Wildcarding stumperoo
mguy
Member Posts: 167 ■■■□□□□□□□
in CCNA & CCENT
I got a network
192.168.1.0 /29
Range of hosts [.1-.6]
I only want .5 and .6 to be permitted
I go:
acc 1 permit 192.168.1.4 0.0.0.2
but no luck! What's the right IP address and wildcard for enabling this?
Comments
MAC_Addy Member Posts: 1,740 ■■■■□□□□□□
Just do two ACLs of 192.168.1.4 0.0.0.0 and 192.168.1.5 0.0.0.0
The wildcard indicates that you want to use the full IP address.
Quick question, what learning method are you using?

2017 Certification Goals: CCNP R/S
YFZblu Member Posts: 1,462 ■■■■■■■■□□
The correct wildcard declaration for two valid hosts is 0.0.0.3
Edit: After looking at your post further, I see that your increment is 8:
192.168.1.0
.8
.16
I'm not sure how the ACLs would function if you declare a network that doesn't technically exist on the network, or how that would affect everything else. I suppose it's possible that the ACLs don't even pay attention to which networks exist, and if you declare 192.168.1.4/30 it might work just fine. I don't have time to lab that out for you.
Forsaken_GA Member Posts: 4,024
You can't match 5 and 6 with a single ACL statement, the binary doesn't work.
00000101 = 5
00000110 = 6
So you have two bits of difference, which means you can wildcard off 6 bits.
192.168.1.5 0.0.0.3 would match .4, .5, .6, and .7. So if you want to only allow .5 and .6, you need two ACL statements with masks of 0.0.0.0, forcing all bits to match.
Now, if you were only trying to allow .4 and .5, then 192.168.1.4 0.0.0.1 would match both, since there's only one bit of difference between them.
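The bit comparison Forsaken_GA describes, worked through as a small Python script. This is an added example, not code from the thread: a wildcard bit of 1 is "don't care", so an entry matches an address exactly when the bits the wildcard leaves as 0 are identical in both. The ACLs and the /29 below are constructed to mirror the question, including the poster's `192.168.1.4 0.0.0.2` attempt, which covers .4 and .6 but skips .5 because bit 1 is the only bit being ignored.

```python
"""Cisco-style wildcard matching for the thread's 192.168.1.0/29 question.

Added example, not code from the forum post. A wildcard bit of 1 means
"don't care"; an ACE matches an address when every bit the wildcard leaves
as 0 is identical in the entry and in the candidate. The ACLs below are
constructed to mirror the thread.
"""
from ipaddress import IPv4Address, IPv4Network

ALL_ONES = 0xFFFFFFFF


def to_int(dotted: str) -> int:
    """'192.168.1.4' -> 32-bit integer."""
    return int(IPv4Address(dotted))


def ace_matches(entry: str, wildcard: str, candidate: str) -> bool:
    """True when `candidate` is covered by the ACE `entry wildcard`."""
    care = ALL_ONES ^ to_int(wildcard)          # bits that must be equal
    return (to_int(entry) & care) == (to_int(candidate) & care)


def matched_hosts(entry: str, wildcard: str, network: str) -> list:
    """Every address of `network` (network/broadcast included) the ACE covers."""
    return [str(a) for a in IPv4Network(network) if ace_matches(entry, wildcard, str(a))]


def evaluate_acl(acl, candidate: str) -> str:
    """First-match evaluation, ending in the implicit deny of a Cisco ACL."""
    for action, entry, wildcard in acl:
        if ace_matches(entry, wildcard, candidate):
            return action
    return "deny"


def permitted_hosts(acl, network: str) -> list:
    """Addresses of `network` that the ACL permits."""
    return [str(a) for a in IPv4Network(network) if evaluate_acl(acl, str(a)) == "permit"]


# Constructed ACLs: the poster's attempt and the two-statement fix.
ATTEMPT = [("permit", "192.168.1.4", "0.0.0.2")]
FIX = [("permit", "192.168.1.5", "0.0.0.0"),
       ("permit", "192.168.1.6", "0.0.0.0")]
LAN = "192.168.1.0/29"

if __name__ == "__main__":
    print("192.168.1.4 0.0.0.2 covers:", matched_hosts("192.168.1.4", "0.0.0.2", LAN))
    print("192.168.1.5 0.0.0.3 covers:", matched_hosts("192.168.1.5", "0.0.0.3", LAN))
    print("192.168.1.4 0.0.0.1 covers:", matched_hosts("192.168.1.4", "0.0.0.1", LAN))
    print("poster's attempt permits:", permitted_hosts(ATTEMPT, LAN))
    print("two host entries permit:", permitted_hosts(FIX, LAN))
```

Running it shows the three cases from the post (`0.0.0.3` from .5 covers .4 through .7, `0.0.0.1` from .4 covers .4 and .5) and that only the two `0.0.0.0` host entries permit exactly .5 and .6, with everything else falling to the implicit deny.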
mguy Member Posts: 167 ■■■□□□□□□□
Forsaken_GA wrote: »
You can't match 5 and 6 with a single ACL statement, the binary doesn't work.
00000101 = 5
00000110 = 6
So you have two bits of difference, which means you can wildcard off 6 bits.
192.168.1.5 0.0.0.3 would match .4, .5, .6, and .7. So if you want to only allow .5 and .6, you need two ACL statements with masks of 0.0.0.0, forcing all bits to match.
Now, if you were only trying to allow .4 and .5, then 192.168.1.4 0.0.0.1 would match both, since there's only one bit of difference between them.

Thanks.
Wow, I need to get the maths right, maybe after CCNA.
mguy Member Posts: 167 ■■■□□□□□□□
Forsaken_GA wrote: »
You can't match 5 and 6 with a single ACL statement, the binary doesn't work.
00000101 = 5
00000110 = 6
So you have two bits of difference, which means you can wildcard off 6 bits.
192.168.1.5 0.0.0.3 would match .4, .5, .6, and .7. So if you want to only allow .5 and .6, you need two ACL statements with masks of 0.0.0.0, forcing all bits to match.
Now, if you were only trying to allow .4 and .5, then 192.168.1.4 0.0.0.1 would match both, since there's only one bit of difference between them.

Is that 5 right? I thought wildcard increments numbers upwards. 0 with wildcard 3 is 0,1,2,3
networker050184 Mod Posts: 11,962 Mod
mguy wrote: »
Thanks.
Wow, I need to get the maths right, maybe after CCNA.

You should probably get them right before CCNA! Will make the exam and IP addressing easier in general.

An expert is a man who has made all the mistakes which can be made.
Somnipotent Member Posts: 384
Use the formula for subnetting with dotted decimal notation to find your wildcard value. However, instead of using 256 - x, where x is your mask value, use 255 instead. This will yield you 1 less than your increment, and the value for your wildcard. For example:
255.255.255.248 (/29) would give us 256-248 = 8-2, 6 valid hosts, 2 for net/broadcast.
If I only want 6 hosts to be included/excluded, I would use 255-248=7, where 7 would be my wildcard value.
If I wanted to go more granular with my mask, say I want to include only TWO hosts, then my formula would be 255-252 = 3.
So that leaves us with the following numbers that are valid wildcard values:
255, 127, 63, 31, 15, 7, 3, 1, 0
Think of them as one less than the increment:
255, 128, 64, 32, 16, 8, 4, 2, 0
Does that make any sense or does that confuse you?

Reading: Internetworking with TCP/IP: Principles, Protocols, and Architecture (D. Comer)
drkat Banned Posts: 703
If you only need two hosts permitted we can simply use the host keyword in your ACL
I guess I should add more here
If you have 192.168.1.0/29
So like you said we have hosts 192.168.1.1 - 192.168.1.6 available for assignment, we only want to permit traffic from the two hosts 192.168.1.5 and 192.168.1.6
We can do this by just permitting the host only using the host keyword, or using 0.0.0.0 wildcard mask in 2 statements
The available wildcard masks won't help because they include a range of addresses. You'll need to specify the hosts - but I would design your denies first and then your permit(s) rather than your permits and then denies
0.0.0.1 -- nope
0.0.0.3 -- nope
0.0.0.7 -- nope
Zartanasaurus Member Posts: 2,008 ■■■■■■■■■□
mguy wrote: »
Is that 5 right? I thought wildcard increments numbers upwards. 0 with wildcard 3 is 0,1,2,3

So just to flip this around, look at 192.168.1.4 255.255.255.252.
If I asked "what's the network address, broadcast address and usable IPs from this range", you'd come back with 192.168.1.4, 192.168.1.7 and 192.168.1.5 - 192.168.1.6. The inverse mask of 255.255.255.252 is 0.0.0.3. You're combining a starting network address with the mask. It doesn't start at 192.168.1.5, it starts at 192.168.1.4. Sure, you can type in permit 192.168.1.5 0.0.0.3 but once you do a show ip access-lists command you'll see it got interpreted properly.

Currently reading:
IPSec VPN Design 44%
Mastering VMWare vSphere 5 42.8%
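Two of the points above in executable form, as an added example rather than code from either poster: Somnipotent's rule that the wildcard octet is 255 minus the mask octet (the inverse mask), and Zartanasaurus's observation that an entry is a starting network address plus a mask, so `192.168.1.5 0.0.0.3` is stored as `192.168.1.4 0.0.0.3`. It also adds a contiguity check, which is the property the poster's `0.0.0.2` lacks. Function names and sample values are constructed for this example.

```python
"""Wildcard arithmetic from the thread: inverse mask, and how IOS stores an ACE.

Added example, not code from the forum posts. It implements Somnipotent's
rule (wildcard octet = 255 - mask octet) and Zartanasaurus's observation
that an entry is a starting network address plus a mask, so
`192.168.1.5 0.0.0.3` is stored as `192.168.1.4 0.0.0.3`. Values are constructed.
"""
from ipaddress import IPv4Address, IPv4Network

ALL_ONES = 0xFFFFFFFF


def wildcard_from_mask(mask: str) -> str:
    """Inverse mask, one octet at a time: 255 - mask octet."""
    return ".".join(str(255 - int(octet)) for octet in mask.split("."))


def wildcard_from_prefix(prefix_len: int) -> str:
    """Same rule from a prefix length, e.g. 29 -> '0.0.0.7'."""
    netmask = IPv4Network(f"0.0.0.0/{prefix_len}").netmask
    return wildcard_from_mask(str(netmask))


def is_contiguous(wildcard: str) -> bool:
    """True when the wildcard is a real inverse mask (a run of 1s at the low end).
    0.0.0.2 is accepted syntax but not contiguous, which is why it skips .5."""
    value = int(IPv4Address(wildcard))
    return (value & (value + 1)) == 0


def normalize_ace(entry: str, wildcard: str) -> str:
    """Zero the 'don't care' bits of the entry; this is the address IOS shows
    for the entry in `show ip access-lists`."""
    care = ALL_ONES ^ int(IPv4Address(wildcard))
    return str(IPv4Address(int(IPv4Address(entry)) & care))


def last_octet_table() -> list:
    """(wildcard value, block size) pairs for the last octet: 255/256 down to 0/1."""
    return [(2 ** n - 1, 2 ** n) for n in range(8, -1, -1)]


if __name__ == "__main__":
    for prefix in (29, 30, 32):
        print(f"/{prefix} -> wildcard {wildcard_from_prefix(prefix)}")
    print("192.168.1.5 0.0.0.3 is stored as",
          normalize_ace("192.168.1.5", "0.0.0.3"), "0.0.0.3")
    print("0.0.0.2 contiguous?", is_contiguous("0.0.0.2"))
    print("last-octet wildcards:", last_octet_table())
```

The table the script prints is Somnipotent's list of valid last-octet values paired with the block each one covers; `normalize_ace` reproduces what `show ip access-lists` displays for the `.5 0.0.0.3` entry.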
drkat Banned Posts: 703
spd - great question
We'll really want to take a look at what we want to keep out of our network, I'm not so concerned on permits. We can clearly define what we want to not allow people to do then what we want them to do.
For instance say we get a requirement from a customer for:
I need access to my SQL server allowed by everyone in accounting and the sales department, EXCEPT Bill who works in both departments in title only and he doesn't need access.
Well, if I'm permitting everything and then my deny, my ACL is huge!
So if we just deny Bill, we can use a blanket permit for the rest
Now there may be times where it is the other way around, but generally we can approach it from a deny/allow view
This example we need to allow in the middle of the range, so we can permit first.