Access List Weird Wildcard Mask

So, I've been studying for the CCNA exam and am taking it at the end of the week. I have a question on a practice exam that's just killing me and I'm not sure if I'm solving it right. The question shows up as a drag & drop, where you move an access list statement on to an IP address.

I understand how to use access lists for example when the wildcard mask is 0.0.0.15. That indicates the mask ends in .240. (255-15 = 240). But these questions are weird like this:

access-list 5 deny 127.26.192.0 0.0.31.254 What the heck is this? Does it mean 255.255.240.1 ? Is that even possible?! I am missing something and am not sure what. Any ideas, help, or suggestions out there?

Thanks!

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

Webmaster

Did you read the part about wildcards/reverse masks at www.techexams.net/technotes/ccna/accesslists.shtml ?

mwgood

access-list 5 deny 127.26.192.0 0.0.31.254 does not mean 255.255.240.1.

First, I don't know why the last octet is .254 - it would normally be indicated with a .255, meaning that anything goes in that octet. The .31 in the 3rd octet indicates a block size of 32, which means that anything between 127.26.192.x and 127.26.223.x would be denied.

tech77

Ok, thanks for the link. I think I understand it now. Maybe they're trying to specify a range of IP addresses to block with the mask. Could that be it?

tech77

mwgood,

First, I don't know why the last octet is .254 - it would normally be indicated with a .255, meaning that anything goes in that octet.

Thanks for the assist! I think I understand it now. The .254 may be a typo.

[/quote]The .31 in the 3rd octet indicates a block size of 32, which means that anything between 127.26.192.x and 127.26.223.x would be denied.

Yes! yes!!! 223-192 = 31. Ah ha! But how are you determining the block size based on .31? I have a number line that matches up like this:
128/128, 192/64, 224/32, 240/16 etc. so is it because 224 is pared with 32? What's the method here? This is getting interesting!

mwgood

tech77 wrote:

Yes! yes!!! 223-192 = 31. Ah ha! But how are you determining the block size based on .31? I have a number line that matches up like this:
128/128, 192/64, 224/32, 240/16 etc. so is it because 224 is pared with 32? What's the method here? This is getting interesting!

Simply: Since zero is the first number, just take the wild card and add one to get your block size. Pairing with a subnet is an extra [unneeded] step.

So... [for Wildcards]

.7 = 8
.15 = 16
.31 = 32
.63 = 64
.127 = 128

etc.

Webmaster

Yeah, all the most right bits must be 1, hence if bits from the third octet of a wildcard mask are 1, the fourth octet can only be all ones (1) i.o.w. can only be 255.

That may sound more complicated then it is, but it actually makes things easier, cause it means there is only a very limited amount of 'valid' wild card/reverse masks. The best thing to do to try and understand it is writing it our in binary and decimal notation. Some valid examples are ie.:

00000000.00000000.00000000.00001111 = 0.0.0.15
00000000.00000000.00000000.00011111 = 0.0.0.31
00000000.00000000.00000000.11111111 = 0.0.0.255
00000000.00000000.00001111.11111111 = 0.0.15.255

The following are examples of addresses that cannot be valid reverse masks because in binary they don't end with a continues block of 1's:

11111111.00000000.00000000.11111111 = 255.0.0.255
00000000.00000000.00011111.11111110 = 0.0.31.254

tech77

Thanks to the Webmaster for this! Contiguious 1s! Very important!!!

The following are examples of addresses that cannot be valid reverse masks because in binary they don't end with a continues block of 1's:

11111111.00000000.00000000.11111111 = 255.0.0.255
00000000.00000000.00011111.11111110 = 0.0.31.254

I now think the question I am trying to answer is a trick question. Part of the directions indicate 'not all options are used.' So the mask 0.0.31.254 may not be a typo. It may be just a trick to get you to waste time on a meaningless answer!! Cisco is turning me into a gibbering idiot.

Then based on the methods mwgood showed me if I have an ACL with 172.16.128.0 0.0.31.255 then the range here is:

172.26.128.0

to

172.26.159.0

and I think the real subnet mask is 255.255.224.0 if they're following class rules for natural masks.

Webmaster

00000000.00000000.00011111.11111110 = 0.0.31.254 (inverse)
11111111.11111111.11100000.00000000 = 255.255.224.0 (normal)

Note that the same goes for 'normal' subnet masks, they start with a contigious block of 1s, leaving us with only the following possible subnet masks:

Decimal	Binary
255.0.0.0	/8
255.128.0.0	/9
255.192.0.0	/10
255.224.0.0	/11
255.240.0.0	/12
255.248.0.0	/13
255.252.0.0	/14
255.254.0.0	/15
255.255.0.0	/16
255.255.128.0	/17
255.255.192.0	/18
255.255.224.0	/19
255.255.240.0	/20
255.255.248.0	/21
255.255.252.0	/22
255.255.254.0	/23
255.255.255.0	/24
255.255.255.128	/25
255.255.255.192	/26
255.255.255.224	/27
255.255.255.240	/28
255.255.255.248	/29
255.255.255.252	/30
255.255.255.254	/31
255.255.255.255	/32

dmaftei

tech77 wrote:

access-list 5 deny 127.26.192.0 0.0.31.254 What the heck is this?

The wildcard is valid. It's binary representation is:

00000000.00000000.00011111.11111110

What that means is that for an address to match, it must match 127.26.192.0 in the first 19 bits and the last bit. So the addresses that will match are the addresses in the 127.26.192.0/224 block and end with an even number (since the last bit of 127.26.192.0 is 0, and all even numbers written in binary end in 0). So these will match:
127.26.192.0
127.26.192.2
127.26.192.4 <-- there was a typo here...
etc.

while these will not match:
127.26.192.1
127.26.192.3
127.26.192.5
etc.

That being said, note that wildcards are not reversed masks; they're simply a sequence of 32 bits. It's true that most of the time they look like a reversed mask, because admins normally want to filter on subnets. However that's not a requirement. Therefore things like 85.85.85.85 (0101...) or 1.1.1.1 are perfectly valid wildcards. Why would anybody use that kind of wildcards is a different matter...

Webmaster

You're absolutely right. A wildcard mask is not the same as a reverse mask, and I should not have used these terms to denote the same thing.

The access-list command's parameter is a wild card mask not a reverse mask. However, as you mentioned, one would typically use reverse mask. As you can read in the first quote, even cisco assumes it...

cisco wrote:

Note: Enter a wildcard mask, which is the reverse of a subnet mask. A wildcard mask has 1s in bit positions to ignore, and 0s in bit positions to match. For example, entering 0.0.0.0 matches the specified address; entering 255.255.255.255 matches all addresses.

In the extensive explanation they are very clear about it though:

Cisco also wrote:

Each wildcard bit 0 indicates the corresponding bit position in the source. Each wildcard bit set to 1 indicates that both a 0 bit and a 1 bit in the corresponding position of the IP address of the packet will be considered a match to this access list entry.

There are three alternative ways to specify the source wildcard:

•Use a 32-bit quantity in four-part dotted decimal format. Place 1s in the bit positions you want to ignore.

•Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

•Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

Wildcard bits set to 1 need not be contiguous in the source wildcard. For example, a source wildcard of 0.255.0.64 would be valid.

I'm sorry if I added to the confusion...

Note that for the CCNA exam (as well as CCNP) the wildcard mask is always a reverse mask, i.o.w. ends with a contiguous block of 1s. Though this may very well be different for other, security related, exams such as for PIX and IDS exams.

Thanks dmaftei

tech77

Hey guys!

dmaftei wrote:

The wildcard is valid. It's binary representation is:

00000000.00000000.00011111.11111110

What that means is that for an address to match, it must match 127.26.192.0 in the first 19 bits and the last bit. So the addresses that will match are the addresses in the 127.26.192.0/224 block and end with an even number (since the last bit of 127.26.192.0 is 0, and all even numbers written in binary end in 0). So these will match:
127.26.192.0
127.26.192.2
127.26.192.3
etc.

Wait, now I'm confused again. You indicate the last address will end with an even number but 127.26.192.3 is not even. Is this a typo or what am I missing? 3 in binary is 11 so in an octet it would be 00000011.

Shouldn't the range go
127.26.192.0
127.26.192.2 then .4 , .6 , .8 and so on? Any help is greatly appreciated

dmaftei

tech77 wrote:

Hey guys!
Wait, now I'm confused again. You indicate the last address will end with an even number but 127.26.192.3 is not even. Is this a typo or what am I missing? 3 in binary is 11 so in an octet it would be 00000011.

Shouldn't the range go
127.26.192.0
127.26.192.2 then .4 , .6 , .8 and so on? Any help is greatly appreciated

That was a typo in my post (I'll fix it shortly). Matching addresses go 127.26.192.0, .2, .4, .6 and so on.

The webmaster is probably right in saying that you'll see only "sane" wildcards on CCNA exams. However, as you discovered in your practice question, you should be aware that sometimes wildcards can be... well, "wild"

dmaftei

Webmaster wrote:

Thanks

Welcome.

mwgood

It's not a typo after all!

I thought the .254 might be significant. Good catch, dmaftei - and an excellent explanation.