Example: Secondary Element Processing—Address Range Exception - Analytics Database - Teradata Vantage

Security Administration

Deployment
VantageCloud
VantageCore
Edition
Enterprise
IntelliFlex
VMware
Product
Analytics Database
Teradata Vantage
Release Number
17.20
Published
June 2022
Language
English (United States)
Last Update
2024-04-05
Product Category
Teradata Vantage™

The secondary element can also specify an exception for a range of IP addresses that are contained within the larger range defined by the primary element.

  • Instead of a single IP address exception, you can deny access to IP addresses for several computers in the company, for example, workstations 192.0.2.192 through 192.0.2.255, with the following deny element:
    <deny ip="192.0.2.255/

    The deny element is equivalent to the following binary number:

    11000000.00000000.00000010.11111111

    The 255 in the final segment of the deny IP is optional. You can use any number between 192 and 255 to give the same results, based on the mask construction shown in the following bullet.

  • The following mask forces the filter to deny access to all workstations with IP addresses from 192.0.2.192 through 192.0.2.255:
    255.255.255.192"/>

    This mask format indicates that only the first two bits of the fourth segment are significant. If you AND the binary values for the deny IP and the mask, the result shows why you can specify such a wide range of addresses in the fourth segment of the deny IP.

    Deny IP  11000000.00000000.00000010.11111111
    Mask     11111111.11111111.11111111.11000000
    ____________________________________________
    Result   11000000.00000000.00000010.11000000

    The mask is equivalent to 26 bits, and indicates that the first 26 bits of the incoming IP address must match the masked deny IP (the first 26 bits of the result) for the incoming IP address to be denied. All IP addresses from 192.0.2.192 through 192.0.2.255 match those 26 bits. IP addresses from 192.0.2.0 through 192.0.2.191 have a value of zero for either bit 25 or 26 (or both), do not match all 26 significant binary values, and therefore are not denied.

    The restriction process applies the range of the secondary element, whether it is an allow or a deny, to the binary string from left to right, that is, high to low address. The further to the left you extend the zeros in the mask, the more restrictive the secondary deny. For example, a partial mask of the third segment significantly increases the range of addresses affected.
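
The mask comparison described above can be checked before a rule is deployed. The following Python is an added example, not Teradata code: the function names are hypothetical, and it assumes the filter compares (incoming AND mask) with (deny IP AND mask), as the text describes.

```python
import ipaddress

FULL = 0xFFFFFFFF

def to_int(dotted):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))

def to_bits(value):
    """32-bit integer -> dotted binary string, as laid out in the text."""
    return ".".join(f"{(value >> s) & 0xFF:08b}" for s in (24, 16, 8, 0))

def parse_rule(ip_attr):
    """Split an 'ip/mask' attribute value into (ip AND mask, mask)."""
    ip, mask = ip_attr.split("/")
    m = to_int(mask)
    return to_int(ip) & m, m

def prefix_length(mask):
    """Count of leading one bits; rejects a mask with a one after a zero."""
    m = to_int(mask)
    n = bin(m).count("1")
    if m != (FULL << (32 - n)) & FULL:
        raise ValueError(f"non-contiguous mask: {mask}")
    return n

def matches(ip_attr, incoming):
    """True when the incoming address agrees with the rule on every mask bit."""
    masked_ip, mask = parse_rule(ip_attr)
    return (to_int(incoming) & mask) == masked_ip

def matched_range(ip_attr):
    """Lowest and highest matching address (contiguous masks only)."""
    masked_ip, mask = parse_rule(ip_attr)
    prefix_length(ip_attr.split("/")[1])  # raises on a non-contiguous mask
    hi = masked_ip | (~mask & FULL)
    return str(ipaddress.IPv4Address(masked_ip)), str(ipaddress.IPv4Address(hi))

if __name__ == "__main__":
    rule = "192.0.2.255/255.255.255.192"  # ip attribute value from the text
    print("Result", to_bits(parse_rule(rule)[0]), "bits:", prefix_length("255.255.255.192"))
    print("Range ", matched_range(rule))
    for addr in ("192.0.2.191", "192.0.2.192", "192.0.2.255"):
        print(addr, "matches" if matches(rule, addr) else "no match")
    # Any final octet from 192 through 255 masks to the same value.
    print(parse_rule("192.0.2.200/255.255.255.192") == parse_rule(rule))
    # Constructed mask (not from the text): zeros extended into the third segment.
    print(matched_range("192.0.2.255/255.255.192.0"))
```

Running the same check against a proposed mask shows the full range it covers, which is the quickest way to catch a secondary deny that is wider than intended.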