified by the mask, the upper five bits in the last octet are ignored for comparison. So the address with the mask applied looks like this:

         Dec            209.     212.     190.       4
         Bin       11010001.11010100.10111110._____100

The above address must now be compared with the original address specified in the access list configuration which was:

         Dec            209.     212.     190.       0
         Bin       11010001.11010100.10111110.00000000

So let's do a bit-for-bit comparison. If the bits are equal I will place an (=) sign under the column, if the bits are not equal I will place a (!) sign under the column, and if the bits are to be ignored I will place an (I) under the column.

 Address w/ mask:  11010001.11010100.10111110._____100
Original address:  11010001.11010100.10111110.00000000
------------------------------------------------------
                   ======== ======== ======== IIIII!==

Notice that not all of the significant bits are equal!! This indicates there is NOT a match. All significant bits must be equal for a match!! Thus a packet with a destination address of 209.212.190.4 will be PERMITTED!! This is just the OPPOSITE of the desired access list!!

Even an address such as 209.212.190.44 is allowed. Let's do the math:

         Dec            209.     212.     190.      44
         Bin       11010001.11010100.10111110.00101100

 Address w/ mask:  11010001.11010100.10111110._____100
Original address:  11010001.11010100.10111110.00000000
------------------------------------------------------
                   ======== ======== ======== IIIII!==

Looky here, same result as before!! No match. Well, you may be asking, what would match? The only addresses that match are those whose last three bits in the last octet are 0, i.e. last-octet values that are multiples of 8, such as 8, 16, 24, 32, etc. Here is an example:

         Dec            209.     212.     190.      24 
         Bin       11010001.11010100.10111110.00011000

 Address w/ mask:  11010001.11010100.10111110._____000
Original address:  11010001.11010100.10111110.00000000
------------------------------------------------------
                   ======== ======== ======== IIIII===

We finally have a match that would be blocked!! So with all that said, you are wondering, or you have already figured out, what the correct mask should be: 0.0.0.7

         Dec              0.       0.       0.       7
         Bin       00000000.00000000.00000000.00000111

indicates that the last three bits in the last octet are wildcards and are NOT to be checked. Let's compute the example now with a packet destined to 209.212.190.4:

         Dec            209.     212.     190.       4
         Bin       11010001.11010100.10111110.00000100

 Address w/ mask:  11010001.11010100.10111110.00000___
Original address:  11010001.11010100.10111110.00000000
------------------------------------------------------
                   ======== ======== ======== =====III

We have a match!! As you can see, this mask would prevent anyone from connecting to 209.212.190.0 thru 209.212.190.7. So the access list should have been written like this:

access-list 101 deny ip any 209.212.190.0   0.0.0.7
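To make the bit-for-bit comparison above mechanical, here is an added Python example (my own code, not from the original page or from Cisco) that evaluates an address against an access-list entry the same way the router does, renders the same (=)/(!)/(I) comparison line used above, enumerates which hosts in the 209.212.190.0 block a given wildcard actually matches, and flags the mistake itself: a "wildcard" that is really a subnet mask. Function names are my own; the addresses and masks are the ones from the examples above.

```python
# Added example: Cisco wildcard-mask matching and a check for the
# subnet-mask-used-as-wildcard mistake. Not code from the original page.
import ipaddress


def to_int(dotted: str) -> int:
    """Convert a dotted-quad string such as '0.0.0.248' to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(packet_addr: str, acl_addr: str, wildcard: str) -> bool:
    """True if packet_addr matches acl_addr under a Cisco wildcard mask.

    A 0 bit in the wildcard means 'this bit must be equal';
    a 1 bit means 'ignore this bit'. Only the significant (0) bits are compared.
    """
    significant = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(packet_addr) & significant) == (to_int(acl_addr) & significant)


def bit_comparison(packet_addr: str, acl_addr: str, wildcard: str) -> str:
    """Render the comparison line used in the article: '=' equal bit,
    '!' unequal significant bit, 'I' ignored (wildcard) bit, one group per octet."""
    p, a, w = to_int(packet_addr), to_int(acl_addr), to_int(wildcard)
    out = []
    for i in range(31, -1, -1):
        bit = 1 << i
        if w & bit:
            out.append("I")
        elif (p & bit) == (a & bit):
            out.append("=")
        else:
            out.append("!")
        if i % 8 == 0 and i != 0:
            out.append(" ")
    return "".join(out)


def matching_hosts(acl_addr: str, wildcard: str, prefix: str = "209.212.190") -> list:
    """Enumerate the last-octet values in prefix.0/24 that the entry matches."""
    return [n for n in range(256) if wildcard_match(f"{prefix}.{n}", acl_addr, wildcard)]


def subnet_to_wildcard(subnet_mask: str) -> str:
    """Invert a subnet mask (255.255.255.248) into a wildcard mask (0.0.0.7)."""
    return str(ipaddress.IPv4Address(~to_int(subnet_mask) & 0xFFFFFFFF))


def is_contiguous_wildcard(wildcard: str) -> bool:
    """True if the wildcard is the inverse of a valid subnet mask, i.e. its 1 bits
    form a contiguous run at the low end. 0.0.0.248 fails this test, which is the
    tell-tale sign of a subnet mask typed where a wildcard belongs."""
    w = to_int(wildcard)
    return (w & (w + 1)) == 0


if __name__ == "__main__":
    acl = "209.212.190.0"
    for mask in ("0.0.0.248", "0.0.0.7"):
        print(f"wildcard {mask}: contiguous={is_contiguous_wildcard(mask)}")
        for host in ("209.212.190.4", "209.212.190.44", "209.212.190.24"):
            print(f"  {host:>16}  {bit_comparison(host, acl, mask)}  "
                  f"match={wildcard_match(host, acl, mask)}")
        print("  matching last octets:", matching_hosts(acl, mask))
    print("255.255.255.248 as a wildcard is", subnet_to_wildcard("255.255.255.248"))
```

Running it reproduces the article's tables: with 0.0.0.248, hosts .4 and .44 do not match and only every eighth address (.0, .8, .16, ...) is blocked, while with 0.0.0.7 exactly .0 thru .7 match. The `is_contiguous_wildcard` check is a cheap lint to run over a config before deploying it; a wildcard whose set bits are not a single low-order run almost always means someone copied the subnet mask instead of inverting it.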

I hope this sheds some light on the subject. You'd be surprised how many Cisco "experts" out there actually do not know the proper use of access-lists with anything other than a 255 mask!!

Feel free to contact me with any questions and/or comments at pete-web@kazmier.com.