Is this correct regarding Wildcard Masks?

Cheesewaffle Member Posts: 20

Mainly the last section "Example #2 (Medium)"

Wildcard masks - Internetworkpro

Much Appreciated

Comments

  • peanutnoggin Member Posts: 1,096
    IMO... the easiest way to determine your wildcard mask is to subtract your subnet mask from all 255s. As an example... if your network is 192.168.1.0 /28 and you want to write an ACL for this network... you would subtract 255.255.255.240 from 255.255.255.255:

    255.255.255.255
    -255.255.255.240
    0.0.0.15 --> this would be your wildcard mask. I couldn't pull up the link... so I hope this helps some!

    V/r

    ~Peanut
    We cannot have a superior democracy with an inferior education system!

    -Mayor Cory Booker
  • losso Member Posts: 2
    I think what he's trying to determine is the more advanced option.

    is

    Access-list 101 permit tcp 10.0.0.0 0.255.255.255 128.15.12.8 64.16.0.3 eq 80

    so 65.16.0.3 is it a valid wildcard mask?

    I know subnet masks have to be 128, 192, 224 etc. and follow in order of the bits, e.g. you can't have 1111111.00001111 as octets in a subnet mask. Is this the inverse case for wildcards? i.e. you cannot have 00001111.00011111.00011111.00001111 but you can have 00000000.0000000.00000111.11111111??
  • fly351 Member Posts: 360
    Given the information we have so far we can come up with the following wildcard mask: 64.16.0.3. When we compare 128.15.12.8 with wildcard mask 64.16.0.3 we see that we can only come up with the 16 networks defined above thus the final ACL would be: Access-list 101 permit tcp 10.0.0.0 0.255.255.255 128.15.12.8 64.16.0.3 eq 80

    Unless that is some off-the-wall CCIE level craziness... then yes, it's wrong.
    CCNP :study:
  • Forsaken_GA Member Posts: 4,024
    fly351 wrote:
    Given the information we have so far we can come up with the following wildcard mask: 64.16.0.3. When we compare 128.15.12.8 with wildcard mask 64.16.0.3 we see that we can only come up with the 16 networks defined above thus the final ACL would be: Access-list 101 permit tcp 10.0.0.0 0.255.255.255 128.15.12.8 64.16.0.3 eq 80

    Unless that is some off-the-wall CCIE level craziness... then yes, it's wrong.

    It's not wrong. Look at the actual example as to what they're trying to accomplish. He wants to ensure that one network can access a very particular number of IPs, and to do it in as few ACL statements as possible. It's a good exercise in binary bit masking.
  • fly351 Member Posts: 360
    Forsaken_GA wrote:
    It's not wrong. Look at the actual example as to what they're trying to accomplish. He wants to ensure that one network can access a very particular number of IPs, and to do it in as few ACL statements as possible. It's a good exercise in binary bit masking.

    I was wrong... I have never seen this at the CCNA level... however, I am still studying, so maybe I haven't gotten to that part yet ;)
    CCNP :study:
  • fly351 Member Posts: 360
    So my instructor had taught me the "subtract from 255.255.255.255" method, which is why I had never seen/read this before.

    I am a little confused though on how the Wildcard Mask on the example 2 works.

    To permit access, the 0 bits must be on, and the 1 bits do not matter.
    Access-list 101 permit tcp 10.0.0.0 0.255.255.255 128.15.12.8 64.16.0.3 eq 80

    I think it's wrong.. here is what I broke into binary:

    10000000.00001111.00001100.00001000 - 128.15.12.8
    10000000.00001111.00001100.00001001 - 128.15.12.9
    10000000.00001111.00001100.00001010 - 128.15.12.10
    10000000.00001111.00001100.00001011 - 128.15.12.11
    11000000.00001111.00001100.00001000 - 192.15.12.8
    11000000.00001111.00001100.00001001 - 192.15.12.9
    11000000.00001111.00001100.00001010 - 192.15.12.10
    11000000.00001111.00001100.00001011 - 192.15.12.11
    10000000.00011111.00001100.00001000 - 128.31.12.8
    10000000.00011111.00001100.00001001 - 128.31.12.9
    10000000.00011111.00001100.00001010 - 128.31.12.10
    10000000.00011111.00001100.00001011 - 128.31.12.11
    11000000.00011111.00001100.00001000 - 192.31.12.8
    11000000.00011111.00001100.00001001 - 192.31.12.9
    11000000.00011111.00001100.00001010 - 192.31.12.10
    11000000.00011111.00001100.00001011 - 192.31.12.11
    01111111.11110000.11110011.11110111 - 127.240.243.247 (my wildcard mask)
    01000000.00010000.00000000.00000011 - 64.16.0.3 (the example's wildcard mask)

    Am I wrong??
    CCNP :study:
  • Forsaken_GA Member Posts: 4,024
    Yes, you're wrong.

    When wildcard masking, a 0 means the bit must match, and a 1 means it doesn't matter whether it's on or not.

    With your wildcard mask, the only requirement is that the first bit must be on. So the first octet of your wildcard mask will match on values from 128 to 255.

    In the example's wildcard mask, only the bit value for 64 is optional; everything else must match exactly. Since it's being wildcarded against 128, that means that the last bit must be on, the second-to-last bit can be on or off, and all the rest of the values must be off. This means the only possible values in that octet are 128 and 192, which is in line with the example.

    The flaw in your understanding is that you think the 0 bits must be 'on'; that's not the case, they simply have to match the on/off status of the IP that it's being wildcarded against. A 1 means the state of the bit in the original IP is of no consequence.
  • fly351 Member Posts: 360
    Thanks Forsaken, I get it now.
    CCNP :study:
  • Cheesewaffle Member Posts: 20
    Yeah, the main query I had is that I was taught the "Wildcard Mask" is an inverted "Subnet Mask".

    I always thought... why? What is the point....

    So when I came across this website I was quite excited, but then I thought it may be lies/wrong.

    Now I think it's right, but:
    1. Is this practical?
    2. Is there any other difference between Wildcards and Subnets?

    Cheers
  • mikej412 Member Posts: 10,086
    fly351 wrote:
    I have never seen this at the CCNA level
    At the CCNA level they start out simple with "allow only odd numbered host IP Addresses" -- but it depends on what you used to study.
    :mike: Cisco Certifications -- Collect the Entire Set!
  • Forsaken_GA Member Posts: 4,024
    Cheesewaffle wrote:
    So when I came across this website I was quite excited, but then I thought it may be lies/wrong.

    Now I think it's right, but:
    1. Is this practical?
    2. Is there any other difference between Wildcards and Subnets?

    Well, yes, it's practical. The alternative solution is to create multiple ACL statements. Doing it on the one line makes the configuration leaner and lessens processing time, as it doesn't have to go down the line and check until it finds a statement that matches, or gets hit with the implicit deny. The one-liner results in one check: either the IP matches the wildcard mask, or it doesn't.

    Subnet masks identify ranges of IPs. The reverse subnet mask method is the quick and dirty method, and applicable to a lot of situations, but wildcard masking allows for a bit more flexibility.
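A worked check of the rule Forsaken_GA states (a 0 bit in the wildcard must match the base address, a 1 bit is don't-care), added here for this edit and not code from the thread or from the Internetworkpro page. It enumerates the 16 hosts behind `128.15.12.8 64.16.0.3`, shows why fly351's mask `127.240.243.247` is too loose, and also covers peanutnoggin's subtract-from-255 shortcut and mikej412's odd-host case; all function names are my own.

```python
# Added example (not from the thread): wildcard-mask semantics for Cisco-style ACLs.
import ipaddress
from typing import List

ALL_ONES = 0xFFFFFFFF


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(n: int) -> str:
    return str(ipaddress.IPv4Address(n))


def wildcard_from_mask(subnet_mask: str) -> str:
    """peanutnoggin's shortcut: 255.255.255.255 minus the subnet mask."""
    return to_dotted(ALL_ONES ^ to_int(subnet_mask))


def acl_matches(addr: str, base: str, wildcard: str) -> bool:
    """True if addr matches base/wildcard: every 0 bit of the wildcard must
    agree with base, every 1 bit is ignored."""
    care = ~to_int(wildcard) & ALL_ONES          # bits that must match
    return (to_int(addr) & care) == (to_int(base) & care)


def enumerate_matches(base: str, wildcard: str) -> List[str]:
    """All addresses a base/wildcard pair admits, ascending.
    Spreads a counter over the don't-care bit positions; refuses huge sets."""
    w = to_int(wildcard)
    free_bits = [i for i in range(32) if (w >> i) & 1]
    if len(free_bits) > 16:
        raise ValueError("more than 65536 matches; refusing to enumerate")
    fixed = to_int(base) & ~w & ALL_ONES
    out = []
    for k in range(1 << len(free_bits)):
        v = fixed
        for j, bit in enumerate(free_bits):
            if (k >> j) & 1:
                v |= 1 << bit
        out.append(to_dotted(v))
    return sorted(out, key=to_int)


if __name__ == "__main__":
    for host in enumerate_matches("128.15.12.8", "64.16.0.3"):
        print(host)                                # the 16 hosts from the thread
    print(wildcard_from_mask("255.255.255.240"))   # 0.0.0.15
    # odd-numbered hosts only, as in mikej412's CCNA exercise:
    print(acl_matches("10.1.1.7", "0.0.0.1", "255.255.255.254"))   # True
```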