ICND 2, wildcard question for practice test question

2URGSE

There are 3 servers in a subnet:

server # 1: 10.10.10.1

server # 2: 10.10.10.2

server # 3: 10.10.10.20

All servers sit behind a router. (R1)

The company would like to allow web connections to server # 3, and has done so with the following access list:

access-list 101 permit tcp any host 10.10.10.20

^^^ I do understand this part, so no problems there.



Next, the company wants to allow only ftp connections to servers 1 and 2.

The following access list is created:

access-list 101 permit tcp 10.10.10.0 0.0.0.3 eq 21

I am trying to understand the process of deriving the correct wildcard in for these types of questions.

I do understand the other parts of the access-list without issues.

The question does not provide the subnet mask these servers are on.

This type of question wants to allow connections to a certain range of IP's, so I would like to understand why this wildcard is used so if I see such question on the test, I know how to tackle it.

Thanks.

MAC_Addy

It says that all server sit behind Router1. So that is correct.

networker050184

You need to break it down into binary to see what bits match.

2URGSE

Honestly, there is not enough time on the test to start messing with binary.

There should be a way to deal with this in decimal, as I deal with all other subnetting questions. (E.g: find the # of hosts, find the # of subnets, design a network ....etc)

MAC_Addy

There's plenty of time on the test to go through binary if you know how to do it correctly. But since you aren't quite familiar with it then I suggest to practice as much as you can before the big day.

The more you practice, the more it'll make sense. The more sense it'll make, the quicker you can answer questions on the test.

networker050184

Once you do a few in binary you start getting more comfortable with doing them in your head. Same as with regular subnetting. You just need to write them out and see the why with the 1s and 0s first.

This one for example we are only concerned with the third octet for the inverse mask.

.3 = 00000011

So we know that only the last two bits are variable here. The only matches we have are 00000000 (.0) 00000001 (.1) 00000010 (.2) or 00000011 (.3).

Now that you know this you will never have to write it down in binary again.

2URGSE

Ok, perhaps I shut down the binary too fast...

So....

1 = 00000001

2 = 00000011

So, are you saying that since the last matching is the 3rd octet, than the wildcard will be 3...........is that all there is to it?

If so, wow, that was easy.

Diggs

Can't you just subtract the mask of the network (255.255.255.252 in this case) from all 255's to get the wildcard mask?

255.255.255.255 - 255.255.255.252 = 0.0.0.3

networker050184

Well you only have to look at the third octet in this one because the rest are all 0s. You just have to go with binary for a while until you get the feel for it.

networker050184

Diggs wrote: »

Can't you just subtract the mask of the network (255.255.255.252 in this case) from all 255's to get the wildcard mask?

255.255.255.255 - 255.255.255.252 = 0.0.0.3

In this case yes you can. What if the wild card was 0.255.0.0? Not always that easy.

Diggs

networker050184 wrote: »

In this case yes you can. What if the wild card was 0.255.0.0? Not always that easy.

Fair enough but for CCENT / NA exam purposes I doubt you'll see too many questions with those types of examples.

Just trying to give the OP and whoever else a quicker (or just another) way to calculate the wildcard masks.

What would the wildcard mask be for 0.255.0.0? Have never seen that before.

networker050184

I think it's best to learn the binary first rather than shortcuts. Get it all figured out and you don't have to worry about relearning it a different way later once you get into more difficult scenarios.

2URGSE

Diggs wrote: »

Can't you just subtract the mask of the network (255.255.255.252 in this case) from all 255's to get the wildcard mask?

255.255.255.255 - 255.255.255.252 = 0.0.0.3

You can, but this particular question did not give a mask.

2URGSE

networker050184 wrote: »

Well you only have to look at the third octet in this one because the rest are all 0s. You just have to go with binary for a while until you get the feel for it.

Right, that's what I meant.

I think I got it.

2URGSE

Diggs wrote: »

Fair enough but for CCENT / NA exam purposes I doubt you'll see too many questions with those types of examples.

Just trying to give the OP and whoever else a quicker (or just another) way to calculate the wildcard masks.

What would the wildcard mask be for 0.255.0.0? Have never seen that before.

I'd rather know how to solve it, who knows what they will throw at me. If that type of question shows up, and all the answers look the same, I'd rather be prepared so I can move to the next question.

2URGSE

networker050184 wrote: »

I think it's best to learn the binary first rather than shortcuts. Get it all figured out and you don't have to worry about relearning it a different way later once you get into more difficult scenarios.

I don't dispute that, but I do not use binary that much, only for a select few types of questions, such as this one.

If you ask me how many subnets and/or how many hosts for a particular address and mask for example, I can do it in my head in about 20 seconds flat without binary.

Zartanasaurus

2URGSE wrote: »

I don't dispute that, but I do not use binary that much, only for a select few types of questions, such as this one.

If you ask me how many subnets and/or how many hosts for a particular address and mask for example, I can do it in my head in about 20 seconds flat without binary.

So why is "write an inverse mask that matches the addresses 10.10.10.1 and 10.10.10.2" difficult or confusing? I've only skimmed the thread, but from the first post you seem to think that ACLs have something to do with the subnet masks that the hosts are connected to. They don't. You're basically writing a CUSTOM subnet mask to match an arbitrary set of IP addresses.

2URGSE

Zartanasaurus wrote: »

So why is "write an inverse mask that matches the addresses 10.10.10.1 and 10.10.10.2" difficult or confusing? I've only skimmed the thread, but from the first post you seem to think that ACLs have something to do with the subnet masks that the hosts are connected to. They don't. You're basically writing a CUSTOM subnet mask to match an arbitrary set of IP addresses.

I don't recall my ICND2 book explaining the concept of custom masks. Everyone have different learning styles, it took me a while with ACL.

I do understand that I can subtract the mask from 255.255.255.255 to get my inverse mask, however, this question, did not have a mask presented in it, and I wanted to fully understand how they arrived at the answer.

Diggs

Figure out the smallest subnet mask that will encompass those IP's and figure out the wildcard mask for that network / subnet mask

10.10.10.0 / 29 gives you 8 IP's (10.10.10.0 - 10.10.10.7) and / 30 gives you 4 (10.10.10.0 - 10.10.10.3)

Dan-Humphreys

The way I would work this out if I had it in a test would be as following;

-Look at the address's you want to permit .1 and .2 (I would ignore the first three octets when calculating it as they are the same for both addresses)
-Now I know I need a mask that permit's 4 bits, which are the two host's in question plus the network address and the broadcast address.
-To allow 4 bits from a mask you need two binary bits at the end so I've got .252 (Again for this circumstance I just ignore the first 3 octets)
-To calculate the wildcard mask I just subtract the subnet mask from 255's so the first three will be 0's but I'm still ignoring them as I know this of the top of my head to add in when I put the answer. This however leaves me with .3 for the last octet as 255-252=3 (Even though they way I would do this subtraction would be to take 25(2) from 25(5) 5-2=3, I do this just to simplify everything)

I don't know if I am explaining myself well but this is how i would work it out.