Is this correct regarding Wildcard Masks?
Cheesewaffle (Member, Posts: 20)
in CCNA & CCENT

Mainly the last section "Example #2 (Medium)"
Wildcard masks - Internetworkpro
Much Appreciated
Comments
peanutnoggin (Member, Posts: 1,096)
IMO... the easiest way to determine your wildcard mask is to subtract your subnet mask from all 255s. As an example... if your network is 192.168.1.0 /28 and you want to write an ACL for this network, you would subtract 255.255.255.240 from 255.255.255.255:

  255.255.255.255
- 255.255.255.240
  0.  0.  0. 15  --> this would be your wildcard mask.

I couldn't pull up the link... so I hope this helps some!
V/r
~Peanut
We cannot have a superior democracy with an inferior education system!
-Mayor Cory Booker
losso (Member, Posts: 2)
I think what he's trying to determine is the more advanced option.
In
Access-list 101 permit tcp 10.0.0.0 0.255.255.255 128.15.12.8 64.16.0.3 eq 80
is 65.16.0.3 a valid wildcard mask?
I know subnet masks have to be 128, 192, 224, etc. and follow in order of the bits, e.g. you can't have 11111111.00001111 as octets in a subnet mask. Is this the inverse case for wildcards? I.e. you cannot have 00001111.00011111.00011111.00001111 but you can have 00000000.00000000.00000111.11111111??
fly351 (Member, Posts: 360)
Given the information we have so far we can come up with the following wildcard mask: 64.16.0.3. When we compare 128.15.12.8 with wildcard mask 64.16.0.3 we see that we can only come up with the 16 networks defined above, thus the final ACL would be: Access-list 101 permit tcp 10.0.0.0 0.255.255.255 128.15.12.8 64.16.0.3 eq 80
Unless that is some off-the-wall CCIE-level craziness... then yes, it's wrong.
CCNP :study:
Forsaken_GA (Member, Posts: 4,024)
fly351 wrote:
  Given the information we have so far we can come up with the following wildcard mask: 64.16.0.3. When we compare 128.15.12.8 with wildcard mask 64.16.0.3 we see that we can only come up with the 16 networks defined above, thus the final ACL would be: Access-list 101 permit tcp 10.0.0.0 0.255.255.255 128.15.12.8 64.16.0.3 eq 80
  Unless that is some off-the-wall CCIE-level craziness... then yes, it's wrong.
It's not wrong. Look at the actual example as to what they're trying to accomplish. He wants to ensure that one network can access a very particular number of IPs, and to do it in as few ACL statements as possible. It's a good exercise in binary bit masking.
fly351 (Member, Posts: 360)
Forsaken_GA wrote:
  It's not wrong. Look at the actual example as to what they're trying to accomplish. He wants to ensure that one network can access a very particular number of IPs, and to do it in as few ACL statements as possible. It's a good exercise in binary bit masking.
I was wrong... I have never seen this at the CCNA level... however, I am still studying so maybe I haven't gotten to that part yet.
CCNP :study:
fly351 (Member, Posts: 360)
So my instructor had taught me the "subtract from 255.255.255.255" method, which is why I never saw/read this before.
I am a little confused though on how the wildcard mask in example 2 works.
To permit access, the 0 bits must be on, and the 1 bits do not matter.
Access-list 101 permit tcp 10.0.0.0 0.255.255.255 128.15.12.8 64.16.0.3 eq 80
I think it's wrong.. here is what I broke into binary:
10000000.00001111.00001100.00001000 - 128.15.12.8
10000000.00001111.00001100.00001001 - 128.15.12.9
10000000.00001111.00001100.00001010 - 128.15.12.10
10000000.00001111.00001100.00001011 - 128.15.12.11
11000000.00001111.00001100.00001000 - 192.15.12.8
11000000.00001111.00001100.00001001 - 192.15.12.9
11000000.00001111.00001100.00001010 - 192.15.12.10
11000000.00001111.00001100.00001011 - 192.15.12.11
10000000.00011111.00001100.00001000 - 128.31.12.8
10000000.00011111.00001100.00001001 - 128.31.12.9
10000000.00011111.00001100.00001010 - 128.31.12.10
10000000.00011111.00001100.00001011 - 128.31.12.11
11000000.00011111.00001100.00001000 - 192.31.12.8
11000000.00011111.00001100.00001001 - 192.31.12.9
11000000.00011111.00001100.00001010 - 192.31.12.10
11000000.00011111.00001100.00001011 - 192.31.12.11
01111111.11110000.11110011.11110111 - 127.240.243.247 (my wildcard mask)
01000000.00010000.00000000.00000011 - 64.16.0.3 (the example's wildcard mask)
Am I wrong??
CCNP :study:
Forsaken_GA (Member, Posts: 4,024)
Yes, you're wrong.
When wildcard masking, a 0 means the bit must match, and a 1 means it doesn't matter whether it's on or not.
With your wildcard mask, the only requirement is that the first bit must be on. So the first octet of your wildcard mask will match on values from 128 to 255.
In the example's wildcard mask, only the bit value for 64 is optional; everything else must match exactly. Since it's being wildcarded against 128, that means that the last bit must be on, and the second-to-last bit can be on or off, and all the rest of the values must be off. This means the only possible values on that octet are 128 and 192, which is in line with the example.
The flaw in your understanding is that you think the 0 bits must be 'on'; that's not the case, they simply have to match the on/off status on the IP that it's being wildcarded against. A 1 means the state of the bit in the original IP is of no consequence.
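The bit-matching rule in the reply above, together with peanutnoggin's "subtract from 255.255.255.255" shortcut from earlier in the thread, in working code. This is an added example; it is not code from the thread or from the linked Internetworkpro page. The function names (wildcard_from_prefix, matches, canonical, match_count, expand) and the enumeration cap of 4096 addresses are my own choices; the sample addresses and masks are the ones discussed above.

```python
"""Cisco-style wildcard mask arithmetic (added example, not from the thread).

A wildcard bit of 0 means the packet's bit must equal the ACL address bit;
a wildcard bit of 1 means "don't care". Nothing requires the 1 bits to be
contiguous, which is what makes '128.15.12.8 64.16.0.3' a legal entry.
"""
from __future__ import annotations

import ipaddress

ALL_ONES = 0xFFFFFFFF


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _to_str(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def wildcard_from_prefix(prefix_len: int) -> str:
    """peanutnoggin's method: 255.255.255.255 minus the subnet mask of a /prefix."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    subnet_mask = (ALL_ONES << (32 - prefix_len)) & ALL_ONES
    return _to_str(ALL_ONES - subnet_mask)  # identical to ALL_ONES ^ subnet_mask


def matches(addr: str, acl_addr: str, wildcard: str) -> bool:
    """True if addr is covered by the ACL entry 'acl_addr wildcard'.

    Only the bits where the wildcard is 0 are compared; XOR finds the
    differing bits and the 'care' mask throws away the don't-care ones.
    """
    care = ALL_ONES ^ _to_int(wildcard)  # 1 where the bit must match
    return (_to_int(addr) ^ _to_int(acl_addr)) & care == 0


def canonical(acl_addr: str, wildcard: str) -> str:
    """Clear the don't-care bits of the ACL address.

    Two entries with the same canonical address and the same wildcard match
    exactly the same hosts, so this is a quick way to spot duplicate entries.
    """
    care = ALL_ONES ^ _to_int(wildcard)
    return _to_str(_to_int(acl_addr) & care)


def match_count(wildcard: str) -> int:
    """Number of addresses an entry matches: 2 ** (number of 1 bits)."""
    return 1 << bin(_to_int(wildcard)).count("1")


def expand(acl_addr: str, wildcard: str, limit: int = 4096) -> list[str]:
    """Enumerate every address matched by 'acl_addr wildcard', ascending.

    Refuses to enumerate masks that cover more than `limit` addresses so an
    accidental '0.255.255.255' does not produce 16 million strings.
    """
    if match_count(wildcard) > limit:
        raise ValueError("too many addresses to enumerate")
    wc = _to_int(wildcard)
    base = _to_int(canonical(acl_addr, wildcard))
    free_bits = [1 << i for i in range(32) if wc >> i & 1]
    result = []
    for combo in range(1 << len(free_bits)):
        value = base
        for i, bit in enumerate(free_bits):
            if combo >> i & 1:
                value |= bit
        result.append(_to_str(value))
    return sorted(result, key=_to_int)


if __name__ == "__main__":
    print("/28 wildcard:", wildcard_from_prefix(28))
    print("128.15.12.8 64.16.0.3 matches", match_count("64.16.0.3"), "hosts:")
    for host in expand("128.15.12.8", "64.16.0.3"):
        print("  ", host)
    # fly351's inverted mask covers 2**24 addresses, 255.255.255.255 included
    print("127.240.243.247 matches", match_count("127.240.243.247"), "hosts")
    print("255.255.255.255 matched:",
          matches("255.255.255.255", "128.15.12.8", "127.240.243.247"))
```

Running it lists exactly the 16 hosts fly351 worked out by hand, and shows why his 127.240.243.247 mask is the opposite of what he wanted: it leaves 24 bits as don't-care, so it covers 2^24 addresses, 255.255.255.255 among them. The canonical() check is worth keeping around when reviewing ACLs: 192.31.12.11 64.16.0.3 and 128.15.12.8 64.16.0.3 canonicalise to the same entry and permit the same hosts, which is easy to miss when reading a long list by eye.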
Cheesewaffle (Member, Posts: 20)
Yeah, the main query I had is that I was taught the "Wildcard Mask" is an inverted "Subnet Mask".
I always thought... why? What is the point....
So when I came across this website I was quite excited, but then I thought it may be lies/wrong.
Now I think it's right, but:
1. Is this practical?
2. Is there any other difference between wildcards and subnets?
Cheers
mikej412 (Member, Posts: 10,086)
fly351 wrote:
  I never seen this at the CCNA level
:mike:
Cisco Certifications -- Collect the Entire Set!
Forsaken_GA (Member, Posts: 4,024)
Cheesewaffle wrote:
  So when I came across this website I was quite excited, but then I thought it may be lies/wrong.
  Now I think it's right, but:
  1. Is this practical?
  2. Is there any other difference between wildcards and subnets?
Well, yes, it's practical. The alternative solution is to create multiple ACL statements. Doing it on the one line makes the configuration leaner and lessens processing time, as it doesn't have to go down the list and check until it finds a statement that matches, or gets hit with the implicit deny. The one-liner results in one check: either the IP matches the wildcard mask, or it doesn't.
Subnet masks identify ranges of IPs. The reverse subnet mask method is the quick-and-dirty method, and applicable to a lot of situations, but wildcard masking allows for a bit more flexibility.