range hosts in ACL using wildcard mask
macwhizard
Member Posts: 66 ■■□□□□□□□□
in CCNA & CCENT
Is it possible to specify a range of hosts in ACL using wildcard masks ?
eg.
192.168.2.10 to 192.168.2.70, using default subnet mask.
eg.
192.168.2.10 to 192.168.2.70, using default subnet mask.
Comments
-
sprkymrk
Member Posts: 4,884 ■■■□□□□□□□
To find the wildcard mask for a range, you take the higher minus the lower:
192.168.2.70
-192.168.2.10
0.0.0.60
access-list 1 permit 192.168.2.10 0.0.0.60
It's been a while for me, so hopefully a more able Cisco person can confirm this.All things are possible, only believe. -
forbesl
Member Posts: 454
You won't be able to permit only that range of IP addresses because in doing so you're trying to cross a subnet mask boundary.
-
unwritt3n
Member Posts: 67 ■■□□□□□□□□
sprkymrk wrote:To find the wildcard mask for a range, you take the higher minus the lower:
192.168.2.70
-192.168.2.10
0.0.0.60
access-list 1 permit 192.168.2.10 0.0.0.60
It's been a while for me, so hopefully a more able Cisco person can confirm this.
Im pretty sure thats corrent... ACLs is not a strong area for me, but Ive done it like that in a practice test and got it right.Studying: 70-290, CCNP 1, CCSP 1 -
EdTheLad
Member Posts: 2,111 ■■■■□□□□□□
sprkymrk wrote:
Okay, but what is the correct way?forbesl wrote:You won't be able to permit only that range of IP addresses because in doing so you're trying to cross a subnet mask boundary.
:
You would need 192.168.2.0 0.0.0.127
10 = 00001010
70 = 01000110
The 1 at the left signifies the wildcard so for a range of addresses you need to include the 1 and all bits to the right of the one.Networking, sometimes i love it, mostly i hate it.Its all about the $$$$ -
BubbaJ
Member Posts: 323
That would include the entire range of 192.168.2.1 to 192.168.2.127, which may or may not be a bad thing. If an exact match is needed, it will take several statements.ed_the_lad wrote:You would need 192.168.2.0 0.0.0.127
10 = 00001010
70 = 01001100
The 1 at the left signifies the wildcard so for a range of addresses you need to include the 1 and all bits to the right of the one. -
forbesl
Member Posts: 454
Of course that would work, however that would permit more than the range he specified to begin with. That wildcard would permit hosts 1 - 126, and not just 10 through 70 as in the question. You're not gonna get a single wildcard mask that will permit (or block) only that range of IP addresses.
sprkymrk:
Do this on a real router:
access-list 1 permit 192.168.2.10 0.0.0.60
Then do this:
sh ip access-list 1
See what it tells you....you'll understand what I'm talking about. -
sprkymrk
Member Posts: 4,884 ■■■□□□□□□□
I think that includes more than the 61 hosts in his example of 192.168.2.10-70. I think your example allows access to half the 192.168.10.2 subnet, or about 128 hosts, doesn't it?ed_the_lad wrote:sprkymrk wrote:
Okay, but what is the correct way?forbesl wrote:You won't be able to permit only that range of IP addresses because in doing so you're trying to cross a subnet mask boundary.:
You would need 192.168.2.0 0.0.0.127
10 = 00001010
70 = 01001100
The 1 at the left signifies the wildcard so for a range of addresses you need to include the 1 and all bits to the right of the one.All things are possible, only believe. -
sprkymrk
Member Posts: 4,884 ■■■□□□□□□□
Hmmm. I think that each non-zero value must be one less than a power of 2 in order to avoid crossing valid subnets, so real close (easy but not exact) wildcard mask would be:
access-list 1 permit 192.168.2.10 0.0.0.63
Does that seem right?
Doggone wildcard masks...
All things are possible, only believe. -
macwhizard
Member Posts: 66 ■■□□□□□□□□
ed_the_lad wrote:
You would need 192.168.2.0 0.0.0.127
10 = 00001010
70 = 01001100
The 1 at the left signifies the wildcard so for a range of addresses you need to include the 1 and all bits to the right of the one.
does this also mean ip's x.x.2.1 to x.x.2. 128 are affected ?.
could you explain more ?. i understand wildcard masks are counted from right to left, unlike subnet masks and supports un-usual masks like
binary 11000101 = 00111010 wildcard. -
EdTheLad
Member Posts: 2,111 ■■■■□□□□□□
I was only giving you an example since you didnt remember the masks.
If i was feeling energic i could have given an exact match.Networking, sometimes i love it, mostly i hate it.Its all about the $$$$ -
brAun
Member Posts: 66 ■■□□□□□□□□
This is my solution i am not sure if this is right, please correct me if i am wrong :
1. deny host 0 - 7
2. deny host 8 and 9
3. permit host 0 - 63
4. permit host 64 - 71
5. deny host 71
wildcard mask
1. access list deny 192.168.2.0 0.0.0.7
2.access list deny 192.168.2.0 0.0.0.9
3.access list permit 192.168.2.0 0.0.0.63
4.access list permit 192.168.2.0 0.0.0.71
5.access list deny 192.168.2.71 0.0.0.0
i couldn't find 1 wildcard mask that could permit a range of host 10 - 70. so i think u need five access lists to make that happen. please correct me if i am wrong. as i really want to know if any better solution. Thanks
Failure is the mother of success, just never stop trying
-
macwhizard
Member Posts: 66 ■■□□□□□□□□
ed_the_lad wrote:....i could have given an exact match.
no need for that, this wildcard is making me nuts . so i need to clear everything before i move to the next chapter.
edit:
and yes, this is for lab practice. -
brAun
Member Posts: 66 ■■□□□□□□□□
i don't think u can use 1 wildcard mask to specify that range of host in the network. as my solution u need more than 1 wild card mask..Failure is the mother of success, just never stop trying
-
brAun
Member Posts: 66 ■■□□□□□□□□
if u are working on a lab now, u can use my solution... i am confident that will work on the router to allow only host range between 10 -70. but i hope if any1 could give me a better solution... Failure is the mother of success, just never stop trying
-
BubbaJ
Member Posts: 323
This is almost right. The line 2 subnet and wildcard mask are wrong; it needs to be 192.168.2.8 0.0.0.1 to exclude the .8 and .9 addresses. Line 4 needs to be 192.168.64 0.0.0.7 to include .64 to .71. Line 5 needs to be before line 4.brAun wrote:This is my solution i am not sure if this is right, please correct me if i am wrong :
1. deny host 0 - 7
2. deny host 8 and 9
3. permit host 0 - 63
4. permit host 64 - 71
5. deny host 71
wildcard mask
1. access list deny 192.168.2.0 0.0.0.7
2.access list deny 192.168.2.0 0.0.0.9
3.access list permit 192.168.2.0 0.0.0.63
4.access list permit 192.168.2.0 0.0.0.71
5.access list deny 192.168.2.71 0.0.0.0
i couldn't find 1 wildcard mask that could permit a range of host 10 - 70. so i think u need five access lists to make that happen. please correct me if i am wrong. as i really want to know if any better solution. Thanks
It might be easier to deny all the ranges needed, then permit the enite Class C range. -
brAun
Member Posts: 66 ■■□□□□□□□□
yup, u are right, but i think line 2 is correct, u can use either my line 2 or deny 192.168.2.8 0.0.0.1. and thank for ur correction....
btw i don't think we will have this type of question in the examFailure is the mother of success, just never stop trying -
sprkymrk
Member Posts: 4,884 ■■■□□□□□□□
Thanks brAun and BubbaJ. That makes perfect sense.All things are possible, only believe.
-
brAun
Member Posts: 66 ■■□□□□□□□□
sry, i just figure out, ur solution for line 2 is more correct to deny host 8 and 9.
the line 2 that i use was denying 0,1,8 and 9.
thanks for that i have learn something Failure is the mother of success, just never stop trying -
brAun
Member Posts: 66 ■■□□□□□□□□
u are welcome, sprkymrk
i am learning something from this question tooFailure is the mother of success, just never stop trying -
BubbaJ
Member Posts: 323
No. Look at 9 in binary 1001. There are 2 "don't care" bits. That means it has 4 (2^2) don't care addresses (.0,.1,.8,.9), but you only wnat 2 don't care addresses (.8 and .9) per your logic. Although the other 2 addresses are taken care of by the previous statement, this is a poor practice that can bite you in the butt. Each statement should be as exact as possible. Technically it will work, but I'm willing to bet that it would be counted wrong on a Cisco exam.brAun wrote:but i think line 2 is correct, u can use either my line 2 or deny 192.168.2.8 0.0.0.1.
I still think it would be better to deny all the ranges you don't want in the Class C network, then permit the entire Class C address range. -
brAun
Member Posts: 66 ■■□□□□□□□□
yup, that's would be more exactly on host 8 and 9. and its good to know we can count the bits we ignore to know how many host that we deny or permit (2 ^ 2 = 4host).
that's really great,i am learning 1 more thing in here hehehe
thanks BubbaJFailure is the mother of success, just never stop trying -
sprkymrk
Member Posts: 4,884 ■■■□□□□□□□
Yeah, 9 months Cisco Academy and a 1 week boot camp - then all I use are a few dozen Cisco 2950 switches for the past 3 years. I have mentioned many times in the last few weeks of posts that my CCNA expires in November but I probably won't renew it until early next year.
Also, I don't think ACL's (and especially wild card masks) are much more than glossed over or mentioned "in passing" for CCNA.
Anyway, it's been a good refresher. And I did saysprkymrk wrote:It's been a while for me, so hopefully a more able Cisco person can confirm this.
I always cover my butt.... All things are possible, only believe. -
macwhizard
Member Posts: 66 ■■□□□□□□□□
Thanks guys.
i really need to know how this wildcard thing work. it seems really confusing.wildcard bits. 0= exact match, 1=any/ignore
00000000.00000000.00000000.00100000 mean all, except the 27th bit must match
for eg. default wildcard mask of 192.168.0.0 /24 is 0.0.0.255
but if i use blocksize 64 (binary x.x.x.00111111 1+2+4+8+16+32 = 63) with ip's configured using default mask /24
deny 192.168.0.0 0.0.0.63, and permit any, does it mean, it will deny hosts 192.168.0.192 onwards (bin x.x.x.11000000 is exact match) and only allow hosts x.x.x.1 to 191 ?.
if wrong, please explain with binary examples. -
EdTheLad
Member Posts: 2,111 ■■■■□□□□□□
macwhizard wrote:Thanks guys.
i really need to know how this wildcard thing work. it seems really confusing.wildcard bits. 0= exact match, 1=any/ignore
00000000.00000000.00000000.00100000 mean all, except the 27th bit must match
for eg. default wildcard mask of 192.168.0.0 /24 is 0.0.0.255
but if i use blocksize 64 (binary x.x.x.00111111 1+2+4+8+16+32 = 63) with ip's configured using default mask /24
deny 192.168.0.0 0.0.0.63, and permit any, does it mean, it will deny hosts 192.168.0.192 onwards (bin x.x.x.11000000 is exact match) and only allow hosts x.x.x.1 to 191 ?.
if wrong, please explain with binary examples.
The 1's in the wildcard masks are wildcards meaning anything in this bit location is acceptable.0 means an absolute match.
If you have deny 192.168.0.0 0.0.0.63
the 63 = 00111111 therefore anything in the last 6 digits will be denied.
it will deny a range 0-63
if you did deny 192.168.0.0 0.0.1.0, the 1 = 00000001 therefore you would deny addresses 192.168.0.x and 192.168.1.x
permit any means allow all, remember an access list is read sequentually which means once a match is found it exits the list.If you put permit any at the start it wouldnt matter want comes next all is allowed.Networking, sometimes i love it, mostly i hate it.Its all about the $$$$ -
sprkymrk
Member Posts: 4,884 ■■■□□□□□□□
And of course the implicit deny any at the end of the ACL means if you have an ACL with a single deny statement but no allow, nothing at all gets through.ed_the_lad wrote:If you put permit any at the start it wouldnt matter want comes next all is allowed.All things are possible, only believe. -
macwhizard
Member Posts: 66 ■■□□□□□□□□
ed_the_lad wrote:.... if you did deny 192.168.0.0 0.0.1.0, the 1 = 00000001 therefore you would deny addresses 192.168.0.x and 192.168.1.x confusing when compared to this . is it just me ?.
