If you are asked to divide subnets into two groups of computers, some in the upper range, and some in the lower range, you can apply some of these methods.

If you step back from the question, and apply some of your subnetting skills, you can see that dividing your hosts into two ranges is very much like Variable Length Subnet Masking, where you can “subnet a subnet”. You have a classful IP address which is subnetted, but then with ACLs you can virtually subnet an existing LAN for security purposes.  This effectively allows hosts on that LAN to communicate with each other without going through a router, but allows you to filter traffic leaving or entering that network at a router interface.

If you have a 209.32.95.0 network subnetted into 209.32.95.0 /28, you know that your custom subnet mask would be 255.255.255.240. How many hosts could you uniquely identify? You have 4 host bits and 4 subnetting bits, so that gives you (2^4)-2=14 usable hosts and (2^4)-2=14 usable subnets.

If we want to have fewer subnets and more hosts, we could go to 209.32.95.0 /27 (255.255.255.224), which would give (2^5)-2=30 usable hosts and (2^3)-2=6 usable subnets.

If we turn the dial in the other direction, and want to have more subnets and fewer hosts per subnet, we could go to 209.32.95.0 /29 (255.255.255.248), which would have (2^3)-2=6 usable hosts and (2^5)-2=30 usable subnets. Essentially, this would split each of our original 255.255.255.240 subnets in half, allowing only half the original hosts and twice the number of subnets.

Applying this principle to ACLs, we can use the wildcard mask to apply an ACL to only a subset of our original LAN's addresses. We need to determine the subnetwork ID for the addresses we would like to filter, and then apply the proper wildcard mask.

209.32.95.0/28 is an existing Ethernet network we would like to control with ACLs. It can also be shown as:

Network: 209.32.95.0, Subnet Mask: 255.255.255.240, and you can see that the interesting octet is the fourth octet.

Subnet mask: 255.255.255.11110000 – 255.255.255.240

209.032.095.00000000 – 209.032.095.000 – Subnet 0
209.032.095.00010000 – 209.032.095.016 – Subnet 1
209.032.095.00100000 – 209.032.095.032 – Subnet 2
209.032.095.00110000 – 209.032.095.048 – Subnet 3
209.032.095.01000000 – 209.032.095.064 – Subnet 4
209.032.095.01010000 – 209.032.095.080 – Subnet 5
209.032.095.01100000 – 209.032.095.096 – Subnet 6
209.032.095.01110000 – 209.032.095.112 – Subnet 7
209.032.095.10000000 – 209.032.095.128 – Subnet 8
209.032.095.10010000 – 209.032.095.144 – Subnet 9
209.032.095.10100000 – 209.032.095.160 – Subnet 10
209.032.095.10110000 – 209.032.095.176 – Subnet 11
209.032.095.11000000 – 209.032.095.192 – Subnet 12
209.032.095.11010000 – 209.032.095.208 – Subnet 13
209.032.095.11100000 – 209.032.095.224 – Subnet 14
209.032.095.11110000 – 209.032.095.240 – Subnet 15

If we map out Subnet 1, then we would see these attributes:

209.032.095.0001 0000 – 209.032.095.016 – Subnet ID for Subnet 1

209.032.095.0001 0001 – 209.032.095.017 – First Host Possible in Range

... Host Range ...

209.032.095.0001 1110 – 209.032.095.030 – Last Host Possible in Range

209.032.095.0001 1111 – 209.032.095.031 – Broadcast Address

209.032.095.0010 0000 – 209.032.095.032 – Subnet ID for Subnet 2

If I asked you to split Subnet 1 (209.032.095.016) in half, because we only need 6 hosts per subnet, rather than 14 hosts per subnet, then you might tell me to use 255.255.255.248 for my subnet mask.

255.255.255.1111 1 000 – 255.255.255.248

This would give us two subnets covering that same range of IP addresses we originally had in Subnet 1:

209.032.095.0001 0 000 – 209.032.095.016 – First Subnet or Half

209.032.095.0001 1 000 – 209.032.095.024 – Second Subnet or Half

209.032.095.0001 0 001 – 209.032.095.017 – First Host Possible in Range

255.255.255.1111 1 000 -- 255.255.255.248 – Subnet Mask

209.032.095.0001 0 000 – 209.032.095.016 – Resulting Subnetwork ID after ANDing

209.032.095.0001 1 110 – 209.032.095.030 – Last Host Possible in Range

255.255.255.1111 1 000 -- 255.255.255.248 – Subnet Mask

209.032.095.0001 1 000 – 209.032.095.024 – Resulting Subnetwork ID after ANDing

Notice that in the second half of the .240 subnet, the fourth bit from the right must be a 1 to be able to get a value of 24,25,26,27,28,29,30,31. As an administrator you will be looking for something identifiable that jumps out from a garbled stream of data, or you will need to isolate something that is unique about a problem machine or IP address. In this case, we can identify an entire range of IP addresses by a network ID, and a Wildcard mask.

209.032.095.0001 0 000 – 209.032.095.016 – 0.0.0.0000 0 111 (0.0.0.7) – First Half of Subnet

209.032.095.0001 1 000 – 209.032.095.024 – 0.0.0.0000 0 111 (0.0.0.7) – Second Half of Subnet

Examples:

209.032.095.0001 1 010 – 209.032.095.026 – This would be on the second half

000.000.000.0000 0 111 – 000.000.000.007 – Our Wildcard Mask

209.032.095.0001 1 000 – 209.032.095.024 – Comparing the host with our wildcard mask matches our network ID of .024, and this address would be permitted or denied depending on our ACL statements.

209.032.095.0001 0 010 – 209.032.095.018 – This would be on the first half

000.000.000.0000 0 111 – 000.000.000.007 – Our Wildcard Mask

209.032.095.0001 0 000 – 209.032.095.016 – Comparing host with our Wildcard mask matches our network ID of .016, and this address would be permitted or denied depending on our ACL statements.

What if we want to prevent SNMP traffic from exiting from our upper range of addresses? What if we wanted to prevent that traffic from leaving this network and going to an untrusted network of 192.168.4.8?  We could apply an extended ACL on an interface to deny that traffic:

access-list 101 remark Block SNMP related traffic from Kuala Lumpur LAN Production hosts to 192.168.4.8/24
access-list 101 deny udp 209.32.95.24 0.0.0.7 192.168.4.8 0.0.0.255 range snmp snmptrap
access-list 101 remark Allow web requests from entire Kuala Lumpur LAN (209.32.95.16/28, wildcard 0.0.0.15)
access-list 101 permit tcp 209.32.95.16 0.0.0.15 any eq 80
access-list 101 remark Explicit deny of everything else (same effect as the implicit deny at the end of every ACL)
access-list 101 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
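The wildcard comparison walked through above and the ACL it feeds can be checked in code. The following Python is an added example, not part of the original tutorial or any vendor tool; it assumes the permit line uses wildcard 0.0.0.15 so that it covers exactly the 209.32.95.16/28 LAN, and the sample packets are constructed.

```python
import ipaddress


def wildcard_from_prefix(prefix: int) -> str:
    """A /prefix block is matched by the wildcard with the low (32-prefix)
    bits set: /28 -> 0.0.0.15, /29 -> 0.0.0.7 (the two halves above)."""
    return str(ipaddress.IPv4Address((1 << (32 - prefix)) - 1))


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'.
    The address matches when it agrees with the network ID on every 0 bit."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)


# Extended ACL 101 from the page as (action, proto, src, src_wc, dst, dst_wc,
# low_port, high_port). snmp=161, snmptrap=162; port None means any port.
# Assumption: the permit line uses 0.0.0.15 so it covers exactly the /28.
ACL_101 = [
    ("deny",   "udp", "209.32.95.24", "0.0.0.7",         "192.168.4.8", "0.0.0.255",       161, 162),
    ("permit", "tcp", "209.32.95.16", "0.0.0.15",        "0.0.0.0",     "255.255.255.255", 80,  80),
    ("deny",   "ip",  "0.0.0.0",      "255.255.255.255", "0.0.0.0",     "255.255.255.255", None, None),
]


def evaluate(acl, proto: str, src: str, dst: str, dport: int):
    """Walk the ACL top-down; the first matching entry decides.
    Returns (action, index of the winning entry), or ('deny', None) for the
    implicit deny that ends every Cisco ACL."""
    for idx, (action, p, s, swc, d, dwc, lo, hi) in enumerate(acl):
        if p != "ip" and p != proto:          # 'ip' matches every protocol
            continue
        if not (wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc)):
            continue
        if lo is not None and not lo <= dport <= hi:
            continue
        return action, idx
    return "deny", None


if __name__ == "__main__":
    # Constructed sample packets: (proto, src, dst, dst port)
    for pkt in [("udp", "209.32.95.26", "192.168.4.8", 161),   # upper half SNMP -> entry 0 denies
                ("tcp", "209.32.95.26", "192.168.4.8", 80),    # upper half web -> entry 1 permits
                ("udp", "209.32.95.18", "192.168.4.8", 161),   # lower half SNMP -> final deny
                ("tcp", "209.32.95.40", "192.168.4.8", 80)]:   # outside the /28 -> final deny
        print(pkt, "->", evaluate(ACL_101, *pkt))
```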