Question on Extended ACL

thenuggetbridge Registered Users Posts: 3
Hi guys, am new to this forum so thanks in advance for all the help!

Am currently studying for CCENT/CCNA using Odom's OCG and currently on ACLs, but was confused by the questions and the answers given.

When do we change an octet's value to zero? Only when the wildcard mask is 255 or when the wildcard mask holds any value?

Like
access-list 110 deny ip host 10.1.2.3 0.0.0.255
vs
access-list 111 deny ip host 10.1.2.3 0.0.0.127

For the first case, we change the .3 in 10.1.2.3 to 0 because the mask is 255, but what about when the mask is 127?

Thanks in advance!

Comments

  • digitheads Member Posts: 39
    Is 127 valid? Regardless, the "3" should be zero there as well.
  • d4nz1g Member Posts: 464
    Turn both of them into binary and you will understand it
  • Mooseboost Member Posts: 778
    d4nz1g wrote: »
    Turn both of them into binary and you will understand it


    This advice will serve you well. Any misunderstandings or questions I had about wildcard masks went away when I started looking at it from a binary perspective.
  • TechGuru80 Member Posts: 1,539
    When the subnet mask is a 0 for instance /24...255.255.255.0 we would have a 0.0.0.255 wildcard mask. 0's mean I don't care about the number.

    The second example you take the subnet mask subtracted from 255 and the result is the wildcard mask. If the subnet mask was .127....255-127 = 128 would be the wildcard mask.
  • thenuggetbridge Registered Users Posts: 3
    Thank you all for your feedback!

    access-list 111 deny ip host 10.1.2.3 0.0.0.127 was something I made up because I didn't really understand wildcard masks at the start. All is good now, though.

    Going through everything in binary once made everything crystal clear.
  • james43026 Member Posts: 303
    TechGuru80 wrote: »
    When the subnet mask is a 0 for instance /24...255.255.255.0 we would have a 0.0.0.255 wildcard mask. 0's mean I don't care about the number.

    The second example you take the subnet mask subtracted from 255 and the result is the wildcard mask. If the subnet mask was .127....255-127 = 128 would be the wildcard mask.


    This is incorrect. 0.0.0.127 is valid. If you try a wildcard mask of 0.0.0.128 you will receive the following message from Cisco IOS "Invalid address/mask combination (discontiguous mask)". This is because you did 255-127, 127 isn't a valid subnet mask, it would be 255.255.255.128 if you looked at the OP's example as a subnet mask, so 255-128=127. Just trying to clarify this for the OP to mitigate confusion for all.
  • Nans Member Posts: 160
    james43026 wrote: »
    This is incorrect. 0.0.0.127 is valid. If you try a wildcard mask of 0.0.0.128 you will receive the following message from Cisco IOS "Invalid address/mask combination (discontiguous mask)". This is because you did 255-127, 127 isn't a valid subnet mask, it would be 255.255.255.128 if you looked at the OP's example as a subnet mask, so 255-128=127. Just trying to clarify this for the OP to mitigate confusion for all.

    The simplest thing to do is remove 1 from the number of hosts possible, so that for 255.255.255.128 you still have 128 hosts left (although only 126 are valid); just remove 1 now from 128, which is 127, and there it is: the mask should be 0.0.0.127.

    few more examples

    255.255.255.224-- mask 0.0.0.31 (host possible= 32 -1=31)
    255.255.255.248-- mask 0.0.0.7 (hosts possible=8-1=7)
    255.255.255.192-- mask 0.0.0.63 (hosts possible=64-1=63)
    255.255.224.0-- mask 0.0.31.255 (we will consider the interesting octet, which is 3rd, so remaining=32-1=31, and since it is a class B and the entire 4th octet is for hosts we don't care what it is, which gives it a value of 255 (all 1's))

    Well, as I always say, I'm still learning, and if this is wrong please correct me.

    Regards
    2016 Certification Goals: CCNP Route X, Switch :study:, TShoot [], CCDP []
  • TechGuru80 Member Posts: 1,539
    james43026 wrote: »
    This is incorrect. 0.0.0.127 is valid. If you try a wildcard mask of 0.0.0.128 you will receive the following message from Cisco IOS "Invalid address/mask combination (discontiguous mask)". This is because you did 255-127, 127 isn't a valid subnet mask, it would be 255.255.255.128 if you looked at the OP's example as a subnet mask, so 255-128=127. Just trying to clarify this for the OP to mitigate confusion for all.

    I wasn't paying attention to specific numbers; it was more the method.
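
Added example (not part of any poster's reply): the thread's advice to work in binary, as a short Python script. The function names are hypothetical helpers made up for this illustration, and the sample addresses are the ones from the thread plus a constructed 10.1.2.200. Every address bit that sits under a 1 in the wildcard mask is a "don't care" bit, so .3 becomes .0 under both 0.0.0.255 and 0.0.0.127, while .200 under 0.0.0.127 becomes .128.

```python
import ipaddress

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def to_dotted(value):
    return str(ipaddress.IPv4Address(value))

def wildcard_from_netmask(netmask):
    # Flip every bit of the subnet mask (same as 255 minus each octet).
    return to_dotted(to_int(netmask) ^ 0xFFFFFFFF)

def normalize(address, wildcard):
    # Zero each address bit whose wildcard bit is 1 ("don't care").
    return to_dotted(to_int(address) & ~to_int(wildcard) & 0xFFFFFFFF)

def matches(candidate, address, wildcard):
    # Compare only the bits where the wildcard is 0 ("must match").
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(candidate) & care) == (to_int(address) & care)

def is_inverse_of_netmask(wildcard):
    # True when the 1 bits form one unbroken run at the right-hand end.
    w = to_int(wildcard)
    return (w & (w + 1)) == 0

def last_octet_bits(dotted):
    return format(to_int(dotted) & 0xFF, "08b")

if __name__ == "__main__":
    # Constructed walk-through using the addresses and masks from the thread.
    for wc in ("0.0.0.255", "0.0.0.127", "0.0.0.128"):
        print(f"wildcard {wc}: last octet {last_octet_bits(wc)}, "
              f"inverse of a subnet mask: {is_inverse_of_netmask(wc)}")
        for addr in ("10.1.2.3", "10.1.2.200"):
            print(f"  {addr} ({last_octet_bits(addr)}) -> {normalize(addr, wc)}")
    print("255.255.255.128 ->", wildcard_from_netmask("255.255.255.128"))
    print("10.1.2.100 matches 10.1.2.3 0.0.0.127:",
          matches("10.1.2.100", "10.1.2.3", "0.0.0.127"))
```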