ICND 2, wildcard question for practice test question

2URGSE Member Posts: 220
There are 3 servers in a subnet:

server # 1: 10.10.10.1

server # 2: 10.10.10.2

server # 3: 10.10.10.20


All servers sit behind a router. (R1)

The company would like to allow web connections to server # 3, and has done so with the following access list:

access-list 101 permit tcp any host 10.10.10.20


^^^ I do understand this part, so no problems there.



Next, the company wants to allow only ftp connections to servers 1 and 2.

The following access list is created:

access-list 101 permit tcp 10.10.10.0 0.0.0.3 eq 21

I am trying to understand the process of deriving the correct wildcard for these types of questions.

I do understand the other parts of the access-list without issues.

The question does not provide the subnet mask these servers are on.

This type of question wants to allow connections to a certain range of IPs, so I would like to understand why this wildcard is used so if I see such a question on the test, I know how to tackle it.

Thanks.
A+
Network+
CCENT (formally CCNA certified)
ICE (Imprivata Certified Engineer)

Comments

  • MAC_Addy Member Posts: 1,740
    It says that all servers sit behind Router1. So that is correct.
    2017 Certification Goals:
    CCNP R/S
  • networker050184 Mod Posts: 11,962
    You need to break it down into binary to see what bits match.
    An expert is a man who has made all the mistakes which can be made.
  • 2URGSE Member Posts: 220
    Honestly, there is not enough time on the test to start messing with binary.

    There should be a way to deal with this in decimal, as I deal with all other subnetting questions. (E.g: find the # of hosts, find the # of subnets, design a network ....etc)
  • MAC_Addy Member Posts: 1,740
    There's plenty of time on the test to go through binary if you know how to do it correctly. But since you aren't quite familiar with it, I suggest you practice as much as you can before the big day.

    The more you practice, the more it'll make sense. The more sense it'll make, the quicker you can answer questions on the test.
  • networker050184 Mod Posts: 11,962
    Once you do a few in binary you start getting more comfortable with doing them in your head. Same as with regular subnetting. You just need to write them out and see the why with the 1s and 0s first.

    This one for example we are only concerned with the third octet for the inverse mask.

    .3 = 00000011

    So we know that only the last two bits are variable here. The only matches we have are 00000000 (.0) 00000001 (.1) 00000010 (.2) or 00000011 (.3).

    Now that you know this you will never have to write it down in binary again.
  • 2URGSE Member Posts: 220
    Ok, perhaps I shut down the binary too fast... :D

    So....

    1 = 00000001

    2 = 00000011

    So, are you saying that since the last matching is the 3rd octet, then the wildcard will be 3... is that all there is to it?

    If so, wow, that was easy.
  • Diggs Member Posts: 97
    Can't you just subtract the mask of the network (255.255.255.252 in this case) from all 255's to get the wildcard mask?

    255.255.255.255 - 255.255.255.252 = 0.0.0.3
  • networker050184 Mod Posts: 11,962
    Well you only have to look at the third octet in this one because the rest are all 0s. You just have to go with binary for a while until you get the feel for it.
  • networker050184 Mod Posts: 11,962
    Diggs wrote: »
    Can't you just subtract the mask of the network (255.255.255.252 in this case) from all 255's to get the wildcard mask?

    255.255.255.255 - 255.255.255.252 = 0.0.0.3


    In this case yes you can. What if the wild card was 0.255.0.0? Not always that easy.
  • Diggs Member Posts: 97
    In this case yes you can. What if the wild card was 0.255.0.0? Not always that easy.

    Fair enough but for CCENT / NA exam purposes I doubt you'll see too many questions with those types of examples.

    Just trying to give the OP and whoever else a quicker (or just another) way to calculate the wildcard masks.

    What would the wildcard mask be for 0.255.0.0? Have never seen that before.
  • networker050184 Mod Posts: 11,962
    I think it's best to learn the binary first rather than shortcuts. Get it all figured out and you don't have to worry about relearning it a different way later once you get into more difficult scenarios.
  • 2URGSE Member Posts: 220
    Diggs wrote: »
    Can't you just subtract the mask of the network (255.255.255.252 in this case) from all 255's to get the wildcard mask?

    255.255.255.255 - 255.255.255.252 = 0.0.0.3

    You can, but this particular question did not give a mask.
  • 2URGSE Member Posts: 220
    Well you only have to look at the third octet in this one because the rest are all 0s. You just have to go with binary for a while until you get the feel for it.

    Right, that's what I meant.

    I think I got it.
  • 2URGSE Member Posts: 220
    Diggs wrote: »
    Fair enough but for CCENT / NA exam purposes I doubt you'll see too many questions with those types of examples.

    Just trying to give the OP and whoever else a quicker (or just another) way to calculate the wildcard masks.

    What would the wildcard mask be for 0.255.0.0? Have never seen that before.

    I'd rather know how to solve it, who knows what they will throw at me. If that type of question shows up, and all the answers look the same, I'd rather be prepared so I can move to the next question. :)
  • 2URGSE Member Posts: 220
    I think it's best to learn the binary first rather than shortcuts. Get it all figured out and you don't have to worry about relearning it a different way later once you get into more difficult scenarios.

    I don't dispute that, but I do not use binary that much, only for a select few types of questions, such as this one.

    If you ask me how many subnets and/or how many hosts for a particular address and mask for example, I can do it in my head in about 20 seconds flat without binary.
  • Zartanasaurus Member Posts: 2,008
    2URGSE wrote: »
    I don't dispute that, but I do not use binary that much, only for a select few types of questions, such as this one.

    If you ask me how many subnets and/or how many hosts for a particular address and mask for example, I can do it in my head in about 20 seconds flat without binary.
    So why is "write an inverse mask that matches the addresses 10.10.10.1 and 10.10.10.2" difficult or confusing? I've only skimmed the thread, but from the first post you seem to think that ACLs have something to do with the subnet masks that the hosts are connected to. They don't. You're basically writing a CUSTOM subnet mask to match an arbitrary set of IP addresses.
    Currently reading:
    IPSec VPN Design 44%
    Mastering VMWare vSphere 5 42.8%
  • 2URGSE Member Posts: 220
    So why is "write an inverse mask that matches the addresses 10.10.10.1 and 10.10.10.2" difficult or confusing? I've only skimmed the thread, but from the first post you seem to think that ACLs have something to do with the subnet masks that the hosts are connected to. They don't. You're basically writing a CUSTOM subnet mask to match an arbitrary set of IP addresses.

    I don't recall my ICND2 book explaining the concept of custom masks. Everyone has different learning styles; it took me a while with ACL.

    I do understand that I can subtract the mask from 255.255.255.255 to get my inverse mask; however, this question did not have a mask presented in it, and I wanted to fully understand how they arrived at the answer.

  • Diggs Member Posts: 97
    Figure out the smallest subnet mask that will encompass those IPs and figure out the wildcard mask for that network / subnet mask.

    10.10.10.0 / 29 gives you 8 IPs (10.10.10.0 - 10.10.10.7) and / 30 gives you 4 (10.10.10.0 - 10.10.10.3)
  • Dan-Humphreys Member Posts: 20
    The way I would work this out if I had it in a test would be as follows:

    -Look at the addresses you want to permit, .1 and .2 (I would ignore the first three octets when calculating it as they are the same for both addresses)
    -Now I know I need a mask that permits 4 bits, which are the two hosts in question plus the network address and the broadcast address.
    -To allow 4 bits from a mask you need two binary bits at the end so I've got .252 (Again for this circumstance I just ignore the first 3 octets)
    -To calculate the wildcard mask I just subtract the subnet mask from 255's so the first three will be 0's but I'm still ignoring them as I know this off the top of my head to add in when I put the answer. This however leaves me with .3 for the last octet as 255-252=3 (Even though the way I would do this subtraction would be to take 25(2) from 25(5) 5-2=3, I do this just to simplify everything)

    I don't know if I am explaining myself well but this is how I would work it out.
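Added example, not written by any poster in this thread: the binary reasoning discussed above, generalized to any set of addresses. It derives the tightest wildcard from the bits in which the addresses differ, lists everything the resulting entry matches (useful for spotting addresses an ACL permits beyond the intended hosts), and evaluates a non-contiguous wildcard such as 0.255.0.0. All function names are assumptions of this example, and 10.0.10.20 / 10.77.10.20 are constructed sample addresses.

```python
import ipaddress

MASK32 = 0xFFFFFFFF

def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def _to_str(value):
    return str(ipaddress.IPv4Address(value))

def wildcard_for(addresses):
    """Tightest single (base, wildcard) ACL pair covering every address.

    A wildcard bit of 1 means "don't care", so every bit position in which
    the addresses disagree has to be 1; all other bits stay 0 (must match).
    """
    ints = [_to_int(a) for a in addresses]
    wildcard = 0
    for value in ints[1:]:
        wildcard |= value ^ ints[0]
    return _to_str(ints[0] & ~wildcard & MASK32), _to_str(wildcard)

def wildcard_from_mask(netmask):
    """The 255.255.255.255-minus-mask shortcut, done as a bitwise inversion."""
    return _to_str(~_to_int(netmask) & MASK32)

def acl_matches(base, wildcard, addr):
    """True if addr equals base in every bit the wildcard does not ignore."""
    care = ~_to_int(wildcard) & MASK32
    return (_to_int(addr) ^ _to_int(base)) & care == 0

def matched_addresses(base, wildcard):
    """List every address the entry matches (intended for small wildcards)."""
    w = _to_int(wildcard)
    free = [bit for bit in range(32) if w >> bit & 1]
    fixed = _to_int(base) & ~w & MASK32
    result = []
    for n in range(1 << len(free)):
        value = fixed
        for i, bit in enumerate(free):
            if n >> i & 1:
                value |= 1 << bit
        result.append(_to_str(value))
    return result

if __name__ == "__main__":
    base, wc = wildcard_for(["10.10.10.1", "10.10.10.2"])
    print(base, wc, matched_addresses(base, wc))
    # Non-contiguous wildcard: the whole second octet is ignored.
    print(acl_matches("10.0.10.20", "0.255.0.0", "10.77.10.20"))
```

For servers .1 and .2 the tightest single entry is 10.10.10.0 0.0.0.3, which also matches 10.10.10.0 and 10.10.10.3; two `host` entries are needed to match exactly those two servers.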