10-10-2023 03:09 AM - edited 10-10-2023 03:17 AM
Hello community
Newbie question: I would like to read a further explanation for the following
What single access list statement matches all of the following networks?
192.168.16.0
192.168.17.0
192.168.18.0
192.168.19.0
A - access-list 10 permit 192.168.16.0 0.0.3.255
B - access-list 10 permit 192.168.16.0 0.0.0.255
C - access-list 10 permit 192.168.16.0 0.0.15.255
D - access-list 10 permit 192.168.0.0 0.0.15.255
Explanation: The ACL statement access-list 10 permit 192.168.16.0 0.0.3.255 will match all four network prefixes. All four prefixes have the same 22 high order bits. (??) These 22 high order bits are matched by the network prefix and wildcard mask of 192.168.16.0 0.0.3.255.
Wouldn't it be option C?
I understood that the number 15 in 0.0.15.255 would include all the IPs starting from that number forward, but I am not sure what to think now. The only thing I can think of is to take that 3 and add it to all the IPs starting from 16 so that all IPs starting from 192.168.20.0 would not be included in the list.
10-10-2023 03:50 AM
Hello @Daniel Céspedes,
to go further, access-list 10 permit 192.168.16.0 0.0.3.255 -- In this statement, the network address is 192.168.16.0, and the wildcard mask is 0.0.3.255. The wildcard mask is used to specify which bits in the IP address should be matched. In a wildcard mask, 0 bits mean "must match exactly," and 1 bits mean "don't care" or "match any."
So, let's analyze this wildcard mask 0.0.3.255:
In binary, 0.0.3.255 is 00000000.00000000.00000011.11111111.
In this mask, the last 8 bits are all 1s, which means "don't care" for the last 8 bits of the IP address.
Now, let's see how this mask matches the given networks:
192.168.16.0: This network's binary representation is 11000000.10101000.00010000.00000000.
The last 8 bits don't matter, so it matches.
192.168.17.0: This network's binary representation is 11000000.10101000.00010001.00000000.
The last 8 bits don't matter, so it matches.
192.168.18.0: This network's binary representation is 11000000.10101000.00010010.00000000.
The last 8 bits don't matter, so it matches.
192.168.19.0: This network's binary representation is 11000000.10101000.00010011.00000000.
The last 8 bits don't matter, so it matches.
So, access-list 10 permit 192.168.16.0 0.0.3.255 indeed matches all of the given networks. Option A is the correct choice.
Option C (access-list 10 permit 192.168.16.0 0.0.15.255) would match more networks than the ones you specified. It would include networks beyond 192.168.19.0, which you wanted to exclude. Therefore, option C is not the correct choice in this case.
10-22-2023 03:07 AM
Thanks for the clear explanation!
10-22-2023 03:18 AM
You're so welcome @Daniel Céspedes
10-10-2023 04:01 AM
If the question is specific to that address space, /22 is the right option in my view.
10-10-2023 05:29 AM
M02@rt37 provides the correct explanation but the value 3, in the third octet, matches 4 networks, starting with your .16.
10-10-2023 06:49 AM - edited 10-22-2023 03:26 AM
BTW, to your actual posted question, BOTH A and C are correct.
A matches 16..19.
C matches 16..31.
If your question included ONLY matches the listed four networks, also assuming they're all /24s, then ONLY A would be correct.
10-22-2023 03:13 AM
Yes, that's right, it seems they only wanted to give access to those four hosts, so option A.
10-10-2023 05:50 AM - edited 10-10-2023 05:51 AM
I agree that option A is the right answer.
0.0.3.255 is the wildcard mask equivalent to subnet mask 255.255.252.0 (/22).
With /22 you will get a block size of 4. Available networks in the 3rd octet: 0, 4, 8, 12, 16, 20, 24
range 192.168.0.0 to 192.168.3.255
192.168.4.0 to 192.168.7.255
192.168.8.0 to 192.168.11.255
192.168.12.0 to 192.168.15.255
192.168.16.0 to 192.168.19.255
192.168.20.0 to 192.168.23.255 and so on...
In the above question, all the mentioned networks (192.168.16.0, 192.168.17.0, 192.168.18.0, 192.168.19.0)
fall in the 5th subnet in the range, which is 192.168.16.0 to 192.168.19.255
Best regards
******* If This Helps, Please Rate *******
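The wildcard matching discussed in the replies above can be checked mechanically. The following is an added example, not code from any poster in this thread: it applies the "0 bits must match, 1 bits are ignored" rule to the four answer options and lists which 192.168.x.0 networks each one matches. The function names are illustrative.

```python
import ipaddress

# The four networks and four answer options quoted in the question.
NETWORKS = ["192.168.16.0", "192.168.17.0", "192.168.18.0", "192.168.19.0"]
OPTIONS = {
    "A": "access-list 10 permit 192.168.16.0 0.0.3.255",
    "B": "access-list 10 permit 192.168.16.0 0.0.0.255",
    "C": "access-list 10 permit 192.168.16.0 0.0.15.255",
    "D": "access-list 10 permit 192.168.0.0 0.0.15.255",
}

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def parse_ace(line):
    """Return (base, wildcard) as integers from a standard ACL statement."""
    fields = line.split()
    return to_int(fields[-2]), to_int(fields[-1])

def matches(line, address):
    """Wildcard 0 bits must equal the base; wildcard 1 bits are ignored."""
    base, wildcard = parse_ace(line)
    care = ~wildcard & 0xFFFFFFFF
    return (to_int(address) & care) == (base & care)

def matched_third_octets(line):
    """Third-octet values x for which 192.168.x.0 is matched."""
    return [x for x in range(256) if matches(line, f"192.168.{x}.0")]

def prefix_length(line):
    """Prefix length if the wildcard is a contiguous inverse mask, else None."""
    _, wildcard = parse_ace(line)
    if wildcard & (wildcard + 1):  # not of the form 0...01...1
        return None
    return 32 - wildcard.bit_length()

def evaluate(line):
    """Return (covers all four listed networks, extra third octets matched)."""
    octets = matched_third_octets(line)
    covers_all = all(matches(line, n) for n in NETWORKS)
    extra = [x for x in octets if f"192.168.{x}.0" not in NETWORKS]
    return covers_all, extra

if __name__ == "__main__":
    for label, line in OPTIONS.items():
        covers_all, extra = evaluate(line)
        print(label, f"/{prefix_length(line)}", "covers all four:", covers_all,
              "extra /24s:", len(extra))
```

When reviewing a permit entry, the list of extra matched networks is the part to look at: it shows how much address space the statement admits beyond what was intended.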