ACL and Wildcard Masks

in CCNA & CCENT
I'm having trouble working out the wildcard mask for an access list.
I have a network 172.16.92.10/21 which I want to deny.
I've worked out that the block size is 8, therefore the networks are:
92.0 - 99.255
100.0 - 107.255
The hosts for the first subnet would be 92.1 - 99.254. As the block size is 8, the wildcard mask would be 0.0.7.255.
In Todd's books the syntax is access-list deny 172.16.88.0 0.0.7.255.
Where does the 88.0 come from?
I thought it would have been 172.16.92.0 0.0.7.255
Thanks
Comments
EdTheLad Member Posts: 2,111
You start at the beginning of the subnet range,
subnets 0,8,16,24....80,88,96
92 is a host in the 88 subnet
Networking, sometimes i love it, mostly i hate it. Its all about the $$$$
Chris_ Member Posts: 326
172.16.92.10/21 is not a subnet; it is an address within the subnet 172.16.88.0, which will run up to 172.16.95.255
How is the question phrased in the book?
Going all out for Voice. Don't worry Data; I'll never forget you
:study: CVoice [X] CIPT 1 [ ] CIPT 2 [ ] CAPPS [ ] TVOICE [ ]
Chris_ Member Posts: 326
Ed beat me to it!
lon21 Member Posts: 201
> 172.16.92.10/21 is not a subnet; it is an address within the subnet 172.16.88.0, which will run up to 172.16.95.255
> How is the question phrased in the book?
Excellent I get it, thanks
"How do you stop access from a single host IP address 172.16.92.10 from access the WAN connection?"
I guess if it was a network address then it would end in .0, correct?
networker050184 Mod Posts: 11,962 Mod
> Excellent I get it, thanks
> "How do you stop access from a single host IP address 172.16.92.10 from access the WAN connection?"
> I guess if it was a network address then it would end in .0, correct?
The network address will not always end in a .0. Just depends on your mask.
If I wanted to deny a single host I'd use a 0.0.0.0 mask personally.
An expert is a man who has made all the mistakes which can be made.
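Added example, not part of any post in this thread: a Python sketch of the arithmetic discussed above, deriving the network address and wildcard mask for 172.16.92.10/21 and applying wildcard matching (0 bit = must match, 1 bit = ignore), including the 0.0.0.0 single-host mask. The function names are hypothetical and the test addresses are constructed.

```python
import ipaddress


def block_start(octet, block_size):
    """Round an octet down to its subnet boundary (a multiple of the block size)."""
    return octet - (octet % block_size)


def acl_entry_for(address_with_prefix):
    """Return (network address, wildcard mask, last address) of the
    subnet that contains the given address."""
    net = ipaddress.ip_interface(address_with_prefix).network
    return str(net.network_address), str(net.hostmask), str(net.broadcast_address)


def acl_matches(base, wildcard, addr):
    """Wildcard semantics: compare only the bits where the wildcard is 0."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    base_bits = int(ipaddress.IPv4Address(base)) & care
    addr_bits = int(ipaddress.IPv4Address(addr)) & care
    return base_bits == addr_bits


if __name__ == "__main__":
    # /21 gives 255.255.248.0, so the block size in the third octet is 256 - 248 = 8.
    print("third-octet boundary for 92:", block_start(92, 256 - 248))

    base, wildcard, last = acl_entry_for("172.16.92.10/21")
    print("ACL entry:", base, wildcard, "covers up to", last)

    # Constructed test addresses: inside the subnet, just past it, and the host itself.
    for addr in ("172.16.88.1", "172.16.92.10", "172.16.95.255", "172.16.96.1"):
        print(addr, "matched by subnet entry:", acl_matches(base, wildcard, addr))

    # With wildcard 0.0.7.255 the low three bits of the third octet are ignored,
    # so a base of 172.16.92.0 covers the same addresses as 172.16.88.0.
    print("92.0 base matches 88.1:", acl_matches("172.16.92.0", "0.0.7.255", "172.16.88.1"))

    # A 0.0.0.0 wildcard compares every bit, so only the single host matches.
    print("host entry matches .10:", acl_matches("172.16.92.10", "0.0.0.0", "172.16.92.10"))
    print("host entry matches .11:", acl_matches("172.16.92.10", "0.0.0.0", "172.16.92.11"))
```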
lon21 Member Posts: 201
Thanks,
I have one more question.
I have a router which has three interfaces.
FastEthernet0/0 172.16.30.1
Serial0/0 172.16.20.2
Serial0/1 172.16.40.1
I have an access list which stops telnet from a host PC
deny tcp host 172.16.10.2 host 172.16.20.2 eq telnet (36 match(es))
permit ip any any (83 match(es))
I'm not able to telnet to 20.2 but I can telnet to 40.1 and 30.1.
Would I have to add a separate access list for each ip address on the router or is there a more pro-active method?
Thanks
phobophile Member Posts: 34
> Thanks,
> I have one more question.
> I have a router which has three interfaces.
> FastEthernet0/0 172.16.30.1
> Serial0/0 172.16.20.2
> Serial0/1 172.16.40.1
> I have an access list which stops telnet from a host PC
> deny tcp host 172.16.10.2 host 172.16.20.2 eq telnet (36 match(es))
> permit ip any any (83 match(es))
> I'm not able to telnet to 20.2 but I can telnet to 40.1 and 30.1.
> Would I have to add a separate access list for each ip address on the router or is there a more pro-active method?
> Thanks
Well, I suppose I should ask - what is it that you are trying to achieve? Do you want to disable remote access to that router from the host? While you could use multiple ACLs to disable telnet access on each interface, it's much more simple to place the ACL on the vty interface.
(config)#access-list 1 deny host 172.16.10.2
(config)#access-list 1 permit any
(config-line)#access-class 1 in