What do you think the Answer to this is and Why ?

An administrator on a Cisco router wants to use one access list statement to permit a range of IP subnets. The IP subnets are 10.0.4.0/24 through 10.0.7.0/24. Which address and wildcard mask should the administrator use?
(Choose the 1 best answer)
A. 10.0.4.0 0.0.3.255
B. 10.0.4.0 0.0.4.255
C. 10.0.7.0 0.0.255.255
D. 10.0.7.0 0.0.31.255

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

xetrev

a) is my guess

xwesleyxwillisx

The answer is A...

10.0.4.0 is where you want to start...

and the wildcard mask is 0.0.3.255... difficult to explain but I will try...

written in binary form it reads: 00000000.00000000.00000011.11111111

each 0 bit means that bit must match in the source IP address of the packet... and each 1 bit means the bit can be on or off...

so when the router reads: 10.0.4.1 (an example)... it sees this:
00001010.00000000.00000100.00000001

and compares it to this:

00001010.00000000.00000100.00000000

based on this "filter" so to speak:

00000000.00000000.00000011.11111111

Since this packet (10.0.4.1) is from a source on one of the subnets to be permitted... the packet's source address should match the criteria right?...

Let's see...

10.0.4.1 00001010.00000000.00000100.00000001 (packet)

0.0.3.255 00000000.00000000.00000011.11111111 (wildcard)

10.0.4.0 00001010.00000000.00000100.00000000 (subnet)

As you can see... the first 22 bits of the packet match... which is what the wildcard mask required (bolded)... this means the packet would be permitted... This is why A is the correct answer... you can try any IP in the range from 10.0.4.0/24 - 10.0.7.0/24 and it will be permitted...

The process I used is called ANDing... and is how the router processes packets...

Hope that helps!

fusebox

I also agree on (a)

With wildcard masking as done here, you have to remember blocksizes for access-lists. Block sizes can be 4,8,16, 32, and 64.

Seeing the IP range is from 10.0.4.0/24 to 10.0.7.0/24, the range here is 4 subnet blocks. So the command would be (a)

ie:

10.0.4.0 0.0.3.255.

Answers (B) and (C) are invalid because they are not one of the block sizes listed above. (D) is valid but its just too large.

Had the question asked for ip range from 10.0.4.0 to 10.0.9.0 The block size we would need to use would be 8, thus the command would be,

10.0.4.0 0.0.7.255

xetrev

Had the question asked for ip range from 10.0.4.0 to 10.0.9.0 The block size we would need to use would be 8, thus the command would be,

10.0.4.0 0.0.7.255

wouldnt that be 5 blocks? 9-4 = 5 so 10.0.4.0 0.0.5.255

tunerX

Here is the math that Cisco uses in all of its IOS and CatOS releases.

First you do a logical AND to get the start of the range.
0000 0101 | 0000 0000 | 0000 0100 | 0000 0000 = 10.0.4.0
0000 0101 | 0000 0000 | 0000 0111 | 1111 1111 = 10.0.7.255
0000 0101 | 0000 0000 | 0000 0100 | 0000 0000 = 10.0.4.0

Then you do a logical XOR to get the inverse mask.
0000 0101 | 0000 0000 | 0000 0100 | 0000 0000 = 10.0.4.0
0000 0101 | 0000 0000 | 0000 0111 | 1111 1111 = 10.0.7.255
0000 0000 | 0000 0000 | 0000 0011 | 1111 1111 = 0.0.3.255

10.0.4.0 0.0.3.255.

rossonieri#1

10.0.7.0/24 - 10.0.4.0/24 = 0.0.3.255 ( A )

tunerX

rossonieri#1 wrote:

10.0.7.0/24 - 10.0.4.0/24 = 0.0.3.255 ( A )

Doing it that way can get you the correct answer some of the time. And for the CCNA it may work for every question on the test. It does not work for every range and will not get you through the CCDP/CCNP/CCIE R&S written.

What is the inverse mask for the range

10.0.4.0 - 10.0.9.255.

or

10.6.1.0 - 10.10.128.255

rossonieri#1

10.0.4.0 = 0000 1010 | 0000 0000 | 0000 0100 | 0000 0000
10.0.9.255 = 0000 1010 | 0000 0000 | 0000 1001 | 1111 1111 XOR
0000 0000 | 0000 0000 | 0000 1101 | 1111 1111 = 0.0.13.255 ??

10.6.1.0 = 0000 1010 | 0000 0110 | 0000 0001 | 0000 0000
10.10.128.255 = 0000 1010 | 0000 1010 | 1000 0000 | 1111 1111 XOR
0.12.129.255 ??

what is this ?? is it correct??

tunerX

Logical AND gets the start of the range
0000 1010 | 0000 0000 | 0000 0100 | 0000 0000 10.0.4.0
0000 1010 | 0000 0000 | 0000 1001 | 1111 1111 10.0.9.255
0000 1010 | 0000 0000 | 0000 0000 | 0000 0000 10.0.0.0

Logical XOR gets the inverse mask
0000 1010 | 0000 0000 | 0000 0000 | 0000 0000 10.0.0.0
0000 1010 | 0000 0000 | 0000 1001 | 1111 1111 10.0.9.255
0000 0000 | 0000 0000 | 0000 1001 | 1111 1111 0.0.9.255

10.0.0.0 0.0.9.255

According to the AND only the network 10.0.0.0 will satisfy the 10.0.4.0 and 10.0.9.255 range. With this start we get the inverse mask.

AND - You will only get a 1 if all input bits are 1
1+1=1
1+0=0
0+1=0
0+0=0

XOR - You will only get a 1 if the input bits are not the same.
1+1=0
0+1=1
1+0=1
0+0=0

If you are using this for an access-list and onlly want to match the above listed addresses then you need two statements in your access list.

access-list 1 deny 10.0.0.0 0.0.3.255
access-list 1 permit 10.0.0.0 0.0.9.255