Wildcarding stumperoo

mguy Member Posts: 167
I have a network:

192.168.1.0 /29

Range of hosts: .1 - .6

I only want .5 and .6 to be permitted

I go:

acc 1 permit 192.168.1.4 0.0.0.2

but no luck! What's the right IP address and wildcard for enabling this?

Comments

  • MAC_Addy Member Posts: 1,740
    Just do two ACLs: 192.168.1.4 0.0.0.0 and 192.168.1.5 0.0.0.0

    The wildcard indicates that you want to use the full IP address.

    Quick question, what learning method are you using?
    2017 Certification Goals:
    CCNP R/S
  • YFZblu Member Posts: 1,462
    The correct wildcard declaration for two valid hosts is 0.0.0.3

    Edit: After looking at your post further, I see that your increment is 8:

    192.168.1.0
    .8
    .16

    I'm not sure how the ACLs would function if you declare a network that doesn't technically exist on the network, or how that would affect everything else. I suppose it's possible that the ACLs don't even pay attention to which networks exist, and if you declare 192.168.1.4/30 it might work just fine. I don't have time to lab that out for you.
  • Forsaken_GA Member Posts: 4,024
    You can't match 5 and 6 with a single ACL statement; the binary doesn't work.

    00000101 = 5
    00000110 = 6

    So you have two bits of difference, which means you can wildcard off 6 bits.

    192.168.1.5 0.0.0.3 would match .4, .5, .6, and .7. So if you want to only allow .5 and .6, you need two ACL statements with masks of 0.0.0.0, forcing all bits to match.

    Now, if you were only trying to allow .4 and .5, then 192.168.1.4 0.0.0.1 would match both, since there's only one bit of difference between them.
  • YFZblu Member Posts: 1,462
    @Forsaken - Thanks for the clarification
  • mguy Member Posts: 167
    Forsaken_GA wrote: »
    You can't match 5 and 6 with a single ACL statement; the binary doesn't work.

    00000101 = 5
    00000110 = 6

    So you have two bits of difference, which means you can wildcard off 6 bits.

    192.168.1.5 0.0.0.3 would match .4, .5, .6, and .7. So if you want to only allow .5 and .6, you need two ACL statements with masks of 0.0.0.0, forcing all bits to match.

    Now, if you were only trying to allow .4 and .5, then 192.168.1.4 0.0.0.1 would match both, since there's only one bit of difference between them.

    Thanks.

    Wow I need to get the maths right, maybe after CCNA.
  • mguy Member Posts: 167
    Forsaken_GA wrote: »
    You can't match 5 and 6 with a single ACL statement; the binary doesn't work.

    00000101 = 5
    00000110 = 6

    So you have two bits of difference, which means you can wildcard off 6 bits.

    192.168.1.5 0.0.0.3 would match .4, .5, .6, and .7. So if you want to only allow .5 and .6, you need two ACL statements with masks of 0.0.0.0, forcing all bits to match.

    Now, if you were only trying to allow .4 and .5, then 192.168.1.4 0.0.0.1 would match both, since there's only one bit of difference between them.

    Is that 5 right? I thought the wildcard increments numbers upwards. 0 with wildcard 3 is 0, 1, 2, 3.
  • networker050184 Mod Posts: 11,962
    mguy wrote: »
    Thanks.

    Wow I need to get the maths right, maybe after CCNA.


    You should probably get them right before CCNA! Will make the exam and IP addressing easier in general.
    An expert is a man who has made all the mistakes which can be made.
  • Somnipotent Member Posts: 384
    Use the formula for subnetting with dotted decimal notation to find your wildcard value. However, instead of using 256 - x, where x is your mask value, use 255 instead. This will yield one less than your increment, and that is the value for your wildcard. For example:

    255.255.255.248 (/29) would give us 256 - 248 = 8; 8 - 2 = 6 valid hosts, 2 for net/broadcast.
    If I only want 6 hosts to be included/excluded, I would use 255 - 248 = 7, where 7 would be my wildcard value.
    If I wanted to go more granular with my mask, say I want to include only TWO hosts, then my formula would be 255 - 252 = 3.

    So that leaves us with the following numbers that are valid wildcard values:

    255, 127, 63, 31, 15, 7, 3, 1, 0

    Think of them as one less than the increment:

    255, 128, 64, 32, 16, 8, 4, 2, 0

    Does that make any sense or does that confuse you?
    Reading: Internetworking with TCP/IP: Principles, Protocols, and Architecture (D. Comer)
  • drkat Banned Posts: 703
    If you only need two hosts permitted, we can simply use the host keyword in your ACL.

    I guess I should add more here

    If you have 192.168.1.0/29

    So, like you said, we have hosts 192.168.1.1 - 192.168.1.6 available for assignment, and we only want to permit traffic from the two hosts 192.168.1.5 and 192.168.1.6.

    We can do this by just permitting the host only, using the host keyword, or using a 0.0.0.0 wildcard mask in 2 statements.

    The available wildcard masks won't help because they include a range of addresses. You'll need to specify the hosts - but I would design your denies first and then your permit(s), rather than your permits and then denies.
    0.0.0.1 -- nope
    0.0.0.3 -- nope
    0.0.0.7 -- nope
  • spd3432 Member Posts: 224
    @drkat -
    Why design the denies first?
    access-list 1 permit host 192.168.1.5
    access-list 1 permit host 192.168.1.6
    access-list 1 deny any
    Three statements, and it only allows those two hosts.
    ----CCNP goal----
    Route [ ] Studying
    Switch [ ] Next
    Tshoot [ ] Eventually
  • Zartanasaurus Member Posts: 2,008
    mguy wrote: »
    Is that 5 right? I thought wildcard increments numbers upwards. 0 with wildcard 3 is 0,1,2,3
    Yes it's right. The network portion in the beginning has to start at the network address for that mask.
    So just to flip this around, look at 192.168.1.4 255.255.255.252.
    If I asked "what's the network address, broadcast address and usable IPs from this range", you'd come back with 192.168.1.4, 192.168.1.7 and 192.168.1.5 - 192.168.1.6. The inverse mask of 255.255.255.252 is 0.0.0.3. You're combining a starting network address with the mask. It doesn't start at 192.168.1.5 it starts at 192.168.1.4. Sure, you can type in permit 192.168.1.5 0.0.0.3 but once you do a show ip access-lists command you'll see it got interpreted properly.
    Currently reading:
    IPSec VPN Design 44%
    Mastering VMWare vSphere 5​ 42.8%
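The bit arithmetic in Forsaken_GA's and Zartanasaurus's replies (and the 255 - mask shortcut in Somnipotent's) can be checked mechanically. The following is an added example, not code from the thread or from any vendor; the behaviour it models (a 0 wildcard bit must match, a 1 bit is ignored, and the entry's "don't care" bits are cleared to the block's base address) is what the replies describe, and the ACL evaluator assumes the usual first-match-wins order with an implicit deny at the end. The addresses and the three-line ACL are the ones from the thread.

```python
import ipaddress

def to_int(dotted):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))

def to_dotted(n):
    """32-bit integer -> dotted-quad string."""
    return str(ipaddress.IPv4Address(n & 0xFFFFFFFF))

def wildcard_matches(entry_ip, wildcard, candidate):
    """True if candidate matches entry_ip/wildcard: every bit where the wildcard is 0 must agree."""
    care_bits = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(entry_ip) ^ to_int(candidate)) & care_bits == 0

def normalize_entry(entry_ip, wildcard):
    """The address as the router stores it: don't-care bits cleared, e.g. .5 0.0.0.3 -> .4 0.0.0.3."""
    return to_dotted(to_int(entry_ip) & ~to_int(wildcard))

def matched_hosts(entry_ip, wildcard, max_bits=16):
    """Enumerate every address the entry matches (works for non-contiguous wildcards too)."""
    w = to_int(wildcard)
    free_bits = [1 << i for i in range(32) if w >> i & 1]
    if len(free_bits) > max_bits:
        raise ValueError("wildcard matches too many addresses to enumerate")
    base = to_int(entry_ip) & ~w
    hosts = []
    for combo in range(1 << len(free_bits)):          # every subset of the free bits
        offset = sum(b for j, b in enumerate(free_bits) if combo >> j & 1)
        hosts.append(to_dotted(base + offset))
    return sorted(hosts, key=to_int)

def single_entry_for_hosts(hosts):
    """(ip, wildcard) that matches exactly these hosts, or None if one entry cannot.

    The wildcard is the OR of all bit differences; one entry then matches 2^popcount
    addresses, so it is exact only when that count equals the number of hosts.
    """
    ints = sorted({to_int(h) for h in hosts})
    wildcard = 0
    for n in ints:
        wildcard |= ints[0] ^ n
    if (1 << bin(wildcard).count("1")) != len(ints):
        return None
    return to_dotted(ints[0] & ~wildcard), to_dotted(wildcard)

def mask_to_wildcard(mask):
    """Somnipotent's 255 - x per octet is just the bitwise inverse of the subnet mask."""
    return to_dotted(~to_int(mask))

def evaluate_acl(acl, source):
    """acl: list of (action, ip, wildcard). First match wins; unmatched traffic hits the implicit deny."""
    for action, ip, wildcard in acl:
        if wildcard_matches(ip, wildcard, source):
            return action
    return "deny"

# spd3432's three-line ACL; "host x" is the same as "x 0.0.0.0", "any" is "0.0.0.0 255.255.255.255".
HOST_ACL = [
    ("permit", "192.168.1.5", "0.0.0.0"),
    ("permit", "192.168.1.6", "0.0.0.0"),
    ("deny",   "0.0.0.0",     "255.255.255.255"),
]

if __name__ == "__main__":
    print("192.168.1.5 0.0.0.3 is stored as", normalize_entry("192.168.1.5", "0.0.0.3"))
    print("and matches", matched_hosts("192.168.1.5", "0.0.0.3"))
    print("one entry for .5/.6:", single_entry_for_hosts(["192.168.1.5", "192.168.1.6"]))
    print("one entry for .4/.5:", single_entry_for_hosts(["192.168.1.4", "192.168.1.5"]))
    print("/30 wildcard:", mask_to_wildcard("255.255.255.252"))
    for host in ("192.168.1.4", "192.168.1.5", "192.168.1.6", "192.168.1.7"):
        print(host, "->", evaluate_acl(HOST_ACL, host))
```

`single_entry_for_hosts` is the general form of the "two bits of difference" argument: it returns `None` for .5 and .6 because their XOR is 0b11, which forces a 4-address block, but returns `192.168.1.4 0.0.0.1` for .4 and .5. The evaluator shows why the host-keyword ACL is the safe answer: .4 and .7 fall through to the deny even though they sit in the same /30.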
  • drkat Banned Posts: 703
    spd - great question

    We'll really want to take a look at what we want to keep out of our network; I'm not so concerned about permits. We can define what we want to not allow people to do more clearly than what we want them to do.

    For instance say we get a requirement from a customer for:

    I need access to my SQL server allowed by everyone in accounting and the sales department, EXCEPT Bill, who works in both departments in title only and doesn't need access.

    Well, if I'm permitting everything and then denying, my ACL is huge!

    So if we just deny Bill, we can use a blanket permit for the rest.

    Now there may be times where it is the other way around, but generally we can approach it from a deny/allow view.

    This example we need to allow in the middle of the range, so we can permit first.