Wildcarding stumperoo

I got a network

192.168.1.0 /29

RangeofHosts[.1-.6]

I only want .5 and .6 to be permitted

I go:

acc 1 permit 192.168.1.4 0.0.0.2

but no luck! What's the right ip add and wildcard that is correct for enabling this

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

MAC_Addy

Just to two ACL's of 192.168.1.4 0.0.0.0 and 192.168.1.5 0.0.0.0

The wildcard indicates that you want to use the full IP address.

Quick question, what learning method are you using?

YFZblu

The correct wildcard declaration for two valid hosts is 0.0.0.3

Edit: After looking at your post further, I see that your increment is 8:

192.168.1.0
.8
.16

I'm not sure how the ACL's would function if you declare a network that doesn't technically exist on the network, or how that would affect everything else. I suppose it's possible that the ACL's don't even pay attention to which networks exist, and if you declare 192.168.1.4/30 it might work just fine. I don't have time to lab that out for you.

Forsaken_GA

You can't match 5 and 6 with a single ACL statement, the binary doesn't work.

00000101 = 5
00000110 = 6

So you have two bits of difference, which means you can wildcard off 6 bits.

192.168.1.5 0.0.0.3 would match .4, .5, .6, and .7. So if you want to only allow .5. and .6, you need two ACL statements with masks of 0.0.0.0, forcing all bits to match.

Now, if you were only trying to allow .4 and .5, then 192.168.1.4 0.0.0.1 would match both, since there's only one bit of difference between them.

YFZblu

@Forsaken - Thanks for the clarification

mguy

Forsaken_GA wrote: »

You can't match 5 and 6 with a single ACL statement, the binary doesn't work.

00000101 = 5
00000110 = 6

So you have two bits of difference, which means you can wildcard off 6 bits.

192.168.1.5 0.0.0.3 would match .4, .5, .6, and .7. So if you want to only allow .5. and .6, you need two ACL statements with masks of 0.0.0.0, forcing all bits to match.

Now, if you were only trying to allow .4 and .5, then 192.168.1.4 0.0.0.1 would match both, since there's only one bit of difference between them.

Thanks.

Wow I need to get the maths right, maybe after CCNA.

mguy

Forsaken_GA wrote: »

You can't match 5 and 6 with a single ACL statement, the binary doesn't work.

00000101 = 5
00000110 = 6

So you have two bits of difference, which means you can wildcard off 6 bits.

192.168.1.5 0.0.0.3 would match .4, .5, .6, and .7. So if you want to only allow .5. and .6, you need two ACL statements with masks of 0.0.0.0, forcing all bits to match.

Now, if you were only trying to allow .4 and .5, then 192.168.1.4 0.0.0.1 would match both, since there's only one bit of difference between them.

Is that 5 right? I thought wildcard increments numbers upwards. 0 with wildcard 3 is 0,1,2,3

networker050184

mguy wrote: »

Thanks.

Wow I need to get the maths right, maybe after CCNA.

You should probably get them right before CCNA! Will make the exam and IP addressing easier in general.

Somnipotent

Use the formula for subnetting with dotted decimal notation to find your wildcard value. However, instead of using 256 - x, where x is your mask value, use 255 instead. This will yield you 1 less than your increment, and the value for your wild card. For example:

255.255.255.248 (/29) would give us 256-248 = 8-2, 6 valid hosts, 2 for net/broadcast.
If I only want 6 hosts to be included/excluded, I would use 255-248=7, where 7 would be my wildcard value.
If I wanted to go more granular with my mask, say I want to include only TWO hosts, then my formula would be 255-252 = 3.

So that leaves us with the following numbers that are valid wildcard values:

255, 127, 63, 31, 15, 7, 3, 1, 0

Think of them as one less the increment:

255, 128, 64, 32, 16, 8, 4, 2, 0

Does that make any sense or does that confuse you?

drkat

If you only need two hosts permitted we can simply use the host keyword in your acl

I guess I should add more here

If you have 192.168.1.0/29

So like you said we have hosts 192.168.1.1 - 192.168.1.6 available for assignment, we only want to permit traffic from the two hosts 192.168.1.5 and 192.168.1.6

We can do this by just permitting the host only using the host keyword, or using 0.0.0.0 wild card mask in 2 statements

the available wildcard masks wont help because they include a range of addresses. You'll need to specify the hosts - but I would design your denys first and then your permit(s) rather than your permits and then denys
0.0.0.1 -- nope
0.0.0.3 -- nope
0.0.0.7 -- nope

spd3432

@drkat -
Why design the denies first?
access-list 1 permit host 192.168.1.5
access-list 1 permit host 192.168.1.6
access-list 1 deny any
Three statements any only allows those two hosts.

Zartanasaurus

mguy wrote: »

Is that 5 right? I thought wildcard increments numbers upwards. 0 with wildcard 3 is 0,1,2,3

Yes it's right. The network portion in the beginning has to start at the network address for that mask.
So just to flip this around, look at 192.168.1.4 255.255.255.252.
If I asked "what's the network address, broadcast address and usable IPs from this range", you'd come back with 192.168.1.4, 192.168.1.7 and 192.168.1.5 - 192.168.1.6. The inverse mask of 255.255.255.252 is 0.0.0.3. You're combining a starting network address with the mask. It doesn't start at 192.168.1.5 it starts at 192.168.1.4. Sure, you can type in permit 192.168.1.5 0.0.0.3 but once you do a show ip access-lists command you'll see it got interpreted properly.

drkat

spd - great question

we'll really want to take a look at what we want to keep out of our network, I'm not so concerned on permits. We can clearly define what we want to not allow people to do then what we want them to do.

For instance say we get a requirement from a customer for:

I need access to my sql server allowed by everyone in accounting and the sales department, EXCEPT Bill who works in both departments in title only and he doesnt need access.

Well if I'm permitting everything and then my deny my ACL is huge!

so if we just deny Bill, we can use a blanket permit for the rest

Now there may be time where it is the other way around, but generally we can approach it from a deny/allow view

This example we need to allow in the middle of the range, so we can permit first.