by Tony Mattke on May 19, 2010
Unlike subnet masks, wildcard masks allow you to use discontiguous bits, which lets you match on a range of values with a single statement. Using these within routing protocols is typically frowned upon, if not outright prohibited. Unfortunately, there are those individuals who strive to trim every line they can from their ACLs. Can you say job security through routing obscurity? The downside to using these masks is that the more complex they get, the more unintentional traffic they allow in. Realistically, they should never be used in production networks.
I'll reiterate that statement. Do not use them in production networks unless you know and completely understand the consequences!
An Illogical Example
For our first example, let's take 3 random /24s and match them with one single statement. The first thing we have to do is come up with our network address. After we convert our networks to binary, we need to perform AND logic on them. The result will be our network address.
74.18.23.0/24 - 01001010 . 00110010 . 00010111 . 00000000
68.34.14.0/24 - 01000100 . 00100010 . 00001110 . 00000000
84.51.20.0/24 - 01010100 . 00110011 . 00010100 . 00000000
AND Result ---- 01000000 . 00100010 . 00000100 . 00000000 = 64.34.4.0
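To show how much a wildcard line built this way over-matches, here is an added example (not the author's code) that derives the network and wildcard mask from a list of prefixes and counts the /24s the result actually permits. It uses 74.50.23.0/24 for the first network, because the binary row above encodes that second octet as 00110010 (50), which is what produces the 64.34.4.0 AND result.

```python
"""Wildcard mask covering several networks, and how many prefixes it really matches."""
from ipaddress import IPv4Address, IPv4Network


def wildcard_for(networks):
    """Return (network, wildcard) for one ACL line matching every given network.

    network  = bitwise AND of all network addresses (the AND step shown above)
    wildcard = bits that differ between any network and that AND result,
               plus the host bits of each prefix (1 = "don't care")
    """
    nets = [IPv4Network(n) for n in networks]
    base = int(nets[0].network_address)
    for n in nets[1:]:
        base &= int(n.network_address)
    wild = 0
    for n in nets:
        wild |= int(n.network_address) ^ base  # discontiguous differing bits
        wild |= int(n.hostmask)                # host portion of each /24
    return str(IPv4Address(base)), str(IPv4Address(wild))


def matches(addr, network, wildcard):
    """ACL semantics: addr matches when it agrees with network on every 0 bit."""
    w = int(IPv4Address(wildcard))
    return (int(IPv4Address(addr)) & ~w) == (int(IPv4Address(network)) & ~w)


def matched_prefixes(wildcard, prefixlen=24):
    """Number of /prefixlen blocks the line permits: 2 ** (wildcard bits above the host part)."""
    w = int(IPv4Address(wildcard)) >> (32 - prefixlen)
    return 2 ** bin(w).count("1")


if __name__ == "__main__":
    # Constructed input: the three /24s from the table above (first octet pair read from binary)
    wanted = ["74.50.23.0/24", "68.34.14.0/24", "84.51.20.0/24"]
    net, wild = wildcard_for(wanted)
    print(f"access-list 10 permit {net} {wild}")
    print(f"intended /24s: {len(wanted)}, /24s actually permitted: {matched_prefixes(wild)}")
    # 94.51.31.0/24 is not on the list, yet it slips through the mask
    print("94.51.31.7 matches:", matches("94.51.31.7", net, wild))
```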
[ read more... ]
by Tony Mattke on April 20, 2010
Have you ever needed to access a site that had an IP restriction, or one inside your remote network? Recently I needed to access a customer's remote monitoring site, but it's restricted to a small subnet of IPs. They had no VPN set up for me, so I had to come up with something new…
The answer was creating an ssh connection to their network firewall, which happened to be a custom Linux box I had access to. The setup is actually quite simple, and requires no changes to the remote host. The following command will create a local SOCKS proxy on port 8080 for your machine to use; anything sent through it leaves the network from the ssh host, so it appears to come from their address space.
hackpro:~# ssh -q2nCTN -D 8080 user@hostname
[ read more... ]
by Tony Mattke on April 19, 2010
Netcat, or nc, is a forgotten tool in too many arsenals these days. It lies dormant at the command line, waiting to make connections across the globe for you. Knowing how to use it could ease many of your day to day tasks. Simply put, netcat creates a TCP socket either in listening mode (server) or as a socket used to connect to a server (client).
One of the simplest examples is to use it as a chat server / client. Let's assume we're starting the server on a host with an IP address of 198.19.6.8 and we're going to use port 8888. The following example lets us set up a connection between the two hosts and type messages back and forth using stdin.
server:~$ nc -lp 8888
... in a subnet far far away
client:~$ nc 198.19.6.8 8888
[ read more... ]
by Tony Mattke on March 27, 2010
Recently a “colleague”, I use that term very loosely here, was reviewing my recommendations for changes on his network. Since they’re rather tight on public IP space, and require it for a few of their PTP links, I had suggested changing them to /31 subnets. His response was less than accepting of the changes as he did everything but call me a liar.
Nonetheless, RFC 3021 first introduced the idea of thirty-one bit subnets as a means to increase the utilization of IP space in point-to-point address space. Since then most manufacturers have made a move to support the standard. Cisco’s IOS has supported the feature since version 12.2(2)T.
[ read more... ]
by Tony Mattke on May 7, 2009
One of the questions I get asked several times a week by my clients is as such. While most people never associate latency with the amount of data they can send across a single TCP stream, engineers need to understand this concept.
Luckily, someone has done most of the leg work for us. Many years ago, a colleague forwarded me a thesis paper written by Jesper Dangaard Brouer from Copenhagen University in Denmark. While this paper mainly focuses on issues concerning ADSL, he does analyze our exact question on page 21 (28 on the PDF).
[ read more... ]