acl wildcard

waymorrwaymorr Member Posts: 29 ■□□□□□□□□□
hi guys been on here a while but this is 1st post any help with this would be much appreciated.
if you are trying to write a single acl to cover multiple network addresses how is the acl
wildcard mask worked out?
for example:

172.16.4.0 255.255.255.0
172.16.5.0 255.255.255.0
172.16.6.0 255.255.255.0
172.16.7.0 255.255.255.0

cheers in advance

Comments

  • r_durantr_durant Member Posts: 486
    I'll make the assumption here that you can subnet...

    For the range you want to cover 172.16.4.0 - 7.0, to summarize that range, it falls in a /30 subnet...remember /30 is .252 mask and doing the math...256 - 252 gives you 4...

    Then your summarized range would look like this...172.16.4.0 255.255.252.0 and this covers 172.16.4.0 down to 172.16.7.255, with 4.0 being the subnet number and 7.255 being the broadcast address...

    So now we have this network address...172.16.4.0 255.255.252.0, to find the wildcard mask, the way I do it, is to subtract the mask 255.255.252.0 from 255.255.255.255...

    255.255.255.255
    255.255.252.0
    0.0.3.255

    Which gives 0.0.3.255 as the wildcard mask...

    Therefore your ACL can look something like this...

    access-list 1 permit|deny 172.16.4.0 0.0.3.255

    If you want to permit or deny to a specific destination or include ports then you would use an extended acl...

    Hopefully, I have explained it correctly... :)
    CCNA (Expired...), MCSE, CWNA, BSc Computer Science
    Working on renewing CCNA!
  • mikearamamikearama Member Posts: 749
    You're asking how aggregation works... also known as route summarization.

    So your networks are
    172.16.4.0 255.255.255.0
    172.16.5.0 255.255.255.0
    172.16.6.0 255.255.255.0
    172.16.7.0 255.255.255.0

    If you knew that this acl would cover the entire 172.16.0.0 group of subnets, you could use it, with a mask of 255.255.0.0.

    Since you specified only four subnets, they can be reduced to 172.16.4.0 255.255.252.0.

    Now in an acl, the wildcard mask is the exact opposite of the subnet mask, so something like:

    Access-list 101 deny tcp 172.16.4.0 0.0.3.255 any eq ftp

    This would deny anything from 4.0 through 7.255 from accessing anything beyond the router using ftp.

    That help?
    Mike
    There are only 10 kinds of people... those who understand binary, and those that don't.

    CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110

    Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.
  • waymorrwaymorr Member Posts: 29 ■□□□□□□□□□
    cheers guys that clears it up for me :)
Sign In or Register to comment.