What do you think the answer to this is, and why?

KMAN24 Member Posts: 44
An administrator on a Cisco router wants to use one access list statement to permit a range of IP subnets. The IP subnets are 10.0.4.0/24 through 10.0.7.0/24. Which address and wildcard mask should the administrator use?
(Choose the 1 best answer)
A. 10.0.4.0 0.0.3.255
B. 10.0.4.0 0.0.4.255
C. 10.0.7.0 0.0.255.255
D. 10.0.7.0 0.0.31.255

Comments

  • xetrev Member Posts: 59
    a) is my guess
  • xwesleyxwillisx Member Posts: 158
    The answer is A...

    10.0.4.0 is where you want to start...

    and the wildcard mask is 0.0.3.255... difficult to explain but I will try...

    written in binary form it reads: 00000000.00000000.00000011.11111111

    each 0 bit means that bit must match in the source IP address of the packet... and each 1 bit means the bit can be on or off...

    so when the router reads: 10.0.4.1 (an example)... it sees this:
    00001010.00000000.00000100.00000001

    and compares it to this:

    00001010.00000000.00000100.00000000

    based on this "filter" so to speak:

    00000000.00000000.00000011.11111111

    Since this packet (10.0.4.1) is from a source on one of the subnets to be permitted... the packet's source address should match the criteria right?...

    Let's see...

    10.0.4.1 00001010.00000000.00000100.00000001 (packet)

    0.0.3.255 00000000.00000000.00000011.11111111 (wildcard)

    10.0.4.0 00001010.00000000.00000100.00000000 (subnet)

    As you can see... the first 22 bits of the packet match... which is what the wildcard mask required (bolded)... this means the packet would be permitted... This is why A is the correct answer... you can try any IP in the range from 10.0.4.0/24 - 10.0.7.0/24 and it will be permitted...

    The process I used is called ANDing... and is how the router processes packets...

    Hope that helps!
  • fusebox Member Posts: 87
    I also agree on (a)

    With wildcard masking as done here, you have to remember block sizes for access lists. Block sizes can be 4, 8, 16, 32, and 64.

    Seeing the IP range is from 10.0.4.0/24 to 10.0.7.0/24, the range here is 4 subnet blocks. So the command would be (a)

    ie:

    10.0.4.0 0.0.3.255.

    Answers (B) and (C) are invalid because they are not one of the block sizes listed above. (D) is valid but it's just too large.

    Had the question asked for IP range from 10.0.4.0 to 10.0.9.0, the block size we would need to use would be 8, thus the command would be,

    10.0.4.0 0.0.7.255
    I'm a newbie.... please be easy on me.
  • xetrev Member Posts: 59
    Had the question asked for IP range from 10.0.4.0 to 10.0.9.0, the block size we would need to use would be 8, thus the command would be,

    10.0.4.0 0.0.7.255

    Wouldn't that be 5 blocks? 9-4 = 5, so 10.0.4.0 0.0.5.255
  • tunerX Member Posts: 447
    Here is the math that Cisco uses in all of its IOS and CatOS releases.

    First you do a logical AND to get the start of the range.
    0000 0101 | 0000 0000 | 0000 0100 | 0000 0000 = 10.0.4.0
    0000 0101 | 0000 0000 | 0000 0111 | 1111 1111 = 10.0.7.255
    0000 0101 | 0000 0000 | 0000 0100 | 0000 0000 = 10.0.4.0

    Then you do a logical XOR to get the inverse mask.
    0000 0101 | 0000 0000 | 0000 0100 | 0000 0000 = 10.0.4.0
    0000 0101 | 0000 0000 | 0000 0111 | 1111 1111 = 10.0.7.255
    0000 0000 | 0000 0000 | 0000 0011 | 1111 1111 = 0.0.3.255

    10.0.4.0 0.0.3.255.
  • rossonieri#1 Member Posts: 799
    10.0.7.0/24 - 10.0.4.0/24 = 0.0.3.255 ( A )
    the More I know, that is more and More I don't know.
  • tunerX Member Posts: 447
    10.0.7.0/24 - 10.0.4.0/24 = 0.0.3.255 ( A )

    Doing it that way can get you the correct answer some of the time. And for the CCNA it may work for every question on the test. It does not work for every range and will not get you through the CCDP/CCNP/CCIE R&S written.

    What is the inverse mask for the range

    10.0.4.0 - 10.0.9.255.

    or

    10.6.1.0 - 10.10.128.255
  • rossonieri#1 Member Posts: 799
    10.0.4.0 = 0000 1010 | 0000 0000 | 0000 0100 | 0000 0000
    10.0.9.255 = 0000 1010 | 0000 0000 | 0000 1001 | 1111 1111 XOR
    0000 0000 | 0000 0000 | 0000 1101 | 1111 1111 = 0.0.13.255 ??

    10.6.1.0 = 0000 1010 | 0000 0110 | 0000 0001 | 0000 0000
    10.10.128.255 = 0000 1010 | 0000 1010 | 1000 0000 | 1111 1111 XOR
    0.12.129.255 ??

    What is this?? Is it correct??
    the More I know, that is more and More I don't know.
  • tunerX Member Posts: 447
    Logical AND gets the start of the range
    0000 1010 | 0000 0000 | 0000 0100 | 0000 0000 10.0.4.0
    0000 1010 | 0000 0000 | 0000 1001 | 1111 1111 10.0.9.255
    0000 1010 | 0000 0000 | 0000 0000 | 0000 0000 10.0.0.0

    Logical XOR gets the inverse mask
    0000 1010 | 0000 0000 | 0000 0000 | 0000 0000 10.0.0.0
    0000 1010 | 0000 0000 | 0000 1001 | 1111 1111 10.0.9.255
    0000 0000 | 0000 0000 | 0000 1001 | 1111 1111 0.0.9.255

    10.0.0.0 0.0.9.255

    According to the AND only the network 10.0.0.0 will satisfy the 10.0.4.0 and 10.0.9.255 range. With this start we get the inverse mask.

    AND - You will only get a 1 if all input bits are 1
    1+1=1
    1+0=0
    0+1=0
    0+0=0

    XOR - You will only get a 1 if the input bits are not the same.
    1+1=0
    0+1=1
    1+0=1
    0+0=0

    If you are using this for an access-list and only want to match the above listed addresses then you need two statements in your access list.

    access-list 1 deny 10.0.0.0 0.0.3.255
    access-list 1 permit 10.0.0.0 0.0.9.255
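
An added example (not written by any poster in this thread): a Python check of what an address/wildcard pair actually matches compared with the range it was meant to cover, plus the tightest single entry and the exact multi-entry cover for a range. The function names `audit`, `single_cover` and `exact_entries` are made up for this illustration.

```python
import ipaddress

MASK32 = 0xFFFFFFFF

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def audit(base, wildcard, first, last):
    """Compare one ACL entry with the intended range first..last (inclusive).

    Returns how many intended addresses the entry misses and how many
    addresses outside the range it matches as well."""
    w = to_int(wildcard)
    care = ~w & MASK32                       # 0 bits in the wildcard must match
    want = to_int(base) & care
    lo, hi = to_int(first), to_int(last)
    hit = sum(1 for a in range(lo, hi + 1) if (a & care) == want)
    matched_total = 1 << bin(w).count("1")   # each wildcard 1 bit doubles the match set
    return {"missed": (hi - lo + 1) - hit, "extra": matched_total - hit}

def single_cover(first, last):
    """Tightest single (address, wildcard) pair that matches all of first..last."""
    lo, hi = to_int(first), to_int(last)
    # Wildcard every bit from the highest differing bit downwards.
    w = (1 << (lo ^ hi).bit_length()) - 1
    return (str(ipaddress.IPv4Address(lo & ~w & MASK32)),
            str(ipaddress.IPv4Address(w)))

def exact_entries(first, last):
    """Address/wildcard pairs that together match first..last and nothing else."""
    nets = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [(str(n.network_address), str(n.hostmask)) for n in nets]

if __name__ == "__main__":
    # The four answer options from the question, checked against 10.0.4.0/24..10.0.7.0/24.
    for base, wc in [("10.0.4.0", "0.0.3.255"), ("10.0.4.0", "0.0.4.255"),
                     ("10.0.7.0", "0.0.255.255"), ("10.0.7.0", "0.0.31.255")]:
        print(base, wc, audit(base, wc, "10.0.4.0", "10.0.7.255"))
    # The follow-up range from the thread, 10.0.4.0 - 10.0.9.255.
    print("single entry:", single_cover("10.0.4.0", "10.0.9.255"))
    print("exact cover: ", exact_entries("10.0.4.0", "10.0.9.255"))
    print(audit("10.0.0.0", "0.0.9.255", "10.0.4.0", "10.0.9.255"))
```

An entry whose `extra` count is above zero applies to addresses outside the range it was written for, and a non-zero `missed` count means part of the intended range falls through to later statements.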