cisco hands-on experience


Calculate ACL with suitable mask

Last week I stumbled over a puzzle: how to calculate the appropriate mask for a specific IP range.
My colleagues and I discussed ARP inspection and a strange ACL setting method that goes with it.
I had never seen an ACL like this:

arp access-list default-gw
deny ip 0.0.0.1 255.255.255.0 mac any log
permit ip any mac any

I decided to set the mask to 255.255.252.0 for a 22-bit range. My colleagues disagreed with my decision
and pressed me to explain. But I couldn't. So – I had to take a deeper look into calculating a mask/wildcard mask.

Purpose:

ARP inspection prevents a client connected to an access port from answering with its MAC address for an IP address it does not actually hold. This process, known as ARP spoofing, is used for deliberate attacks on the network or its users (such as man-in-the-middle attacks).

A ‘Man in the Middle’ attacker can send ARP replies and thereby manipulate the CAM table.
Hosts automatically respond to ARP replies. The aim is to prevent this. Attackers on the edge/access ports
must be prevented from claiming a gateway address, in our case the address with the digit 1 in the fourth octet.

The feature is currently used in its ‘static’ version to check ARP replies to ARP requests for the default gateway.

An access list is configured that blocks ARP replies for the default gateway address of the VLANs (*.*.*.1/24) on access ports. At the same time, the uplink ports are configured as ‘trusted’ so that ARP replies from the VLAN interfaces remain possible. This ensures that only the VLAN interfaces can reply to ARP requests for a VLAN’s default gateway.

Transformation:

A common wildcard mask or inverse mask starts from the right side with active bits. But it is possible to use any mask/wildcard mask you like, that is, whatever you calculate for your special purpose.

Access list and wildcard mask are calculated with the AND and XOR logic gates.

AND
  A  B | A AND B
  0  0 |    0
  1  0 |    0
  0  1 |    0
  1  1 |    1

XOR
  A  B | A XOR B
  0  0 |    0
  1  0 |    1
  0  1 |    1
  1  1 |    0

With this background we start to calculate ‘any old’ ip address.

0.0.0.1       =  00000000.00000000.00000000.00000001
10.232.52.1   =  00001010.11101000.00110100.00000001
__________________________________________________________
AND Result    =  00000000.00000000.00000000.00000001

0.0.0.1       =  00000000.00000000.00000000.00000001
255.255.255.0 =  11111111.11111111.11111111.00000000
__________________________________________________________
XOR Result    =  11111111.11111111.11111111.00000001

I chose the IP address 10.232.52.1. It is the attacker's IP address on the edge/access port segment.
In the first step I combine the attacker's IP address with the IP address in my ACL
using the AND logic gate. The result of the AND operation is 0.0.0.1. Perfect.

In the next step I take that result and combine it with the wildcard mask given in the ACL using XOR.
The result is 255.255.255.1.
Which IP addresses match the ACL? Any value in the first, second and third octet;
only the fourth octet must be 1: the gateway address of every possible subnet.

Therefore – we are right with our calculation example.
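As an added example (not code from the original post), the following Python checks which sender IP addresses an arp access-list entry of the form `deny ip <address> <wildcard>` would match, applying the IOS wildcard-mask convention (a 1 bit in the wildcard means "don't care", a 0 bit means "must equal the entry address"). It goes slightly beyond the post by also testing the 255.255.252.0 wildcard discussed with the colleagues; the sample sender addresses are constructed.

```python
import ipaddress


def entry_matches(entry_ip: str, wildcard: str, sender_ip: str) -> bool:
    """Return True if sender_ip is matched by the ACL entry '<entry_ip> <wildcard>'.

    Wildcard convention (IOS ACL style): a 1 bit means "don't care", a 0 bit
    means "this bit must equal the entry address".  The sender matches when
    every bit in which it differs from the entry address lies under a 1 bit
    of the wildcard, i.e. (entry XOR sender) AND NOT wildcard == 0.
    """
    entry = int(ipaddress.IPv4Address(entry_ip))
    wild = int(ipaddress.IPv4Address(wildcard))
    sender = int(ipaddress.IPv4Address(sender_ip))
    must_match = (~wild) & 0xFFFFFFFF          # bits that are NOT "don't care"
    return ((entry ^ sender) & must_match) == 0


def denied_senders(entry_ip: str, wildcard: str, candidates: list) -> list:
    """Return the candidate sender IPs that a 'deny' entry would block."""
    return [ip for ip in candidates if entry_matches(entry_ip, wildcard, ip)]


# Constructed sample of sender IPs as they might appear in ARP replies on
# access ports: gateway .1 addresses of several /24 VLANs plus ordinary hosts.
SAMPLE_SENDERS = [
    "10.232.52.1",    # gateway of VLAN 10.232.52.0/24 (the post's example)
    "10.232.52.2",    # ordinary host in the same VLAN
    "10.232.55.1",    # gateway of a neighbouring /24 VLAN
    "192.168.7.1",    # gateway of an unrelated /24 VLAN
    "10.232.52.129",  # ordinary host in the upper half of the VLAN
]

if __name__ == "__main__":
    # 255.255.255.0 pins only the fourth octet, so every x.x.x.1 is denied.
    print("255.255.255.0 ->", denied_senders("0.0.0.1", "255.255.255.0", SAMPLE_SENDERS))
    # 255.255.252.0 additionally pins the two low bits of the third octet, so
    # the .1 gateway of 10.232.55.0/24 would slip through the deny entry.
    print("255.255.252.0 ->", denied_senders("0.0.0.1", "255.255.252.0", SAMPLE_SENDERS))
```

The second run shows why the 22-bit mask does not express "the .1 address of every VLAN": it only denies gateways whose third octet is a multiple of 4.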

Logic Gates Compendium:

AND
  A  B | A AND B
  0  0 |    0
  1  0 |    0
  0  1 |    0
  1  1 |    1

XOR
  A  B | A XOR B
  0  0 |    0
  1  0 |    1
  0  1 |    1
  1  1 |    0

OR
  A  B | A OR B
  0  0 |   0
  1  0 |   1
  0  1 |   1
  1  1 |   1

NAND
  A  B | A NAND B
  0  0 |    1
  1  0 |    1
  0  1 |    1
  1  1 |    0

NOR
  A  B | A NOR B
  0  0 |    1
  1  0 |    0
  0  1 |    0
  1  1 |    0

XNOR
  A  B | A XNOR B
  0  0 |    1
  1  0 |    0
  0  1 |    0
  1  1 |    1

NOT
  A | NOT A
  0 |   1
  1 |   0
  1. google advertising rates

    Very quickly this site will be famous amid all blogging and site-building viewers, due to its fastidious content

  2. Bertie C. Spilis

    Simply wish to say your article is astonishing.
    The clarity of your post is just spectacular and I
    can think you are a professional in this subject.
    Fine, with your permission allow me to seize your RSS feed to keep updated with forthcoming posts.
    Thanks a million and please carry on the enjoyable work.

  3. Pamala

    Heya, I'm here for the first time. I found this board and I find
    it truly useful & it helped me out much.

    I hope to offer one thing back and help others like you aided me.

  4. Rachael

    Hi, everything is going nicely here and of course every one is sharing
    facts, that's really fine, keep up writing.

  5. Tanya

    Hey There. I found your blog using msn. This is a very well
    written article. I will make sure to bookmark
    it and return to learn more of your useful info. Thanks for the post.
    I will certainly return.

  6. Danelle

    It's nearly impossible to find educated people on this topic, however, you sound
    like you know what you're talking about! Thanks
