ACL and Wildcard Masks

I'm having trouble working out the wild card mask for a Access list.

I have a network 172.16.92.10/21 which I want to deny.

I've worked out that the block size is 8 therefore the networks are:
92.0 - 99.255
100.0 - 107.255

The host for the first subnet would be 92.1 - 99.254 as the block size is 8 the wild card mask would be 0.0.7.255.

In Todd books the syntax is access-list deny 172.16.88.0 0.0.7.255.

Where does the 88.0 come from?

I thought it would have been 172.16.92.0 0.0.7.255

Thanks

Find more posts tagged with

SAVE $250 on Your CISCO Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View CISCO Boot Camps

Comments

EdTheLad

You start at the beginning of the subnet range,
subnets 0,8,16,24....80,88,96
92 is a host in the 88 subnet

Chris_

172.16.92.10/21 is not a subnet is an address within the subnet 172.16.88.0 which will run up to 172.16.95.255
How is the question phrased in the book?

Chris_

Ed beat me to it!

lon21

Chris_ wrote: »

172.16.92.10/21 is not a subnet is an address within the subnet 172.16.88.0 which will run up to 172.16.95.255
How is the question phrased in the book?

Excellent I get it, thanks

"How do you stop access from a single host IP address 172.16.92.10 from access the WAN connection?"

I guess the is it was a network address then is would end in .0 correct?

networker050184

lon21 wrote: »

Excellent I get it, thanks

"How do you stop access from a single host IP address 172.16.92.10 from access the WAN connection?"

I guess the is it was a network address then is would end in .0 correct?

The network address will not always end in a .0. Just depends on your mask.

If I wanted to deny a single host I'd use a 0.0.0.0 mask personally.

lon21

Thanks,

I have one more question.

I have a router which has three interfaces.

FastEthernet0/0 172.16.30.1
Serial0/0 172.16.20.2
Serial0/1 172.16.40.1

I have a access list which stops telnet from a host PC

deny tcp host 172.16.10.2 host 172.16.20.2 eq telnet (36 match(es))
permit ip any any (83 match(es))

I'm not able to telnet to 20.2 but I can telnet to 40.1 and 30.1.

Would I have to add a separate access list for each ip address on the router or is there a more pro-active method?

Thanks

phobophile

lon21 wrote: »

Thanks,

I have one more question.

I have a router which has three interfaces.

FastEthernet0/0 172.16.30.1
Serial0/0 172.16.20.2
Serial0/1 172.16.40.1

I have a access list which stops telnet from a host PC

deny tcp host 172.16.10.2 host 172.16.20.2 eq telnet (36 match(es))
permit ip any any (83 match(es))

I'm not able to telnet to 20.2 but I can telnet to 40.1 and 30.1.

Would I have to add a separate access list for each ip address on the router or is there a more pro-active method?

Thanks

Well, I suppose I should ask - what is it that you are trying to achieve? Do you want to disable remote access to that router from the host? While you could use multiple ACLs to disable telnet access on each interface, it's much more simple to place the ACL on the vty interface.

(config)#access-list 1 deny host 172.16.10.2
(config)#access-list 1 permit any

(config-line)#access-class 1 in