ACL Wildcard

Hi,

For whatever reason im struggling with the ACL wildcard bits.

Am I right in thinking that if you want to permit traffic to the following subnets:
192.168.3.0 --> 192.168.11.0
That you would use a 0.0.4.255 wildcard

I came to this conclusion by the following

192.168.3.0
0. 0.00000011.0

192.168.11.0
0. 0.00001011.0

Now the only binary digits that they have in common in the 3rd octect are the first 4, hence why I have chosen 4

Im pretty sure this is way off the mark.
If somebody could confirm if this is wrong/right, and maybe link me to any decent knowledge articles on this I would appreciate it.

Thanks
Nick

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

dynamik

You just invert the subnet mask. Subtract each octet from 255. Also, the octet will always be odd (or zero).

surfthegecko

But surely this means if you have the following neworks

192.168.3.0 /24
192.168.4.0 /24
.....
192.168.11.0 /24

They all use the same 255.255.255.0 network, so the wildcard mask would be 0.0.0.255

This would then define any others in the 192.168.x.0 /24 range as well.

If you only want it to do these few, how would you do it?

billscott92787

surfthegecko wrote: »

But surely this means if you have the following neworks

192.168.3.0 /24
192.168.4.0 /24
.....
192.168.11.0 /24

They all use the same 255.255.255.0 network, so the wildcard mask would be 0.0.0.255

This would then define any others in the 192.168.x.0 /24 range as well.

If you only want it to do these few, how would you do it?

Well it all depends, for example:

permit ip any 192.168.11.0 0.0.0.255 would permit any host to reach anything within the 192.168.11.0 subnet 192.168.11.0 - 192.168.11.255

The ACL's very, you can make ACLs that are only for certain ranges like:

192.168.11.0 0.0.0.3, you could do 192.168.11.0 0.0.0.7, Have you been able to access a router CLI from Cisco The best thing you can do is lab this out and get use to how to block certain ranges. It makes it a lot easier to understand.

surfthegecko

Unfortunately not

I understand you use 172.16.3.0 0.0.0.255 when you want to worry about the 172.16.3 network but none of the hosts

or

172.16.0.0 0.0.255.255 when you dont mind if its 172.16.3 /.4 /.5 .....

I just dont understand how you come up with ones where its digits other than 0 or 255

If thats make sense.

How do you come to 0.0.3.255 or 0.0.0.3

If you have examples of how this is derived i would be much appreciated.

Thanks

billscott92787

surfthegecko wrote: »

Unfortunately not

I understand you use 172.16.3.0 0.0.0.255 when you want to worry about the 172.16.3 network but none of the hosts

or

172.16.0.0 0.0.255.255 when you dont mind if its 172.16.3 /.4 /.5 .....

I just dont understand how you come up with ones where its digits other than 0 or 255

If thats make sense.

How do you come to 0.0.3.255 or 0.0.0.3

If you have examples of how this is derived i would be much appreciated.

Thanks

Ok lets say you have 172.16.0.0, and you want to create an ACL to deny 192.168.1.0 0.0.0.255 (all ip ranges of the 192.168.1.0 network) from access anything within the 172.16.0.0 - 172.16.3.255 range. Well how would you do that?

You would do the follow

access-list 100 deny tcp 192.168.1. 0.0.0.255 172.16.0.0 0.0.3.255

the 0.0.3.255 gives you up to the range that you want to block. I highly recommend you use a simulator like Cisco Packet Tracker or GNS3 and try this out. It will make more sense.

surfthegecko

So if you have the 172.16.3.0 you use a 3.255, so this 3rd octect is just the subnet value

eg 172.16.27.0 would use 0.0.27.255?

I think I will get GNS3 like you said so I can see it in action

Thanks

surfthegecko

Doh penny just dropped.

You dont make up the wildcard on the fly, its a result of the network subnet mask/s that you are trying to permit/deny

Eg 192.168.27.0 /28

Would give you networks like:

192.168.27.0
192.168.27.16
192.168.27.32
192.168.27.48

/32 - 255.255.255.255
/28 - 255.255.255.240
- 0. 0. 0. 15

If you wanted to deny any traffic from 192.168.27.0 /28 from getting to 172.16.1.0 you would do:

access-list 101 deny ip 192.168.27.0 0.0.0.15 172.16.1.0 0.0.0.255

int fa 0/1
ip access-group 101 in (inbound because you apply it as close to the source as possible on extended?)

Ta-Dah (I think)

mella060

Ok lets say you want to create an ACL to deny traffic from the 192.168.27.0 /28 network. What is the subnet mask for this /28 network ?

/28 = 255.255.255.240...so then what do you get when you subtract that from 255.255.255.255 ?

255.255.255.255 -
255.255.255.240.......you would get 0.0.0.15

What about if you want an ACL to block traffic from say 172.16.0.0 - 172.16.4.0...what subnet mask would you need to do this ?

172.16.0.0 /22...255.255.252.0...that would give you an increment of 4 in the 3rd octet which would block the range...172.16.0.0 - 172.16.3.255

The next subnet would be 172.16.4.0...then 172.16.8.0 and so on

So then a /22 = 255.255.252.0...what would you get if you subtract this from 255.255.255.255 ?

255.255.255.255 -
255.255.252.0.......you would get 0.0.3.255

Remember the value you get whether it be 3 or 15 or whatever is always one less then the increment.