ACL and Wildcard Confusion!

dbroder
Level 1

Hi..

I thought I knew this stuff, but now am unsure! :(

If someone could let me know if I'm on the right track and/or provide insight, it would be appreciated.

I created the following extended ACL:

access-list 105 deny ip 172.16.0.0 0.31.255.255 any

access-list 105 permit ip any any

The net effect I want is to allow all traffic except 172.[16-31].*.*. I know the wildcard is a calculation of bits, but am now unsure if I've done this correctly.

Can anyone shed some light and/or post the correct command? Also, I'm interested in a link to a "wildcard mask calculation" URL if anyone has one handy.

Thanks very much!

Darren.

dbroder@capcollege.bc.ca

Accepted Solution

samsam_wang
Level 1

16 00010000

31 00011111

See, the first 4 bits are the same, and the last 4 bits are different. So the net is 00010000, and the wildcard is 00001111.

So your access-list should be

deny 172.16.0.0 0.15.255.255

permit ip any any

For practice, you can try

192.168.1.0 2.0 3.0 to 10.0

then only filter the even or odd ones, or only 3.0, 4.0, 5.0,

etc.


9 Replies


Thanks!

And to continue this thinking, if I wanted to deny 172.[0-31].*.*, I would use:

0 00000000

31 00011111

deny 172.0.0.0 0.31.255.255

..so my original post of:

deny 172.16.0.0 0.31.255.255

..is syntactically incorrect, as you would never have that combination.

I'm guessing that the real 'key' here is to figure out which bits in your range 'stay the same' and this is your network. And then sum up the bits that 'change' and that's your wildcard mask.

Darren

dbroder@capcollege.bc.ca

I'd like to give you one more example.

From 172.16.0.0 to 172.31.0.0, only deny or permit 4 networks; they are

172.16.0.0

172.17.0.0

172.18.0.0

172.19.0.0

Do you know how to do that?

Please post your answer.

deny (or permit) 172.16.0.0 0.3.255.255 should do it.

Hope this helps,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

haha,

Hritter, why do you answer it?

Meanwhile, I guess some stupid guys thought up lots of tricky access-lists, just like

123.85.23.0

45.29.134.0

86.132.29.0

......

(only example, maybe no answer)

and use the minimum number of lines.

I think that is stupid.

In a real network there are no such networks, and even if there were, nobody would use one or two lines to configure that.

haha

Just saw the question and didn't really read the whole thread ;o)

Harold Ritter

Are you always online?

You gave me a lot of help before, thanks.

I spend too much time online. I have no life ;o)

Always a pleasure to help.

Harold Ritter

For me, I bought a good LCD monitor, the best mouse and the best keyboard, then I'm ready to surf.

Right now the second finger of my right hand is always shaking; I have to use my left hand. And my back is sore. That is a part of CCIE preparation.

In my opinion, being online is a part of life too. But just treat yourself better; don't stare at the screen all day.

For me, there is no life online now. It is really difficult to prepare for it.

Thanks again.