

Specifying a Subnet Mask for IPV4 Addresses
Dividing your TCP/IP network into subnets is useful for security and performance reasons. Terminals belong to the same subnet when the network portion of their IPV4 addresses has the same value. For example, all terminals whose IPV4 addresses start with 10.0.80 are part of the same subnet. A subnet mask identifies which bits of an IPV4 address form the network portion, and therefore which subnet the address belongs to.
When creating rules, you can append a subnet mask to the IPV4 address given as the requester variable. The mask is ANDed with both the IPV4 address specified on the rule and the TCP/IP user's IPV4 address before CA VM:Secure compares the two results; bits that are 0 in the mask are ignored on both sides. Use a plus (+) character to separate the requester value from the mask on a rule. A requester address written without a mask is compared in full.
Example
Your system uses an IPV4 subnet with the following requirements:
- Requesters must have a value of 10 in the first octet of their IPV4 address.
- Requesters with a value of 128‑255 in the second octet can access the network.
- Any value in the third and fourth octets is acceptable.
You want to establish the following security rules:
- Allow an off-site contractor with a known IPV4 address to dial in to VTAM
- Allow all users in the company to dial in to VTAM
- Prevent any other IPV4 address from dialing in to VTAM
To satisfy your security requirements, add the following rules to the VTAM user rules file:
ACCEPT 199.10.89.1 DIAL (IPADDR
ACCEPT 10.128.0.0+255.128.0.0 DIAL (IPADDR
REJECT * DIAL (IPADDR
where 255.128.0.0 is the subnet mask. The first rule carries no mask, so only the contractor's exact address 199.10.89.1 matches it.
The subnet mask can be broken down in this manner:
- The 255 in the mask first octet (with all of its bits turned on) means every bit of that octet takes part in the comparison, so the requester's first octet must equal the rule's first octet, 10.
- The 128 in the mask second octet (with only its left-most bit turned on) keeps only that bit. Decimal values 128, 129, ..., 255 AND to 128 and match the rule's second octet; decimal values 0, 1, ..., 127 AND to 0 and do not match.
- The 0s in the mask third and fourth octets mean the third and fourth octets do not take part in the comparison.
Based on the rules shown above:
- A request coming from IPV4 address 11.128.17.99 is not allowed because the first octet is not equal to 10.
- A request coming from IPV4 address 10.200.17.99 is allowed because the first octet is 10 and the second octet is in the 128 to 255 range. The third and fourth octets do not figure in the evaluation.
- A request coming from IPV4 address 10.23.17.99 is not allowed because the second octet is not in the 128 to 255 range.
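The following Python script is an added example and is not part of the CA VM:Secure documentation or product. It models the masked comparison described above against the three rules in the example and the three sample requester addresses. Two details it assumes for illustration, because this page does not state them, are that rules are evaluated in file order with the first match deciding and that a requester address written without a mask must match exactly; check both against the rules facility's actual behaviour before relying on them. The `covered_range` helper goes one step beyond the page: it shows that a rule address with bits set outside the mask (such as 10.200.0.0+255.128.0.0) accepts exactly the same requesters as 10.128.0.0+255.128.0.0, because the rule address is masked too.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample: the three VTAM user rules from the example above.
RULES_FILE = """\
ACCEPT 199.10.89.1 DIAL (IPADDR
ACCEPT 10.128.0.0+255.128.0.0 DIAL (IPADDR
REJECT * DIAL (IPADDR
"""

# (action, rule address as int or None for '*', mask as int, command)
Rule = Tuple[str, Optional[int], int, str]

EXACT = 0xFFFFFFFF  # assumption: a requester with no '+mask' must match in full


def parse_requester(spec: str) -> Tuple[Optional[int], int]:
    """Split 'addr' or 'addr+mask' into integers. '*' matches any address."""
    if spec == "*":
        return None, 0
    addr, _, mask = spec.partition("+")
    mask_int = int(ipaddress.IPv4Address(mask)) if mask else EXACT
    return int(ipaddress.IPv4Address(addr)), mask_int


def parse_rules(text: str) -> List[Rule]:
    """Read 'ACTION requester COMMAND (options' lines; blank lines are skipped."""
    rules: List[Rule] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        action, requester, command = fields[0].upper(), fields[1], fields[2].upper()
        addr, mask = parse_requester(requester)
        rules.append((action, addr, mask, command))
    return rules


def requester_matches(addr: Optional[int], mask: int, requester_ip: str) -> bool:
    """The mask is ANDed with BOTH the rule address and the requester address."""
    if addr is None:
        return True
    ip = int(ipaddress.IPv4Address(requester_ip))
    return (ip & mask) == (addr & mask)


def evaluate(rules: List[Rule], requester_ip: str, command: str = "DIAL") -> str:
    """Return the action of the first matching rule (assumed first-match order).
    With no matching rule at all, this model assumes the request is rejected."""
    for action, addr, mask, cmd in rules:
        if cmd == command and requester_matches(addr, mask, requester_ip):
            return action
    return "REJECT"


def covered_range(spec: str) -> Tuple[str, str]:
    """Lowest and highest requester address that a rule's 'addr+mask' accepts.
    Because the rule address is masked too, its bits outside the mask are ignored."""
    addr, mask = parse_requester(spec)
    if addr is None:
        return "0.0.0.0", "255.255.255.255"
    low = addr & mask
    high = low | (~mask & 0xFFFFFFFF)
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(high))


if __name__ == "__main__":
    rules = parse_rules(RULES_FILE)
    for ip in ("11.128.17.99", "10.200.17.99", "10.23.17.99",
               "199.10.89.1", "199.10.89.2"):
        print(f"{ip:>14} -> {evaluate(rules, ip)}")
    # Two spellings of the same company-wide rule cover the same requesters.
    for spec in ("10.128.0.0+255.128.0.0", "10.200.0.0+255.128.0.0"):
        print(f"{spec:>24} covers {covered_range(spec)}")
```

When reviewing a rules file, running each `addr+mask` requester through `covered_range` is a quick way to see the real span of addresses a rule admits, since the octet values written in the rule can suggest a narrower range than the mask actually enforces.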
Copyright © 2014 CA.
All rights reserved.