range hosts in ACL using wildcard mask

macwhizard (Member, Posts: 66)
Is it possible to specify a range of hosts in an ACL using wildcard masks?

e.g.

192.168.2.10 to 192.168.2.70, using default subnet mask.

Comments

  • sprkymrk (Member, Posts: 4,884)
    To find the wildcard mask for a range, you take the higher minus the lower:
    192.168.2.70
    -192.168.2.10
    0.0.0.60

    access-list 1 permit 192.168.2.10 0.0.0.60

    It's been a while for me, so hopefully a more able Cisco person can confirm this.
    All things are possible, only believe.
  • forbesl (Member, Posts: 454)
    Sorry, but that ain't gonna work like you think it will.
  • sprkymrk (Member, Posts: 4,884)
    forbesl wrote:
    Sorry, but that ain't gonna work like you think it will.
    Then please enlighten me! :)
    All things are possible, only believe.
  • forbesl (Member, Posts: 454)
    You won't be able to permit only that range of IP addresses because in doing so you're trying to cross a subnet mask boundary.
  • unwritt3n (Member, Posts: 67)
    sprkymrk wrote:
    To find the wildcard mask for a range, you take the higher minus the lower:
    192.168.2.70
    -192.168.2.10
    0.0.0.60

    access-list 1 permit 192.168.2.10 0.0.0.60

    It's been a while for me, so hopefully a more able Cisco person can confirm this.

    I'm pretty sure that's correct... ACLs are not a strong area for me, but I've done it like that in a practice test and got it right.
    Studying: 70-290, CCNP 1, CCSP 1
  • sprkymrk (Member, Posts: 4,884)
    forbesl wrote:
    You won't be able to permit only that range of IP addresses because in doing so you're trying to cross a subnet mask boundary.
    Okay, but what is the correct way? You still haven't told us.
    All things are possible, only believe.
  • EdTheLad (Member, Posts: 2,111)
    sprkymrk wrote:
    forbesl wrote:
    You won't be able to permit only that range of IP addresses because in doing so you're trying to cross a subnet mask boundary.
    Okay, but what is the correct way?

    You would need 192.168.2.0 0.0.0.127

    10 = 00001010
    70 = 01000110

    The 1 at the left signifies the wildcard so for a range of addresses you need to include the 1 and all bits to the right of the one.
    Networking, sometimes I love it, mostly I hate it. It's all about the $$$$
  • BubbaJ (Member, Posts: 323)
    ed_the_lad wrote:
    You would need 192.168.2.0 0.0.0.127

    10 = 00001010
    70 = 01001100

    The 1 at the left signifies the wildcard so for a range of addresses you need to include the 1 and all bits to the right of the one.
    That would include the entire range of 192.168.2.1 to 192.168.2.127, which may or may not be a bad thing. If an exact match is needed, it will take several statements.
  • forbesl (Member, Posts: 454)
    Of course that would work, however that would permit more than the range he specified to begin with. That wildcard would permit hosts 1 - 126, and not just 10 through 70 as in the question. You're not gonna get a single wildcard mask that will permit (or block) only that range of IP addresses.
    sprkymrk:

    Do this on a real router:

    access-list 1 permit 192.168.2.10 0.0.0.60

    Then do this:

    sh ip access-list 1

    See what it tells you....you'll understand what I'm talking about.
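    As an added worked example (my own code, not from anyone in this thread), the script below applies the wildcard rule the thread keeps circling (a 0 bit in the wildcard must match, a 1 bit is ignored) to the numbers above. It lists which hosts `192.168.2.10 0.0.0.60` really matches, shows the entry address with its don't-care bits cleared (the form I expect a router to store and display for that line; assumed here, since the thread does not show the output), and computes the fewest wildcard entries that match exactly .10 through .70. Function names are my own.

```python
# Added example, not from the thread: wildcard-mask arithmetic for the
# 192.168.2.10 - 192.168.2.70 question. Function names are my own.
import ipaddress


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def to_str(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def wildcard_matches(addr: str, entry_addr: str, wildcard: str) -> bool:
    """Wildcard rule: every bit that is 0 in the wildcard must be identical in
    addr and entry_addr; bits that are 1 in the wildcard are 'don't care'."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(entry_addr) & care)


def normalize_entry(entry_addr: str, wildcard: str) -> str:
    """Clear the don't-care bits of the entry address. A router stores the line
    in this form (assumed here), so .10 with 0.0.0.60 is really .2 with 0.0.0.60."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return to_str(to_int(entry_addr) & care)


def expand_entry(entry_addr: str, wildcard: str, network: str = "192.168.2.0/24") -> list:
    """Last octet of every address in `network` that the entry matches."""
    return [int(str(h).rsplit(".", 1)[1])
            for h in ipaddress.IPv4Network(network)
            if wildcard_matches(str(h), entry_addr, wildcard)]


def decompose_range(first: str, last: str) -> list:
    """Fewest (address, wildcard) entries that match exactly first..last.
    One entry can only cover a block whose size is a power of two and whose
    start is a multiple of that size, so greedily take the largest such block
    at the current position (the same summarization used for CIDR)."""
    cur, end = to_int(first), to_int(last)
    entries = []
    while cur <= end:
        size = 1
        while cur % (size * 2) == 0 and cur + size * 2 - 1 <= end:
            size *= 2
        entries.append((to_str(cur), to_str(size - 1)))
        cur += size
    return entries


def single_entry(first: str, last: str):
    """The one entry matching exactly first..last, or None when no single
    address/wildcard pair can do it (the range crosses a block boundary)."""
    entries = decompose_range(first, last)
    return entries[0] if len(entries) == 1 else None


if __name__ == "__main__":
    print("192.168.2.10 0.0.0.60 is stored as", normalize_entry("192.168.2.10", "0.0.0.60"))
    print("and matches last octets", expand_entry("192.168.2.10", "0.0.0.60"))
    print("single entry for .10-.70:", single_entry("192.168.2.10", "192.168.2.70"))
    for addr, wc in decompose_range("192.168.2.10", "192.168.2.70"):
        print(f"access-list 1 permit {addr} {wc}")
```

    Running it shows the subtraction trick matching sixteen scattered hosts (.2, .6, .10, ... .62) rather than .10 through .70, and that an exact match of .10 through .70 takes seven permit lines.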
  • sprkymrk (Member, Posts: 4,884)
    ed_the_lad wrote:
    sprkymrk wrote:
    forbesl wrote:
    You won't be able to permit only that range of IP addresses because in doing so you're trying to cross a subnet mask boundary.
    Okay, but what is the correct way?

    You would need 192.168.2.0 0.0.0.127

    10 = 00001010
    70 = 01001100

    The 1 at the left signifies the wildcard so for a range of addresses you need to include the 1 and all bits to the right of the one.
    I think that includes more than the 61 hosts in his example of 192.168.2.10-70. I think your example allows access to half the 192.168.10.2 subnet, or about 128 hosts, doesn't it?
    All things are possible, only believe.
  • sprkymrk (Member, Posts: 4,884)
    Hmmm. I think that each non-zero value must be one less than a power of 2 in order to avoid crossing valid subnets, so a real close (easy but not exact) wildcard mask would be:

    access-list 1 permit 192.168.2.10 0.0.0.63

    Does that seem right?
    Doggone wildcard masks...
    All things are possible, only believe.
  • macwhizard (Member, Posts: 66)
    ed_the_lad wrote:

    You would need 192.168.2.0 0.0.0.127

    10 = 00001010
    70 = 01001100

    The 1 at the left signifies the wildcard so for a range of addresses you need to include the 1 and all bits to the right of the one.

    Does this also mean IPs x.x.2.1 to x.x.2.128 are affected?

    Could you explain more? I understand wildcard masks are counted from right to left, unlike subnet masks, and support unusual masks like
    binary 11000101 = 00111010 wildcard.
  • EdTheLad (Member, Posts: 2,111)
    I was only giving you an example since you didn't remember the masks.
    If I was feeling energetic I could have given an exact match.
    Networking, sometimes I love it, mostly I hate it. It's all about the $$$$
  • brAun (Member, Posts: 66)
    This is my solution; I am not sure if this is right, please correct me if I am wrong:
    1. deny host 0 - 7
    2. deny host 8 and 9
    3. permit host 0 - 63
    4. permit host 64 - 71
    5. deny host 71

    wildcard mask
    1. access list deny 192.168.2.0 0.0.0.7
    2. access list deny 192.168.2.0 0.0.0.9
    3. access list permit 192.168.2.0 0.0.0.63
    4. access list permit 192.168.2.0 0.0.0.71
    5. access list deny 192.168.2.71 0.0.0.0

    I couldn't find one wildcard mask that could permit a range of hosts 10 - 70, so I think you need five access lists to make that happen. Please correct me if I am wrong, as I really want to know if there is any better solution. Thanks :D
    Failure is the mother of success, just never stop trying :)
  • macwhizard (Member, Posts: 66)
    ed_the_lad wrote:
    ... I could have given an exact match.

    No need for that, this wildcard is making me nuts. So I need to clear everything before I move to the next chapter.

    Edit:
    And yes, this is for lab practice.
  • brAun (Member, Posts: 66)
    I don't think you can use one wildcard mask to specify that range of hosts in the network. As in my solution, you need more than one wildcard mask.
    Failure is the mother of success, just never stop trying :)
  • brAun (Member, Posts: 66)
    If you are working on a lab now, you can use my solution... I am confident that will work on the router to allow only the host range between 10 - 70. But I hope anyone could give me a better solution... :D
    Failure is the mother of success, just never stop trying :)
  • BubbaJ (Member, Posts: 323)
    brAun wrote:
    This is my solution; I am not sure if this is right, please correct me if I am wrong:
    1. deny host 0 - 7
    2. deny host 8 and 9
    3. permit host 0 - 63
    4. permit host 64 - 71
    5. deny host 71

    wildcard mask
    1. access list deny 192.168.2.0 0.0.0.7
    2. access list deny 192.168.2.0 0.0.0.9
    3. access list permit 192.168.2.0 0.0.0.63
    4. access list permit 192.168.2.0 0.0.0.71
    5. access list deny 192.168.2.71 0.0.0.0

    I couldn't find one wildcard mask that could permit a range of hosts 10 - 70, so I think you need five access lists to make that happen. Please correct me if I am wrong, as I really want to know if there is any better solution. Thanks :D
    This is almost right. The line 2 subnet and wildcard mask are wrong; it needs to be 192.168.2.8 0.0.0.1 to exclude the .8 and .9 addresses. Line 4 needs to be 192.168.2.64 0.0.0.7 to include .64 to .71. Line 5 needs to be before line 4.

    It might be easier to deny all the ranges needed, then permit the entire Class C range.
  • brAun (Member, Posts: 66)
    Yup, you are right, but I think line 2 is correct; you can use either my line 2 or deny 192.168.2.8 0.0.0.1. And thanks for your correction... :D
    By the way, I don't think we will have this type of question in the exam.
    Failure is the mother of success, just never stop trying :)
  • sprkymrk (Member, Posts: 4,884)
    Thanks brAun and BubbaJ. That makes perfect sense.
    All things are possible, only believe.
  • brAun (Member, Posts: 66)
    Sorry, I just figured out your solution for line 2 is more correct to deny hosts 8 and 9.
    The line 2 that I used was denying 0, 1, 8 and 9.
    Thanks for that, I have learned something :D
    Failure is the mother of success, just never stop trying :)
  • brAun (Member, Posts: 66)
    You are welcome, sprkymrk.
    I am learning something from this question too.
    Failure is the mother of success, just never stop trying :)
  • BubbaJ (Member, Posts: 323)
    brAun wrote:
    but I think line 2 is correct; you can use either my line 2 or deny 192.168.2.8 0.0.0.1.
    No. Look at 9 in binary: 1001. There are 2 "don't care" bits. That means it has 4 (2^2) don't care addresses (.0, .1, .8, .9), but you only want 2 don't care addresses (.8 and .9) per your logic. Although the other 2 addresses are taken care of by the previous statement, this is a poor practice that can bite you in the butt. Each statement should be as exact as possible. Technically it will work, but I'm willing to bet that it would be counted wrong on a Cisco exam.

    I still think it would be better to deny all the ranges you don't want in the Class C network, then permit the entire Class C address range.
  • brAun (Member, Posts: 66)
    Yup, that would be more exact on hosts 8 and 9. And it's good to know we can count the bits we ignore to know how many hosts we deny or permit (2^2 = 4 hosts).

    That's really great, I am learning one more thing in here hehehe :D

    Thanks BubbaJ
    Failure is the mother of success, just never stop trying :)
  • forbesl (Member, Posts: 454)
    sprkymrk wrote:
    Okay, but what is the correct way? You still haven't told us.
    Oh.... you wanted me to give you the answer?

    Since you're a CCNA, I just figured you'd be able to do that for yourself.
  • sprkymrk (Member, Posts: 4,884)
    Yeah, 9 months Cisco Academy and a 1 week boot camp - then all I use are a few dozen Cisco 2950 switches for the past 3 years. I have mentioned many times in the last few weeks of posts that my CCNA expires in November but I probably won't renew it until early next year.

    Also, I don't think ACL's (and especially wild card masks) are much more than glossed over or mentioned "in passing" for CCNA.

    Anyway, it's been a good refresher. And I did say
    sprkymrk wrote:
    It's been a while for me, so hopefully a more able Cisco person can confirm this.

    I always cover my butt.... :)
    All things are possible, only believe.
  • macwhizard (Member, Posts: 66)
    Thanks guys.

    I really need to know how this wildcard thing works. It seems really confusing.
    Wildcard bits: 0 = exact match, 1 = any/ignore.
    00000000.00000000.00000000.00100000 means all, except the 27th bit must match.


    For e.g., the default wildcard mask of 192.168.0.0 /24 is 0.0.0.255.

    But if I use block size 64 (binary x.x.x.00111111, 1+2+4+8+16+32 = 63) with IPs configured using the default mask /24,

    deny 192.168.0.0 0.0.0.63, and permit any, does it mean it will deny hosts 192.168.0.192 onwards (bin x.x.x.11000000 is an exact match) and only allow hosts x.x.x.1 to 191?

    If wrong, please explain with binary examples.
  • EdTheLad (Member, Posts: 2,111)
    macwhizard wrote:
    Thanks guys.

    I really need to know how this wildcard thing works. It seems really confusing.
    Wildcard bits: 0 = exact match, 1 = any/ignore.
    00000000.00000000.00000000.00100000 means all, except the 27th bit must match.


    For e.g., the default wildcard mask of 192.168.0.0 /24 is 0.0.0.255.

    But if I use block size 64 (binary x.x.x.00111111, 1+2+4+8+16+32 = 63) with IPs configured using the default mask /24,

    deny 192.168.0.0 0.0.0.63, and permit any, does it mean it will deny hosts 192.168.0.192 onwards (bin x.x.x.11000000 is an exact match) and only allow hosts x.x.x.1 to 191?

    If wrong, please explain with binary examples.

    The 1's in the wildcard mask are wildcards, meaning anything in this bit location is acceptable. 0 means an absolute match.
    If you have deny 192.168.0.0 0.0.0.63,
    the 63 = 00111111, therefore anything in the last 6 digits will be denied.
    It will deny a range 0-63.
    If you did deny 192.168.0.0 0.0.1.0, the 1 = 00000001, therefore you would deny addresses 192.168.0.x and 192.168.1.x.
    permit any means allow all. Remember an access list is read sequentially, which means once a match is found it exits the list. If you put permit any at the start it wouldn't matter what comes next, all is allowed.
    Networking, sometimes I love it, mostly I hate it. It's all about the $$$$
  • sprkymrk (Member, Posts: 4,884)
    ed_the_lad wrote:
    If you put permit any at the start it wouldn't matter what comes next, all is allowed.
    And of course the implicit deny any at the end of the ACL means if you have an ACL with a single deny statement but no allow, nothing at all gets through.
    All things are possible, only believe.
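    As an added worked example (my own code, not posted by anyone in this thread), the script below is a small first-match ACL evaluator with the implicit deny at the end, the two behaviours just described. It re-checks brAun's five lines as first posted, the list with BubbaJ's corrections applied, and BubbaJ's alternative of denying the unwanted blocks and then permitting the whole Class C. The ACL tuples and function names are my own; the addresses and wildcards are the ones from the posts.

```python
# Added example, not from the thread: a first-match ACL evaluator with the
# implicit "deny any" at the end, used to check the lists posted above.
# Function names and the ACL tuples are my own; the entries copy the thread's numbers.
import ipaddress


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def entry_matches(addr: str, entry_addr: str, wildcard: str) -> bool:
    """0 bits in the wildcard must match, 1 bits are ignored."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(entry_addr) & care)


def evaluate_acl(acl, addr: str):
    """Walk the ACL top-down and stop at the first matching line.
    Returns (action, line number); line number None means no line matched
    and the implicit deny at the end of the list applied."""
    for line, (action, entry_addr, wildcard) in enumerate(acl, start=1):
        if entry_matches(addr, entry_addr, wildcard):
            return action, line
    return "deny", None


def permitted_hosts(acl, network: str = "192.168.2.0/24") -> list:
    """Last octet of every address in `network` that the ACL permits."""
    return [int(str(h).rsplit(".", 1)[1])
            for h in ipaddress.IPv4Network(network)
            if evaluate_acl(acl, str(h))[0] == "permit"]


# brAun's five lines as first posted (constructed from the thread's numbers)
BRAUN_ORIGINAL = [
    ("deny", "192.168.2.0", "0.0.0.7"),
    ("deny", "192.168.2.0", "0.0.0.9"),
    ("permit", "192.168.2.0", "0.0.0.63"),
    ("permit", "192.168.2.0", "0.0.0.71"),
    ("deny", "192.168.2.71", "0.0.0.0"),
]

# the same list with BubbaJ's corrections: line 2 tightened to .8/.9, line 4
# rewritten as .64 0.0.0.7, and the deny of .71 moved above it
BUBBAJ_CORRECTED = [
    ("deny", "192.168.2.0", "0.0.0.7"),
    ("deny", "192.168.2.8", "0.0.0.1"),
    ("permit", "192.168.2.0", "0.0.0.63"),
    ("deny", "192.168.2.71", "0.0.0.0"),
    ("permit", "192.168.2.64", "0.0.0.7"),
]

# BubbaJ's alternative: deny every unwanted block, then permit the whole /24
DENY_THEN_PERMIT_ALL = [
    ("deny", "192.168.2.0", "0.0.0.7"),
    ("deny", "192.168.2.8", "0.0.0.1"),
    ("deny", "192.168.2.71", "0.0.0.0"),
    ("deny", "192.168.2.72", "0.0.0.7"),
    ("deny", "192.168.2.80", "0.0.0.15"),
    ("deny", "192.168.2.96", "0.0.0.31"),
    ("deny", "192.168.2.128", "0.0.0.127"),
    ("permit", "192.168.2.0", "0.0.0.255"),
]

if __name__ == "__main__":
    for name, acl in [("brAun original", BRAUN_ORIGINAL),
                      ("BubbaJ corrected", BUBBAJ_CORRECTED),
                      ("deny then permit all", DENY_THEN_PERMIT_ALL)]:
        hosts = permitted_hosts(acl)
        print(f"{name}: {len(hosts)} hosts permitted, .{hosts[0]} to .{hosts[-1]}")
    # .71 is caught by line 4 in the corrected list, never reaching the permit
    print(evaluate_acl(BUBBAJ_CORRECTED, "192.168.2.71"))
    # a lone deny with no permit: the implicit deny leaves nothing through
    print(permitted_hosts([("deny", "192.168.2.0", "0.0.0.7")]))
```

    The original list lets .71 through because the permit on line 4 is reached before the deny on line 5; both corrected lists permit exactly .10 through .70, and a list made of a single deny permits nothing at all.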
  • macwhizard (Member, Posts: 66)
    ed_the_lad wrote:
    .... If you did deny 192.168.0.0 0.0.1.0, the 1 = 00000001, therefore you would deny addresses 192.168.0.x and 192.168.1.x.

    Confusing when compared to this. Is it just me?