I need help with ACL

rodrigo081089 · December 2012

I´m doing the exercises from Wendell Odom ICND2 book, at the chapter 7 the question 6 says:

Which of the following access-list commands matches all packets in the range of addresses in subnet 172.16.5.0/25?

a. access-list 1 permit 172.16.0.5 0.0.255.0

b. access-list 1 permit 172.16.4.0 0.0.1.255

c. access-list 1 permit 172.16.5.0

d. access-list 1 permit 172.16.5.0 0.0.0.128

The right answer for me is the "d", but in the book says the right answer is the "b"

Did I it bad, or is the book is wrong?

Thanks

Roguetadhg · December 2012

b.

d: 0.0.0.128 = 172.16.5.0 & 172.16.5.128 only. It's not a range.
b. 0.0.1.255 = 172.16.4.0 - 172.16.5.255

The given range asks for all packets within 5.0 /25= Subnet Mask: 255.255.255.128. IP range which is found with the Subnet Mask means: 172.16.5.0 - 172.16.5.127

172.16.5.0 = 0000 0101.0|000 0000
255.255.255.128 = 1111 1111.1|000 0000. Meaning that the numbers within the mask can't change.

rodrigo081089 · December 2012

Thank you, so when they ask me questions like that, i can´t get the wc changing the bits in binary right?

Because i put the mask in binary:

11111111 11111111 11111111 10000000

and then i´ve change the bits

00000000 00000000 00000000 011111111

MAC_Addy · December 2012

This is an explanation in the answers section as to why it's B. The reason being is that you want an access list in the subnet range.

rodrigo081089 · December 2012

So if i use access-list 1 permit 172.16.4.0 0.0.1.255 is the same if i want use access-list 1 permit 172.16.5.0 0.0.0.127 ?

MAC_Addy · December 2012

No.

0.0.1.255 will block 172.16.4.0 - 172.16.5.255 (subnet range).

0.0.0.127 will block 172.16.5.0 - 172.16.5.127

rodrigo081089 · December 2012

Of course, i explain me bad, i mean 0.0.0.127 is a good wildcard for the subnet 172.16.5.0/25 right? even better than 0.0.1.255

Roguetadhg · December 2012

What is the non-CIDR version of "/25"? That's the subnet mask.
Using the normal IPv4 bit, write out the number of bits, in each octet that /25 represents.

To find the wild-card mask, you just exchange all the 0's and 1's in a subnet mask.
- Simply: 1) If it was a 0; It becomes 1. 2) If it was a 1; it becomes a 0.

Another way: If it's /25. Subtract that from /32 (Which is the CIDR notation for all 1's for an IPv4 address.). You'll get the number of bits that are going to be the WildCard Mask... Right to Left. 32-25 = 7 = /7

Non-CIDR is: 1111 1111.1111 1111.1111 1111.1000 0000
Wild Card Mask:0000 0000.0000 0000.0000 0000.0111 1111

Makes 0.0.0.127 the wildcard mask.

rodrigo081089 · December 2012

Thanks both of you, now I understand this well

Danielh22185 · December 2012

I have always just thought of the wildcard masks as just 1 minus the subnet you are trying to match. So if you are trying to match a /25 which is 128 address, subtract 1 and that gives you 127 for your wildcard. I find sometimes explaining the binary conversion makes it a bit more confusing.

NewInBussines · December 2012

the corect answer is b

I need help with ACL

Comments