range hosts in ACL using wildcard mask

To find the wildcard mask for a range, you take the higher minus the lower:
192.168.2.70
-192.168.2.10

0.0.0.60

access-list 1 permit 192.168.2.10 0.0.0.60

It's been a while for me, so hopefully a more able Cisco person can confirm this.

Sorry, but that ain't gonna work like you think it will.

forbesl wrote:

Sorry, but that ain't gonna work like you think it will.

Then please enlighten me!

You won't be able to permit only that range of IP addresses because in doing so you're trying to cross a subnet mask boundary.

unwritt3n

sprkymrk wrote:

To find the wildcard mask for a range, you take the higher minus the lower:
192.168.2.70
-192.168.2.10
0.0.0.60

access-list 1 permit 192.168.2.10 0.0.0.60

It's been a while for me, so hopefully a more able Cisco person can confirm this.

Im pretty sure thats corrent... ACLs is not a strong area for me, but Ive done it like that in a practice test and got it right.

forbesl wrote:

You won't be able to permit only that range of IP addresses because in doing so you're trying to cross a subnet mask boundary.

Okay, but what is the correct way? You still haven't told us.

EdTheLad

sprkymrk wrote:

forbesl wrote:

You won't be able to permit only that range of IP addresses because in doing so you're trying to cross a subnet mask boundary.

Okay, but what is the correct way? :

You would need 192.168.2.0 0.0.0.127

10 = 00001010
70 = 01000110

The 1 at the left signifies the wildcard so for a range of addresses you need to include the 1 and all bits to the right of the one.

BubbaJ

ed_the_lad wrote:

You would need 192.168.2.0 0.0.0.127

10 = 00001010
70 = 01001100

The 1 at the left signifies the wildcard so for a range of addresses you need to include the 1 and all bits to the right of the one.

That would include the entire range of 192.168.2.1 to 192.168.2.127, which may or may not be a bad thing. If an exact match is needed, it will take several statements.

Of course that would work, however that would permit more than the range he specified to begin with. That wildcard would permit hosts 1 - 126, and not just 10 through 70 as in the question. You're not gonna get a single wildcard mask that will permit (or block) only that range of IP addresses.

sprkymrk:

Do this on a real router:

access-list 1 permit 192.168.2.10 0.0.0.60

Then do this:

sh ip access-list 1

See what it tells you....you'll understand what I'm talking about.

ed_the_lad wrote:

sprkymrk wrote:

forbesl wrote:

You won't be able to permit only that range of IP addresses because in doing so you're trying to cross a subnet mask boundary.

Okay, but what is the correct way? :

You would need 192.168.2.0 0.0.0.127

10 = 00001010
70 = 01001100

The 1 at the left signifies the wildcard so for a range of addresses you need to include the 1 and all bits to the right of the one.

I think that includes more than the 61 hosts in his example of 192.168.2.10-70. I think your example allows access to half the 192.168.10.2 subnet, or about 128 hosts, doesn't it?

Hmmm. I think that each non-zero value must be one less than a power of 2 in order to avoid crossing valid subnets, so real close (easy but not exact) wildcard mask would be:

access-list 1 permit 192.168.2.10 0.0.0.63

Does that seem right?
Doggone wildcard masks...

ed_the_lad wrote:

You would need 192.168.2.0 0.0.0.127

10 = 00001010
70 = 01001100

The 1 at the left signifies the wildcard so for a range of addresses you need to include the 1 and all bits to the right of the one.

does this also mean ip's x.x.2.1 to x.x.2. 128 are affected ?.

could you explain more ?. i understand wildcard masks are counted from right to left, unlike subnet masks and supports un-usual masks like
binary 11000101 = 00111010 wildcard.

EdTheLad

I was only giving you an example since you didnt remember the masks.
If i was feeling energic i could have given an exact match.

This is my solution i am not sure if this is right, please correct me if i am wrong :
1. deny host 0 - 7
2. deny host 8 and 9
3. permit host 0 - 63
4. permit host 64 - 71
5. deny host 71

wildcard mask
1. access list deny 192.168.2.0 0.0.0.7
2.access list deny 192.168.2.0 0.0.0.9
3.access list permit 192.168.2.0 0.0.0.63
4.access list permit 192.168.2.0 0.0.0.71
5.access list deny 192.168.2.71 0.0.0.0

i couldn't find 1 wildcard mask that could permit a range of host 10 - 70. so i think u need five access lists to make that happen. please correct me if i am wrong. as i really want to know if any better solution. Thanks

ed_the_lad wrote:

....i could have given an exact match.

no need for that, this wildcard is making me nuts

. so i need to clear everything before i move to the next chapter.

edit:
and yes, this is for lab practice.

i don't think u can use 1 wildcard mask to specify that range of host in the network. as my solution u need more than 1 wild card mask..

if u are working on a lab now, u can use my solution... i am confident that will work on the router to allow only host range between 10 -70. but i hope if any1 could give me a better solution...

BubbaJ

brAun wrote:

This is my solution i am not sure if this is right, please correct me if i am wrong :
1. deny host 0 - 7
2. deny host 8 and 9
3. permit host 0 - 63
4. permit host 64 - 71
5. deny host 71

wildcard mask
1. access list deny 192.168.2.0 0.0.0.7
2.access list deny 192.168.2.0 0.0.0.9
3.access list permit 192.168.2.0 0.0.0.63
4.access list permit 192.168.2.0 0.0.0.71
5.access list deny 192.168.2.71 0.0.0.0

i couldn't find 1 wildcard mask that could permit a range of host 10 - 70. so i think u need five access lists to make that happen. please correct me if i am wrong. as i really want to know if any better solution. Thanks

This is almost right. The line 2 subnet and wildcard mask are wrong; it needs to be 192.168.2.8 0.0.0.1 to exclude the .8 and .9 addresses. Line 4 needs to be 192.168.64 0.0.0.7 to include .64 to .71. Line 5 needs to be before line 4.

It might be easier to deny all the ranges needed, then permit the enite Class C range.

yup, u are right, but i think line 2 is correct, u can use either my line 2 or deny 192.168.2.8 0.0.0.1. and thank for ur correction....

btw i don't think we will have this type of question in the exam

Thanks brAun and BubbaJ. That makes perfect sense.

sry, i just figure out, ur solution for line 2 is more correct to deny host 8 and 9.
the line 2 that i use was denying 0,1,8 and 9.
thanks for that i have learn something

u are welcome, sprkymrk
i am learning something from this question too

BubbaJ

brAun wrote:

but i think line 2 is correct, u can use either my line 2 or deny 192.168.2.8 0.0.0.1.

No. Look at 9 in binary 1001. There are 2 "don't care" bits. That means it has 4 (2^2) don't care addresses (.0,.1,.8,.9), but you only wnat 2 don't care addresses (.8 and .9) per your logic. Although the other 2 addresses are taken care of by the previous statement, this is a poor practice that can bite you in the butt. Each statement should be as exact as possible. Technically it will work, but I'm willing to bet that it would be counted wrong on a Cisco exam.

I still think it would be better to deny all the ranges you don't want in the Class C network, then permit the entire Class C address range.

yup, that's would be more exactly on host 8 and 9. and its good to know we can count the bits we ignore to know how many host that we deny or permit (2 ^ 2 = 4host).

that's really great,i am learning 1 more thing in here hehehe

thanks BubbaJ

sprkymrk wrote:

Okay, but what is the correct way? You still haven't told us.
:

Oh....you wanted me to give you the answer?

Since you're a CCNA, I just figured you'd be able to do that for yourself.

Yeah, 9 months Cisco Academy and a 1 week boot camp - then all I use are a few dozen Cisco 2950 switches for the past 3 years. I have mentioned many times in the last few weeks of posts that my CCNA expires in November but I probably won't renew it until early next year.

Also, I don't think ACL's (and especially wild card masks) are much more than glossed over or mentioned "in passing" for CCNA.

Anyway, it's been a good refresher. And I did say

sprkymrk wrote:

It's been a while for me, so hopefully a more able Cisco person can confirm this.

I always cover my butt....

Thanks guys.

i really need to know how this wildcard thing work. it seems really confusing.

wildcard bits. 0= exact match, 1=any/ignore
00000000.00000000.00000000.00100000 mean all, except the 27th bit must match

for eg. default wildcard mask of 192.168.0.0 /24 is 0.0.0.255

but if i use blocksize 64 (binary x.x.x.00111111 1+2+4+8+16+32 = 63) with ip's configured using default mask /24

deny 192.168.0.0 0.0.0.63, and permit any, does it mean, it will deny hosts 192.168.0.192 onwards (bin x.x.x.11000000 is exact match) and only allow hosts x.x.x.1 to 191 ?.

if wrong, please explain with binary examples.

EdTheLad

macwhizard wrote:

Thanks guys.

i really need to know how this wildcard thing work. it seems really confusing.

wildcard bits. 0= exact match, 1=any/ignore
00000000.00000000.00000000.00100000 mean all, except the 27th bit must match

for eg. default wildcard mask of 192.168.0.0 /24 is 0.0.0.255

but if i use blocksize 64 (binary x.x.x.00111111 1+2+4+8+16+32 = 63) with ip's configured using default mask /24

deny 192.168.0.0 0.0.0.63, and permit any, does it mean, it will deny hosts 192.168.0.192 onwards (bin x.x.x.11000000 is exact match) and only allow hosts x.x.x.1 to 191 ?.

if wrong, please explain with binary examples.

The 1's in the wildcard masks are wildcards meaning anything in this bit location is acceptable.0 means an absolute match.
If you have deny 192.168.0.0 0.0.0.63
the 63 = 00111111 therefore anything in the last 6 digits will be denied.
it will deny a range 0-63
if you did deny 192.168.0.0 0.0.1.0, the 1 = 00000001 therefore you would deny addresses 192.168.0.x and 192.168.1.x
permit any means allow all, remember an access list is read sequentually which means once a match is found it exits the list.If you put permit any at the start it wouldnt matter want comes next all is allowed.

ed_the_lad wrote:

If you put permit any at the start it wouldnt matter want comes next all is allowed.

And of course the implicit deny any at the end of the ACL means if you have an ACL with a single deny statement but no allow, nothing at all gets through.