cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2367
Views
6
Helpful
8
Replies

Network permissions in ACL.

Hello community

Newbie question: I would like to read a further explanation for the following

What single access list statement matches all of the following networks?

192.168.16.0
192.168.17.0
192.168.18.0
192.168.19.0

A - access-list 10 permit 192.168.16.0 0.0.3.255
B - access-list 10 permit 192.168.16.0 0.0.0.255
C - access-list 10 permit 192.168.16.0 0.0.15.255
D - access-list 10 permit 192.168.0.0 0.0.15.255

Explanation: The ACL statement access-list 10 permit 192.168.16.0 0.0.3.255 will match all four network prefixes. All four prefixes have the same 22 high order bits. (??) These 22 high order bits are matched by the network prefix and wildcard mask of 192.168.16.0 0.0.3.255.

Wouldn't it be option C?

I understood that number 15 on 0.0.15.255 would include the all IP's starting from that number forward, but I am now sure what to think now. The only thing I can think of is to take that 3 and add it to the all IP's starting from 16 so that all IP's starting 192.168.20.0 would not be included on the list. 


Daniel
1 Accepted Solution

Accepted Solutions

M02@rt37
VIP
VIP

Hello @Daniel Céspedes,

to go further, access-list 10 permit 192.168.16.0 0.0.3.255 -- In this statement, the network address is 192.168.16.0, and the wildcard mask is 0.0.3.255. The wildcard mask is used to specify which bits in the IP address should be matched. In a wildcard mask, 0 bits mean "must match exactly," and 1 bits mean "don't care" or "match any."

So, let's analyze this wildcard mask 0.0.3.255:

In binary, 0.0.3.255 is 00000000.00000000.00000011.11111111.
In this mask, the last 8 bits are all 1s, which means "don't care" for the last 8 bits of the IP address.


Now, let's see how this mask matches the given networks:

192.168.16.0: This network's binary representation is 11000000.10101000.0001 0000 .00000000.

The last 8 bits don't matter, so it matches.

192.168.17.0: This network's binary representation is 11000000.10101000.0001 0001 .00000000.

The last 8 bits don't matter, so it matches.

192.168.18.0: This network's binary representation is 11000000.10101000.0001 0010 .00000000.

The last 8 bits don't matter, so it matches.

192.168.19.0: This network's binary representation is 11000000.10101000.0001 0011 .00000000.

The last 8 bits don't matter, so it matches.

 

So, access-list 10 permit 192.168.16.0 0.0.3.255 indeed matches all of the given networks. Option A is the correct choice.

Option C (access-list 10 permit 192.168.16.0 0.0.15.255) would match more networks than the ones you specified. It would include networks beyond 192.168.19.0, which you wanted to exclude. Therefore, option C is not the correct choice in this case.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

View solution in original post

8 Replies 8

M02@rt37
VIP
VIP

Hello @Daniel Céspedes,

to go further, access-list 10 permit 192.168.16.0 0.0.3.255 -- In this statement, the network address is 192.168.16.0, and the wildcard mask is 0.0.3.255. The wildcard mask is used to specify which bits in the IP address should be matched. In a wildcard mask, 0 bits mean "must match exactly," and 1 bits mean "don't care" or "match any."

So, let's analyze this wildcard mask 0.0.3.255:

In binary, 0.0.3.255 is 00000000.00000000.00000011.11111111.
In this mask, the last 8 bits are all 1s, which means "don't care" for the last 8 bits of the IP address.


Now, let's see how this mask matches the given networks:

192.168.16.0: This network's binary representation is 11000000.10101000.0001 0000 .00000000.

The last 8 bits don't matter, so it matches.

192.168.17.0: This network's binary representation is 11000000.10101000.0001 0001 .00000000.

The last 8 bits don't matter, so it matches.

192.168.18.0: This network's binary representation is 11000000.10101000.0001 0010 .00000000.

The last 8 bits don't matter, so it matches.

192.168.19.0: This network's binary representation is 11000000.10101000.0001 0011 .00000000.

The last 8 bits don't matter, so it matches.

 

So, access-list 10 permit 192.168.16.0 0.0.3.255 indeed matches all of the given networks. Option A is the correct choice.

Option C (access-list 10 permit 192.168.16.0 0.0.15.255) would match more networks than the ones you specified. It would include networks beyond 192.168.19.0, which you wanted to exclude. Therefore, option C is not the correct choice in this case.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Thanks for  clear explanation!

Daniel

You're so welcome @Daniel Céspedes 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

balaji.bandi
Hall of Fame
Hall of Fame

if the question specific to that address space /22 is the right option as per my views.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Joseph W. Doherty
Hall of Fame
Hall of Fame

M02@rt37 provides the correct explanation but the value 3, in the third octet, matches 4 networks, starting with your .16.

BTW, to your actual posted question, BOTH A and C are correct.

A matches 16..19.

C matches 16..31.

If your question included ONLY matches the listed four networks, also assuming they're all /24s, then ONLY A would be correct.

yes that's right, it seems they only wanted to give access to those four hosts so option A. 

Daniel

Gopinath_Pigili
Spotlight
Spotlight

I agree with option A is the right answer.....

0.0.3.255 is the wildcard mask equivalent to subnet mask 255.255.252.0 (/22)

with /22 ....you will get block size of 4 ......available networks in 3rd octet...0,4,8,12,16,20,24

range 192.168.0.0 to 192.168.3.255

          192.168.4.0 to 192.168.7.255

         192.168.8.0 to 192.168.11.255

         192.168.12.0 to 192.168.15.255

         192.168.16.0 to 192.168.19.255

        192.168.20.0 to 192.168.23.255 and so on...

In the above question...all mention networks...192.168.16.0,192.168.17.0',192.168.18.0,192.168.19.0

will cover  5th subnet in the range which is 192.168.16.0 to 192.168.19.255

 

Best regards
******* If This Helps, Please Rate *******

Review Cisco Networking for a $25 gift card