Wildcard Masking Question

mattsthe2

What would be the statement to apply to ACL to include the follwoing networks
10.1.4.0/24 to 10.1.8.0/24?

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

shednik

mattsthe2 wrote:

What would be the statement to apply to ACL to include the follwoing networks
10.1.4.0/24 to 10.1.8.0/24?

0.0.4.255 - the wild card mask

They way i usually calculate the wildcard mask is i look at the range of addresses and subtract the difference of the 2

10.1.8.255
10.1.4.0

wildcard mask = 0.0.4.255

tech-airman

mattsthe2 wrote:

What would be the statement to apply to ACL to include the follwoing networks
10.1.4.0/24 to 10.1.8.0/24?

mattsthe2,

What is 10.1.4.0 in binary?

mattsthe2

10 1 4 0

00001010 00000001 00000100 00000000

My first stab at the question i got what shednik got.
My my book said something different.

So i took the time to figure this out.

Apprently it is saying you need two Wildcast Masks as follows:

0.0.3.255 - this will cover the range 10.1.4.0 to 10.1.7.255
0.0.1.255 - this will cover the range 10.1.8.0 -10.1.8.255

Then i thought to myself why do i need two lines when i can get the job done in one with : 0.0.4.255

This is where i got confused a bit.

The explaination i have come up with (correct me if im wrong) is to look at the first subnet in the first IP address range. For example. 10.1.4.0 The subnet octet in this case the 3rd octet needs to be a base-2 number (1,2,4,8,16 etc). If its not match up or match down. In our example this is ok.

Then we need to look to the ending range network in this case 10.1.8.0. The third octet in this case is the subnetted octet, 8. This number should NOT be a base-2 number because its in the next subnetted range.

Please let me know if my explaination is correct or provide a reason why we need two Wildcast Masks.

NeonNoodle

mattsthe2 wrote:

What would be the statement to apply to ACL to include the follwoing networks
10.1.4.0/24 to 10.1.8.0/24?

To cover the subnets 10.1.4.0/24 to 10.1.8.0/24 you need two statements:

10.1.4.0 0.0.3.255 which covers 10.1.4.0 to 10.1.7.255
10.1.8.0 0.0.0.255 which covers 10.1.8.0 to 10.1.8.255

To see why, convert the third octets to binary and apply the rules for wildcard masks, i.e. a binary zero means the bit must match and a binary one means the bit can be either one or zero.

shednik

NeonNoodle wrote:

mattsthe2 wrote:

What would be the statement to apply to ACL to include the follwoing networks
10.1.4.0/24 to 10.1.8.0/24?

To cover the subnets 10.1.4.0/24 to 10.1.8.0/24 you need two statements:

10.1.4.0 0.0.3.255 which covers 10.1.4.0 to 10.1.7.255
10.1.8.0 0.0.0.255 which covers 10.1.8.0 to 10.1.8.255

To see why, convert the third octets to binary and apply the rules for wildcard masks, i.e. a binary zero means the bit must match and a binary one means the bit can be either one or zero.

I can see what you mean there but now my question is how would 2 ranges be applied to an interface going in the same direction??

mattsthe2

NeonNoodle wrote:

To see why, convert the third octets to binary and apply the rules for wildcard masks, i.e. a binary zero means the bit must match and a binary one means the bit can be either one or zero.

Yea my bad, 0.0.0.255 on the 2nd wildcard mask.

But im loosing you on how to see why. Can you explain a little further???

tech-airman

mattsthe2 wrote:

10 1 4 0

00001010 00000001 00000100 00000000

mattsthe2,

That's correct. What is 10.1.8.0 in binary?

mattsthe2

10 1 8 0

00001010 00000001 00001000 00000000

tech-airman

mattsthe2 wrote:

10 1 8 0

00001010 00000001 00001000 00000000

mattsthe2,

That's correct. Now, put the binary for 10.1.4.0 on top of the binary for 10.1.8.0 between code tags.

mattsthe2

tech-airman,
Your killing me here...

00001010 00000001 00000100 00000000
00001010 00000001 00001000 00000000

tech-airman

mattsthe2 wrote:
tech-airman,
Your killing me here...
00001010 00000001 00000100 00000000
00001010 00000001 00001000 00000000

mattsthe2,

Now, do you notice any common bits in both of those binary addresses? Common bits INCLUDES the '0's.

NeonNoodle

mattsthe2 wrote:

NeonNoodle wrote:

To see why, convert the third octets to binary and apply the rules for wildcard masks, i.e. a binary zero means the bit must match and a binary one means the bit can be either one or zero.

Yea my bad, 0.0.0.255 on the 2nd wildcard mask.

But im loosing you on how to see why. Can you explain a little further???

00001010.00000001.00000100.00000000-->10.1.4.0
00001010.00000001.00000101.00000000-->10.1.5.0
00001010.00000001.00000110.00000000-->10.1.6.0
00001010.00000001.00000111.00000000-->10.1.7.0

Look at the bolded sections. 10.1.4.0--10.1.7.0 don't vary except in the first two digits of the third octet (and in every digit of the fourth octet, too, but we aren't considering that right now). According to the wildcard mask rules, if the nth bit doesn't vary put a 0. If the nth bit varies put a 1. That why you get
00000000.00000000.00000011.11111111-->0.0.3.255 (The .255 is present because every digit of fourth octet does vary.)

00001010.00000001.00001000.00000000-->10.1.8.0
Can you explain why the wildcard mask for 10.1.8.0
is 0.0.0.255?

NeonNoodle

shednik wrote:

NeonNoodle wrote:

mattsthe2 wrote:

What would be the statement to apply to ACL to include the follwoing networks
10.1.4.0/24 to 10.1.8.0/24?

To cover the subnets 10.1.4.0/24 to 10.1.8.0/24 you need two statements:

10.1.4.0 0.0.3.255 which covers 10.1.4.0 to 10.1.7.255
10.1.8.0 0.0.0.255 which covers 10.1.8.0 to 10.1.8.255

To see why, convert the third octets to binary and apply the rules for wildcard masks, i.e. a binary zero means the bit must match and a binary one means the bit can be either one or zero.

I can see what you mean there but now my question is how would 2 ranges be applied to an interface going in the same direction??

access-list 1 deny 10.1.4.0 0.0.3.255
access-list 1 deny 10.1.8.0 0.0.0.255
access-list 1 permit any

ip access-group 1 out

The access list denies 10.1.4.0--10.1.8.255 outbound.

mattsthe2

tech-airman wrote:

mattsthe2,

Now, do you notice any common bits in both of those binary addresses? Common bits INCLUDES the '0's.

Yes the first second and forth octets all are common bit by bit.
The 3rd octet has the 1st, 2nd bits that are common also?

mattsthe2

NeonNoodle wrote:

00001010.00000001.00001000.00000000-->10.1.8.0
Can you explain why the wildcard mask for 10.1.8.0
is 0.0.0.255?

I think so. Because the 1st, 2nd and 3rd octets do not change or is ignored but the 4th octet does. The 255 specifies that it uses the whole 4th octet range. I.E 0-255 (00000000 - 11111111)

tech-airman

mattsthe2 wrote:

tech-airman wrote:

mattsthe2,

Now, do you notice any common bits in both of those binary addresses? Common bits INCLUDES the '0's.

Yes the first second and forth octets all are common bit by bit.
The 3rd octet has the 1st, 2nd bits that are common also?

mattsthe2,

That's correct. Now, what kind of bits are in the fourth octet? (choose all that apply)

Network
Subnetwork
Host

mattsthe2

tech-airman wrote:

mattsthe2 wrote:

tech-airman wrote:

mattsthe2,

Now, do you notice any common bits in both of those binary addresses? Common bits INCLUDES the '0's.

Yes the first second and forth octets all are common bit by bit.
The 3rd octet has the 1st, 2nd bits that are common also?

mattsthe2,

That's correct. Now, what kind of bits are in the fourth octet? (choose all that apply)
Network

Subnetwork

Host

Unless im making this overly compliated anything after the subnetwork bit is hosts bits.

Answer: Host

tech-airman

mattsthe2 wrote:

tech-airman wrote:

mattsthe2 wrote:

tech-airman wrote:

mattsthe2,

Now, do you notice any common bits in both of those binary addresses? Common bits INCLUDES the '0's.

Yes the first second and forth octets all are common bit by bit.
The 3rd octet has the 1st, 2nd bits that are common also?

mattsthe2,

That's correct. Now, what kind of bits are in the fourth octet? (choose all that apply)
Network

Subnetwork

Host

Unless im making this overly compliated anything after the subnetwork bit is hosts bits.

Answer: Host

mattsthe2,

That's correct. So what's the wildcard mask so far?

mattsthe2

tech-airman wrote:

That's correct. So what's the wildcard mask so far?

You lost me now.

Did i get it right in my second post, i think i hit the money from the start?

NeonNoodle

Let's try a different approach.

What range of addresses do the following statements cover?

1) 10.1.1.13 0.0.0.7

2) 10.1.1.16 0.0.0.7

3) 10.1.1.13 0.0.0.0
10.1.1.14 0.0.0.1
10.1.1.16 0.0.0.3
10.1.1.20 0.0.0.1

What is the difference between 1) and 2)? Why?

What is the difference between 1) and 3)? Why?

mattsthe2

NeonNoodle wrote:

Let's try a different approach.

What range of addresses do the following statements cover?

1) 10.1.1.13 0.0.0.7

2) 10.1.1.16 0.0.0.7

3) 10.1.1.13 0.0.0.0
10.1.1.14 0.0.0.1
10.1.1.16 0.0.0.3
10.1.1.20 0.0.0.1

What is the difference between 1) and 2)? Why?

What is the difference between 1) and 3)? Why?

1) 10.1.1.8 - 10.1.1.15
2) 10.1.1.16 - 10.1.1.31
3) 10.1.1.13 - 10.1.1.13

10.1.1.14 - 10.1.1.15
C) 10.1.1.16 - 10.1.1.19
D) 10.1.1.20 - 10.1.1.21

Whats the difference between 1 and 2.
1 is apart of a different subnetwork than 2. 1 falls under the 8 network and 2 falls under the 16 network.
How did i figure that out, i did the following:
255-7=248 i know that 248 has networks in multiples of 8 because its a /21.

What is the difference between 1) and 3)?
1 covers the entire range within that subnetwork and 3 doesnt cover any range except itself because its a /32 network.

r_durant

mattsthe2 wrote:

2) 10.1.1.16 - 10.1.1.31

I think this should be 10.1.1.16 - 10.1.1.23

mattsthe2

r_durant wrote:

mattsthe2 wrote:

2) 10.1.1.16 - 10.1.1.31

I think this should be 10.1.1.16 - 10.1.1.23

Yes your right, i think i needed sleep at that point.
Net: 0,8,16,24