acl wildcard
waymorr
Hi guys, I've been on here a while but this is my 1st post; any help with this would be much appreciated.
If you are trying to write a single ACL to cover multiple network addresses, how is the ACL
wildcard mask worked out?
For example:
172.16.4.0 255.255.255.0
172.16.5.0 255.255.255.0
172.16.6.0 255.255.255.0
172.16.7.0 255.255.255.0
Cheers in advance.
Comments
r_durant
I'll make the assumption here that you can subnet...
For the range you want to cover 172.16.4.0 - 7.0, to summarize that range, it falls in a /30 subnet...remember /30 is .252 mask and doing the math...256 - 252 gives you 4...
Then your summarized range would look like this...172.16.4.0 255.255.252.0 and this covers 172.16.4.0 down to 172.16.7.255, with 4.0 being the subnet number and 7.255 being the broadcast address...
So now we have this network address...172.16.4.0 255.255.252.0, to find the wildcard mask, the way I do it, is to subtract the mask 255.255.252.0 from 255.255.255.255...
  255.255.255.255
- 255.255.252.0
= 0.0.3.255
Which gives 0.0.3.255 as the wildcard mask...
Therefore your ACL can look something like this...
access-list 1 permit|deny 172.16.4.0 0.0.3.255
If you want to permit or deny to a specific destination or include ports then you would use an extended acl...
Hopefully, I have explained it correctly...
mikearama
You're asking how aggregation works... also known as route summarization.
So your networks are
172.16.4.0 255.255.255.0
172.16.5.0 255.255.255.0
172.16.6.0 255.255.255.0
172.16.7.0 255.255.255.0
If you knew that this acl would cover the entire 172.16.0.0 group of subnets, you could use it, with a mask of 255.255.0.0.
Since you specified only four subnets, they can be reduced to 172.16.4.0 255.255.252.0.
Now in an acl, the wildcard mask is the exact opposite of the subnet mask, so something like:
access-list 101 deny tcp 172.16.4.0 0.0.3.255 any eq ftp
This would deny anything from 4.0 through 7.255 from accessing anything beyond the router using ftp.
That help?
Mike
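Both answers above work the summary 172.16.4.0/22 and its wildcard 0.0.3.255 out by hand. The Python below is an added example, not code from either poster: it finds the smallest prefix covering a list of networks, derives the wildcard mask as the inverse of the subnet mask, reports any block the summary would pull in that was not asked for (the check to make before the entry becomes a permit), and implements the bit test a router applies to each packet. The four networks are the ones from the question; the ACL number, the action and the function names are assumptions.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample: the four /24s from the question above.
QUESTION_NETWORKS = [
    "172.16.4.0/24",
    "172.16.5.0/24",
    "172.16.6.0/24",
    "172.16.7.0/24",
]


def summarize(networks: Iterable[str]) -> ipaddress.IPv4Network:
    """Return the smallest single prefix (the route summary) that covers every
    network in `networks`. Shortens the prefix until the block that starts at
    the lowest address also contains the highest broadcast address."""
    nets = [ipaddress.ip_network(n) for n in networks]
    lo = min(n.network_address for n in nets)
    hi = max(n.broadcast_address for n in nets)
    prefix = min(n.prefixlen for n in nets)
    while prefix > 0:
        cand = ipaddress.ip_network((int(lo), prefix), strict=False)
        if cand.network_address <= lo and hi <= cand.broadcast_address:
            return cand
        prefix -= 1
    return ipaddress.ip_network("0.0.0.0/0")


def wildcard_mask(net: ipaddress.IPv4Network) -> str:
    """ACL wildcard for a prefix: the bitwise inverse of the subnet mask,
    i.e. 255.255.255.255 minus the mask (255.255.252.0 -> 0.0.3.255)."""
    return str(net.hostmask)


def standard_acl_line(number: int, action: str, networks: Iterable[str]) -> str:
    """Render one numbered standard ACL entry covering all `networks`
    (number and action are caller-supplied assumptions)."""
    s = summarize(list(networks))
    return f"access-list {number} {action} {s.network_address} {wildcard_mask(s)}"


def over_coverage(networks: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Blocks inside the summary that were NOT in `networks`. A non-empty
    result means one summarized entry permits or denies more than asked."""
    networks = list(networks)
    wanted = list(ipaddress.collapse_addresses(ipaddress.ip_network(n) for n in networks))
    remaining = [summarize(networks)]
    for n in wanted:
        nxt = []
        for r in remaining:
            if r.subnet_of(n):          # r lies entirely inside a wanted block: drop it
                continue
            if n.subnet_of(r):          # carve the wanted block out of r
                nxt.extend(r.address_exclude(n))
            else:                       # disjoint: prefix-aligned blocks never partially overlap
                nxt.append(r)
        remaining = nxt
    return sorted(remaining)


def acl_matches(addr: str, base: str, wildcard: str) -> bool:
    """The comparison a router performs for one entry: a wildcard bit of 1
    means 'don't care', 0 means 'must equal the base address bit'. The
    wildcard is a bit pattern, not a length, so it need not be contiguous."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


if __name__ == "__main__":
    summary = summarize(QUESTION_NETWORKS)
    print(summary, wildcard_mask(summary))                    # 172.16.4.0/22 0.0.3.255
    print(standard_acl_line(1, "permit", QUESTION_NETWORKS))  # ACL number/action assumed
    print(over_coverage(QUESTION_NETWORKS))                   # [] : the summary is an exact fit
    # Drop 172.16.7.0/24 and the same summary now catches a network nobody asked for:
    print(over_coverage(QUESTION_NETWORKS[:3]))               # [IPv4Network('172.16.7.0/24')]
    print(acl_matches("172.16.7.255", "172.16.4.0", "0.0.3.255"))  # True
    print(acl_matches("172.16.8.1", "172.16.4.0", "0.0.3.255"))    # False
```

The over_coverage check is the part worth keeping: summarizing 172.16.4.0/24 through 172.16.6.0/24 still yields 172.16.4.0/22, and a permit written that way silently admits 172.16.7.0/24 as well. When the result is not empty, either list the networks as separate entries or add an explicit deny for the extra block before the summarized permit.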
waymorr
Cheers guys, that clears it up for me.