-
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide, 2.2
-
About This Guide
-
Quick Start Steps
-
Introduction to the Firewall Services Module
-
Configuring the Switch for the Firewall Services Module
-
Connecting to the Firewall Services Module and Managing the Configuration
-
Configuring the Firewall Mode
-
Managing Security Contexts
-
Configuring Basic Settings
-
Configuring Bridging Parameters and ARP Inspection
-
Configuring IP Addresses, Routing, and DHCP
-
Configuring Network Address Translation
-
Controlling Network Access with Access Control Lists
-
Allowing Remote Management
-
Configuring AAA
-
Configuring Application and Protocol Inspection
-
Filtering HTTP, HTTPS, or FTP Requests Using an External Server
-
Using Failover
-
Managing Software and Configuration Files
-
Monitoring and Troubleshooting the Firewall Services Module
-
Specifications
-
Sample Configurations
-
Understanding the Command-Line Interface
-
Addresses, Protocols, and Ports Reference
-
Acronyms and Abbreviations
-
Index
-
Feedback
Table Of Contents
Addresses, Protocols, and Ports Reference
Determining the Address to Use with the Subnet Mask
Addresses, Protocols, and Ports Reference
This appendix provides a quick reference for the following categories:
•
IP Addresses and Subnet Masks
IP Addresses and Subnet Masks
This section describes how to use IP addresses in the Firewall Services Module (FWSM). An IP address is a 32-bit number written in dotted decimal notation: four 8-bit fields (octets) converted from binary to decimal numbers, separated by dots. The first part of an IP address identifies the network on which the host resides, while the second part identifies the particular host on the given network. The network number field is called the network prefix. All hosts on a given network share the same network prefix but must have a unique host number. In classful IP, the class of the address determines the boundary between the network prefix and the host number.
This section includes the following topics:
Classes
IP host addresses are divided into three different address classes: Class A, Class B, and Class C. Each class fixes the boundary between the network prefix and the host number at a different point within the 32-bit address. Class D addresses are reserved for multicast IP.
•
•
•
Because Class A addresses have 16,777,214 host addresses, and Class B addresses 65,534 hosts, you can use subnet masking to break these huge networks into smaller subnets.
Private Networks
If you need large numbers of addresses on your network, and they do not need to be routed on the Internet, you can use private IP addresses that the Internet Assigned Numbers Authority (IANA) recommends (see RFC 1918). The following address ranges are designated as private networks that should not be advertised:
•
•
•
Subnet Masks
A subnet mask lets you convert a single Class A, B, or C network into multiple networks. With a subnet mask, you can create an extended network prefix that adds bits from the host number to the network prefix. For example, a Class C network prefix always consists of the first three octets of the IP address. But a Class C extended network prefix uses part of the fourth octet as well.
Subnet masking is easy to understand if you use binary notation instead of dotted decimal. The bits in the subnet mask have a one-to-one correspondence with the Internet address:
•
•
Example 1: If you have the Class B address 129.10.0.0 and you want to use the entire third octet as part of the extended network prefix instead of the host number, you must specify a subnet mask of 11111111.11111111.11111111.00000000. This subnet mask converts the Class B address into the equivalent of a Class C address, where the host number consists of the last octet only.
Example 2: If you want to use only part of the third octet for the extended network prefix, then you must specify a subnet mask like 11111111.11111111.11111000.00000000, which uses only 5 bits of the third octet for the extended network prefix.
You can write a subnet mask as a dotted decimal mask or as a /bits ("slash bits") mask. In Example 1, for a dotted decimal mask, you convert each binary octet into a decimal number: 255.255.255.0. For a /bits mask, you add the number of 1s: /24. In Example 2, the decimal number is 255.255.248.0 and the /bits is /21.
You can also supernet multiple Class C networks into a larger network by using part of the third octet for the extended network prefix. For example, 192.168.0.0/20.
Determining the Subnet Mask
To determine the subnet mask based on how many hosts you want, see Table D-1.
Table D-1 Hosts, Bits, and Dotted Decimal Masks
16,777,216
/8
255.0.0.0 Class A Network
65,536
/16
255.255.0.0 Class B Network
32,768
/17
255.255.128.0
16,384
/18
255.255.192.0
8,192
/19
255.255.224.0
4,096
/20
255.255.240.0
2,048
/21
255.255.248.0
1,024
/22
255.255.252.0
512
/23
255.255.254.0
256
/24
255.255.255.0 Class C Network
128
/25
255.255.255.128
64
/26
255.255.255.192
32
/27
255.255.255.224
16
/28
255.255.255.240
8
/29
255.255.255.248
4
/30
255.255.255.252
Do not use
/31
255.255.255.254
1
/32
255.255.255.255 Single Host Address
1 The first and last number of a subnet are reserved, except for /32, which identifies a single host.
Determining the Address to Use with the Subnet Mask
The following sections describe how to determine the network address to use with a subnet mask for a Class C-size and a Class B-size network:
Class C-Size Network Address
For a network between 2 and 254 hosts, the fourth octet falls on a multiple of the number of host addresses, starting with 0. For example, the 8-host subnets (/29) of 192.168.0.x are as follows:
192.168.0.0
192.168.0.0 to 192.168.0.7
192.168.0.8
192.168.0.8 to 192.168.0.15
192.168.0.16
192.168.0.16 to 192.168.0.31
...
...
192.168.0.248
192.168.0.248 to 192.168.0.255
1 The first and last address of a subnet are reserved. In the first subnet example, you cannot use 192.168.0.0 or 192.168.0.7.
Class B-Size Network Address
To determine the network address to use with the subnet mask for a network with between 254 and 65,534 hosts, you need to determine the value of the third octet for each possible extended network prefix. For example, you might want to subnet an address like 10.1.x.0, where the first two octets are fixed because they are used in the extended network prefix, and the fourth octet is 0 because all bits are used for the host number.
To determine the value of the third octet, follow these steps:
Step 1
For example, 65,536 divided by 4096 hosts equals 16.
Therefore, there are 16 subnets of 4096 addresses each in a Class B-size network.
Step 2
In this example, 256/16 = 16.
The third octet falls on a multiple of 16, starting with 0.
Therefore, the 16 subnets of the network 10.1 are as follows:
10.1.0.0
10.1.0.0 to 10.1.15.255
10.1.16.0
10.1.16.0 to 10.1.31.255
10.1.32.0
10.1.32.0 to 10.1.47.255
...
...
10.1.240.0
10.1.240.0 to 10.1.255.255
1 The first and last address of a subnet are reserved. In the first subnet example, you cannot use 10.1.0.0 or 10.1.15.255.
Protocols and Applications
This section provides information about the protocols and applications with which you may need to work when configuring the FWSM. It includes the following topics:
Possible literal values are ahp, eigrp, esp, gre, icmp, igmp, igrp, ip, ipinip, ipsec, nos, ospf, pcp, snp, tcp, and udp. You can also specify any protocol by number. The esp and ah protocols only work in conjunction with Private Link.
Note
Table D-2 lists the numeric values for the protocol literals.
Protocol numbers can be viewed online at the IANA website:
http://www.iana.org/assignments/protocol-numbers
TCP and UDP Ports
Table D-3 lists the literal values and port numbers; either can be entered in FWSM commands. See the following caveats:
•
•
•
Port numbers can be viewed online at the IANA website:
http://www.iana.org/assignments/port-numbers
ICMP Types
Table D-4 lists the ICMP type numbers and names that you can enter in FWSM commands:
