Can I use a wildcard mask of '0.0.0.2' ?

GeneralDzur (Technical User), Jan 10, 2005
Here's the problem: Attempting to block MTV.com's IP addresses.

213.248.112.115
213.248.112.116

I don't want two lines in the ACL - is there an appropriate wildcard mask I can use instead? I was thinking 0.0.0.2, but I feel uneasy about it.

- stephan
 
With wildcard masks you need to understand them in binary - set a bit to 0 and it means it must match, set a bit to 1 and it doesn't have to match. In your case we can use '0.0.0' to match the first 3 octets, but for the last octet we need to look at the binary a bit deeper:

115 - 01110011
116 - 01110100

As you can see we can only match up to the 5th bit; bits 6, 7 & 8 are different. Therefore we can mask the first 5 bits with 0's and set the last 3 bits to 1's, resulting in the mask:

7 - 00000111

Unfortunately this mask covers 7 numbers (0 thru 7). If the other addresses it covers are not important to you then you can use the ACL:

213.248.112.112 0.0.0.7

This will match against IP addresses 213.248.112.112 thru 119.

If the IP addresses would have been binary-contiguous then your mask could have been smaller - i.e. 4 & 5 can be matched with binary 00000001, because only the last bit changes - 4=00000100 & 5=00000101.

HTH

Andy
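
The binary reasoning in the reply above can be automated and, more usefully, checked for collateral damage before the line goes into the ACL. The following is an added example written for this page, not code from the thread or from Cisco; it computes the tightest single `base wildcard` pair covering a list of addresses (the contiguous method used above, or the exact non-contiguous mask that IOS also accepts), enumerates every address that pair would actually match, and evaluates a candidate such as the `0.0.0.2` mask from the question. The `access-list 101 deny ip any ...` line it prints is illustrative syntax only; the list number is an assumption.

```python
import ipaddress


def _to_int(addr):
    """Dotted quad -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def _to_str(n):
    """32-bit integer -> dotted quad."""
    return str(ipaddress.IPv4Address(n))


def wildcard_entry(addresses, contiguous=True):
    """Return (base, wildcard) for one ACL entry covering every address given.

    contiguous=True follows the method in the thread: every bit from the
    highest differing bit downwards becomes a don't-care (1) bit.
    contiguous=False sets only the bits that actually differ; IOS accepts
    such masks, but they are harder for the next admin to read.
    """
    ints = [_to_int(a) for a in addresses]
    diff = 0
    for n in ints:
        diff |= n ^ ints[0]          # accumulate every bit that differs
    wildcard = (1 << diff.bit_length()) - 1 if contiguous else diff
    base = ints[0] & ~wildcard & 0xFFFFFFFF   # clear the don't-care bits
    return _to_str(base), _to_str(wildcard)


def matches(address, base, wildcard):
    """True if `address` is matched by `base wildcard`: bits set in the
    wildcard are ignored, which is exactly how IOS evaluates the entry."""
    w = _to_int(wildcard)
    return (_to_int(address) | w) == (_to_int(base) | w)


def covered(base, wildcard):
    """Enumerate every address the entry matches, to audit collateral."""
    b, w = _to_int(base), _to_int(wildcard)
    free_bits = [i for i in range(32) if (w >> i) & 1]
    addrs = []
    for k in range(1 << len(free_bits)):
        v = b & ~w & 0xFFFFFFFF
        for j, bit in enumerate(free_bits):
            if (k >> j) & 1:
                v |= 1 << bit
        addrs.append(v)
    return [_to_str(v) for v in sorted(addrs)]


if __name__ == "__main__":
    # The two addresses from the question.
    targets = ["213.248.112.115", "213.248.112.116"]
    base, wc = wildcard_entry(targets)
    print(f"access-list 101 deny ip any {base} {wc}")   # assumed ACL number
    extra = [a for a in covered(base, wc) if a not in targets]
    print("also blocked:", extra)
    # The mask the poster was unsure about, applied from .115:
    print("0.0.0.2 from .115 matches:", covered("213.248.112.115", "0.0.0.2"))
    for a in targets:
        print(a, "matched by 0.0.0.2:", matches(a, "213.248.112.115", "0.0.0.2"))
```

Running it shows why the uneasy feeling was justified: `213.248.112.115 0.0.0.2` matches .113 and .115 (bit 1 is the don't-care bit), so .116 is not blocked at all, while `213.248.112.112 0.0.0.7` covers the eight addresses .112 through .119, six of which are not the intended targets. The `covered` list is the thing to check against nslookup/whois before committing the line.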

 
Thanks a million Andy, that was extremely helpful.

I'm looking up the other 5 addresses (nslookup & whois) to make sure they aren't critical.

Again thanks for helping me out.

- stephan
 
For all the effort would it not just be easier to add 2 lines to the ACL...... ;o)

Glad it helped.

Andy
 
Well, I've wanted a chance to use a custom wildcard mask for a while, (to brush up on my memory/skills) and I thought this would be a good opportunity. Besides, our outgoing ACL already has over 35 entries to block websites by IP, and it's getting out of hand.

- stephan
 
35 - believe me that is tiny compared to some customers' internet-facing routers I have worked on. I have even seen some that booted the configs off a TFTP server as the NVRAM was too small.
The other problem with using inverse masks is the day you are off work and someone who doesn't understand the logic too well changes it.......

Andy
 
Doesn't having lists that large slow down the routing? Our CPU is holding at about 10%, with roughly 35-40 lines blocking websites, and 8 or so lines allowing certain ports out.

CPU used to be at around 3%.

- stephan
 
It depends on what platform and what switching mode you are using (CEF, fast-switching etc). On older platforms such as the 2500 I think you may start eating CPU cycles the bigger the ACL, but with CEF-capable platforms I think the ACLs are pushed down to the ASIC level and so don't eat into the CPU time.

Andy
 
35 lines in an ACL is nothing. We have ACLs with hundreds of entries. Simplicity, i.e. simple masks, is far better in the long run. Two entries with /32 masks is much cleaner and clearer than a single entry with a less comprehensible mask.
 
Well, I keep an updated text file describing exactly what each line in the ACL does, and when the line was added (date).

I have CEF enabled on the router; it's a 2621XM with a corrupted flash, so that the router thinks it doesn't exist, therefore obstructing our attempts at upgrading its ancient IOS. So far it seems to be doing ok.

- stephan
 