
ACL Wildcard

surfthegecko Member Posts: 149
Hi,

For whatever reason I'm struggling with the ACL wildcard bits.

Am I right in thinking that if you want to permit traffic to the following subnets:
192.168.3.0 --> 192.168.11.0
That you would use a 0.0.4.255 wildcard

I came to this conclusion by the following

192.168.3.0
0.0.00000011.0

192.168.11.0
0.0.00001011.0

Now the only binary digits that they have in common in the 3rd octet are the first 4, hence why I have chosen 4.

I'm pretty sure this is way off the mark.
If somebody could confirm if this is wrong/right, and maybe link me to any decent knowledge articles on this I would appreciate it.

Thanks
Nick
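To make the question concrete, here is an added Python example (not posted by anyone in the thread) that evaluates a Cisco-style wildcard match bit by bit and shows what the proposed entry 192.168.3.0 0.0.4.255 actually covers, then uses the standard library's ipaddress module to work out which aligned blocks are needed to cover 192.168.3.0 through 192.168.11.255 without permitting anything outside that range. The address range and the entry names are taken from the post; the function names are this example's own.

```python
import ipaddress

MASK32 = 0xFFFFFFFF


def acl_matches(addr: str, network: str, wildcard: str) -> bool:
    """Cisco-style wildcard match.

    A 1 bit in the wildcard means 'don't care'; every other bit of the
    candidate address must equal the corresponding bit of the network.
    """
    care = int(ipaddress.IPv4Address(wildcard)) ^ MASK32
    return (int(ipaddress.IPv4Address(addr)) & care) == (
        int(ipaddress.IPv4Address(network)) & care
    )


def matched_third_octets(network: str, wildcard: str) -> list[int]:
    """Third-octet values a single entry matches, holding the other octets
    at the network's own values. Used here to show what 0.0.4.255 really does:
    wildcard octet 4 (00000100) frees only one bit, so it is not a range."""
    o = ipaddress.IPv4Address(network).packed
    return [
        third
        for third in range(256)
        if acl_matches(f"{o[0]}.{o[1]}.{third}.{o[3]}", network, wildcard)
    ]


def entries_for_range(first: str, last: str) -> list[tuple[str, str]]:
    """Smallest list of (network, wildcard) entries that cover first..last
    exactly. Each entry is one aligned block, so its wildcard is contiguous
    (0.0.0.255, 0.0.3.255, ...), i.e. the inverse of a subnet mask."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    )
    return [(str(b.network_address), str(b.hostmask)) for b in blocks]


def range_is_covered(entries, first: str, last: str) -> bool:
    """True if every address in first..last matches at least one entry and
    the addresses just outside the range match none (no over-permit)."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))

    def hit(n: int) -> bool:
        a = str(ipaddress.IPv4Address(n))
        return any(acl_matches(a, net, wc) for net, wc in entries)

    inside = all(hit(n) for n in range(lo, hi + 1))
    outside = (lo == 0 or not hit(lo - 1)) and (hi == MASK32 or not hit(hi + 1))
    return inside and outside


if __name__ == "__main__":
    # What the proposed single entry really matches (constructed check).
    print("192.168.3.0 0.0.4.255 matches third octets:",
          matched_third_octets("192.168.3.0", "0.0.4.255"))
    # The entries that cover 192.168.3.0 - 192.168.11.255 exactly.
    entries = entries_for_range("192.168.3.0", "192.168.11.255")
    for net, wc in entries:
        print(f"permit ip {net} {wc} any")
    print("covers exactly .3.0-.11.255:",
          range_is_covered(entries, "192.168.3.0", "192.168.11.255"))
```

Running it prints the three entries (192.168.3.0 0.0.0.255, 192.168.4.0 0.0.3.255, 192.168.8.0 0.0.3.255) and shows that 0.0.4.255 on 192.168.3.0 matches only the .3 and .7 subnets, because a wildcard frees individual bits rather than describing an interval. The range check is the kind of test worth running before deploying an ACL, since an over-broad wildcard silently permits neighbouring subnets.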

Comments

  • dynamik Banned Posts: 12,312
    You just invert the subnet mask. Subtract each octet from 255. Also, the octet will always be odd (or zero).
  • surfthegecko Member Posts: 149
    But surely this means if you have the following networks

    192.168.3.0 /24
    192.168.4.0 /24
    .....
    192.168.11.0 /24

    They all use the same 255.255.255.0 network, so the wildcard mask would be 0.0.0.255

    This would then define any others in the 192.168.x.0 /24 range as well.

    If you only want it to do these few, how would you do it?
  • billscott92787 Member Posts: 933
    Well it all depends, for example:

    permit ip any 192.168.11.0 0.0.0.255 would permit any host to reach anything within the 192.168.11.0 subnet 192.168.11.0 - 192.168.11.255


    The ACLs vary; you can make ACLs that are only for certain ranges, like:


    192.168.11.0 0.0.0.3, or you could do 192.168.11.0 0.0.0.7. Have you been able to access a Cisco router CLI? The best thing you can do is lab this out and get used to how to block certain ranges. It makes it a lot easier to understand.
  • surfthegecko Member Posts: 149
    Unfortunately not.

    I understand you use 172.16.3.0 0.0.0.255 when you want to worry about the 172.16.3 network but none of the hosts

    or

    172.16.0.0 0.0.255.255 when you don't mind if it's 172.16.3 /.4 /.5 .....


    I just don't understand how you come up with ones where its digits are other than 0 or 255.

    If that makes sense.

    How do you come to 0.0.3.255 or 0.0.0.3

    If you have examples of how this is derived it would be much appreciated.

    Thanks
  • billscott92787 Member Posts: 933
    Ok, let's say you have 172.16.0.0, and you want to create an ACL to deny 192.168.1.0 0.0.0.255 (all IP addresses of the 192.168.1.0 network) from accessing anything within the 172.16.0.0 - 172.16.3.255 range. Well, how would you do that?

    You would do the following:

    access-list 100 deny tcp 192.168.1.0 0.0.0.255 172.16.0.0 0.0.3.255

    The 0.0.3.255 gives you up to the range that you want to block. I highly recommend you use a simulator like Cisco Packet Tracer or GNS3 and try this out. It will make more sense.
  • surfthegecko Member Posts: 149
    So if you have the 172.16.3.0 you use a 3.255, so this 3rd octet is just the subnet value?

    eg 172.16.27.0 would use 0.0.27.255?

    I think I will get GNS3 like you said so I can see it in action

    Thanks
  • surfthegecko Member Posts: 149
    Doh penny just dropped.

    You don't make up the wildcard on the fly; it's a result of the network subnet mask/s that you are trying to permit/deny.

    Eg 192.168.27.0 /28

    Would give you networks like:

    192.168.27.0
    192.168.27.16
    192.168.27.32
    192.168.27.48

    /32 - 255.255.255.255
    /28 - 255.255.255.240
    - 0.0.0.15

    If you wanted to deny any traffic from 192.168.27.0 /28 from getting to 172.16.1.0 you would do:

    access-list 101 deny ip 192.168.27.0 0.0.0.15 172.16.1.0 0.0.0.255

    int fa 0/1
    ip access-group 101 in (inbound because you apply it as close to the source as possible on extended?)

    Ta-Dah (I think)
  • mella060 Member Posts: 198
    Ok, let's say you want to create an ACL to deny traffic from the 192.168.27.0 /28 network. What is the subnet mask for this /28 network?

    /28 = 255.255.255.240...so then what do you get when you subtract that from 255.255.255.255 ?

    255.255.255.255 -
    255.255.255.240.......you would get 0.0.0.15

    What about if you want an ACL to block traffic from say 172.16.0.0 - 172.16.4.0...what subnet mask would you need to do this ?

    172.16.0.0 /22...255.255.252.0...that would give you an increment of 4 in the 3rd octet which would block the range...172.16.0.0 - 172.16.3.255

    The next subnet would be 172.16.4.0...then 172.16.8.0 and so on

    So then a /22 = 255.255.252.0...what would you get if you subtract this from 255.255.255.255 ?

    255.255.255.255 -
    255.255.252.0.......you would get 0.0.3.255

    Remember the value you get, whether it be 3 or 15 or whatever, is always one less than the increment.
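The derivation in the last two posts (mask from prefix length, wildcard by subtracting each octet from 255, and the "one less than the increment" rule) carried through in code. This is an added Python example, not written by anyone in the thread; the /28 and /22 cases and the 192.168.27.0 and 172.16.0.0 networks are the ones discussed above, and the function names are this example's own.

```python
MASK32 = 0xFFFFFFFF


def dotted_to_int(dotted: str) -> int:
    """Parse a dotted-quad string, rejecting anything that is not four octets 0-255."""
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {dotted!r}")
    value = 0
    for p in parts:
        octet = int(p)
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range in {dotted!r}")
        value = (value << 8) | octet
    return value


def int_to_dotted(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> int:
    """/28 -> 0xFFFFFFF0 (255.255.255.240); /22 -> 0xFFFFFC00 (255.255.252.0)."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return (MASK32 << (32 - prefix)) & MASK32


def wildcard_from_mask(mask_dotted: str) -> str:
    """The per-octet rule from the thread: subtract each octet from 255.
    Only valid for a contiguous subnet mask, which is what makes it equal
    to the bitwise inverse below."""
    return int_to_dotted(MASK32 ^ dotted_to_int(mask_dotted))


def wildcard_for_prefix(prefix: int) -> str:
    """Bitwise inverse of the mask; identical to wildcard_from_mask for a /n."""
    return int_to_dotted(prefix_to_mask(prefix) ^ MASK32)


def block_increment(prefix: int) -> tuple[int, int]:
    """Return (octet index 0-3, increment): the 'interesting' octet and the
    step between consecutive subnets, i.e. wildcard octet value + 1.
    A wildcard octet of 255 means that whole octet is wild, so the step is
    1 in the octet to its left (a /24 steps by 1 in the third octet)."""
    wildcard = prefix_to_mask(prefix) ^ MASK32
    for idx, shift in enumerate((24, 16, 8, 0)):
        value = (wildcard >> shift) & 0xFF
        if value != 0:
            if value == 255 and idx > 0:
                return idx - 1, 1
            return idx, value + 1
    return 3, 1  # /32: a single host, increment of one in the last octet


def first_subnets(base: str, prefix: int, count: int) -> list[tuple[str, str]]:
    """List the first `count` subnets of size /prefix starting at base's block,
    each as (network address, last address)."""
    mask = prefix_to_mask(prefix)
    wildcard = mask ^ MASK32
    start = dotted_to_int(base) & mask
    size = wildcard + 1
    out = []
    for i in range(count):
        net = start + i * size
        if net > MASK32:
            break
        out.append((int_to_dotted(net), int_to_dotted(net | wildcard)))
    return out


if __name__ == "__main__":
    for prefix in (28, 22, 24):
        mask = int_to_dotted(prefix_to_mask(prefix))
        idx, step = block_increment(prefix)
        print(f"/{prefix}: mask {mask}, wildcard {wildcard_from_mask(mask)}, "
              f"increment {step} in octet {idx + 1}")
    for net, last in first_subnets("192.168.27.0", 28, 4):
        print(f"192.168.27.0/28 block: {net} - {last}")
    for net, last in first_subnets("172.16.0.0", 22, 2):
        print(f"172.16.0.0/22 block: {net} - {last}")
```

Both wildcard functions give the same answer for any /n, which is the point of dynamik's "just invert the subnet mask": the 255-minus-octet arithmetic is the bitwise NOT written one octet at a time. The increment helper makes mella060's rule checkable, and first_subnets shows why a single wildcard can only ever describe an aligned, power-of-two sized block.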