Wild Card Mask Simple Question

cigalahgroup
Level 1

I have a small network, 192.168.1.0, which also has internet access; we have an L2 switch and all users are in VLAN 1.

 

I would like to block internet access for the whole network except 20 users, from 192.168.1.1 to 192.168.1.20.

 

To achieve this, I first bound all 20 users' MAC addresses to their IPs and created an ACL.

I have trouble with the ACL statements.

 

Please help.

9 Replies

Giuseppe Larosa
Hall of Fame

Hello,

you need to convert the last byte of each address to binary.

You can match the first users, 1-15, with an ACL statement like

access-list 11 permit 192.168.1.0 0.0.0.15

 

This means that the last four bits are wildcard bits, and it matches 192.168.1.0-15.

In order to match the other addresses you need to note that all of them are greater than 16 in the last byte:

16= 0001 0000

17 =0001 0001

18 =0001 0010

19= 0001 0011

So these 4 hosts are matched by the following statement:

access-list 11 permit 192.168.1.16 0.0.0.3

Finally, you can match the IP address 192.168.1.20 with

access-list 11 permit 192.168.1.20 0.0.0.0

or

access-list 11 permit host 192.168.1.20

 

Your ACL will be formed of three statements, and all of these will be allowed to be translated by NAT:

ip nat inside source list 11 interface <WAN> overload

 

There is no single statement matching the range of IP addresses because it is not a power of two.

 

Hope to help

Giuseppe

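The splitting Giuseppe does by hand above (find the largest aligned power-of-two block, emit it, move on) is a general algorithm, and it pays to automate it before typing statements into a router. The Python below is an added example, not code from the thread or from Cisco; the function names (`wildcard_blocks`, `acl_lines`, `same_as_stdlib`) and the cross-check against the standard library's `ipaddress.summarize_address_range` are my own choices. It also shows a caveat worth knowing: the three-line answer starts at 192.168.1.0, not .1, so it permits the .0 address as well. In a /24 that is the network address and cannot be a host, so it is harmless here, but an exact .1-.20 range needs six statements, not three.

```python
import ipaddress
from typing import List, Tuple


def wildcard_blocks(first: str, last: str) -> List[Tuple[str, str]]:
    """Decompose the inclusive IPv4 range first..last into the fewest
    aligned power-of-two blocks, each returned as (network, wildcard).

    A Cisco wildcard mask is the bitwise inverse of a subnet mask: a 1 bit
    means "don't care", so one statement can only cover an aligned block
    whose size is a power of two (the point made in the post above).
    """
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError("first address must not be above last")
    blocks = []
    cur = lo
    while cur <= hi:
        # Grow the block while it stays aligned at cur and still fits under hi.
        size = 1
        while cur % (size * 2) == 0 and cur + size * 2 - 1 <= hi:
            size *= 2
        blocks.append((str(ipaddress.IPv4Address(cur)),
                       str(ipaddress.IPv4Address(size - 1))))
        cur += size
    return blocks


def acl_lines(number: int, action: str, first: str, last: str) -> List[str]:
    """Render the blocks as IOS standard-ACL statements ('host' for /32s)."""
    lines = []
    for net, wc in wildcard_blocks(first, last):
        if wc == "0.0.0.0":
            lines.append(f"access-list {number} {action} host {net}")
        else:
            lines.append(f"access-list {number} {action} {net} {wc}")
    return lines


def same_as_stdlib(first: str, last: str) -> bool:
    """Cross-check: ipaddress.summarize_address_range yields the same aligned
    blocks as CIDR networks; a network's hostmask is its wildcard mask."""
    std = [(str(n.network_address), str(n.hostmask))
           for n in ipaddress.summarize_address_range(
               ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))]
    return std == wildcard_blocks(first, last)


if __name__ == "__main__":
    # Hypothetical scenario from the thread: 20 users, starting at .0 vs .1.
    for rng in (("192.168.1.0", "192.168.1.20"), ("192.168.1.1", "192.168.1.20")):
        print(f"# {rng[0]} - {rng[1]} ({len(wildcard_blocks(*rng))} statements)")
        for line in acl_lines(11, "permit", *rng):
            print(line)
```

Run it and compare the two listings: the .0-.20 range reproduces the three statements above, while .1-.20 needs /32, /31, /30, /29, /30 and /32 blocks. Decide which range you actually mean before choosing.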
 

I am not able to understand what you mentioned above. The simplest way would be to give me the exact statements for my scenario; then I would ask more questions if I don't understand.

Hello,

Short answer: your ACL is made of three lines to match the desired address range:

 

access-list 11 permit 192.168.1.0 0.0.0.15

access-list 11 permit 192.168.1.16 0.0.0.3

access-list 11 permit 192.168.1.20 0.0.0.0

 

Hope to help

Giuseppe

 

 

 

Can I use only one statement to give internet access to 20 users by doing the below?

 

access-list 11 permit 192.168.1.0 0.0.0.20

 

Hello,

 

> Can I use only one statement to give internet access to 20 users by doing the below?
>
> access-list 11 permit 192.168.1.0 0.0.0.20

 

No, because IP addresses are based on binary math, and the wildcard mask says which bits are "don't care" (they can be 0 or 1 and still match): those are the bits set to 1 in the mask.

 

20 = 00010100

 

It is a valid wildcard mask, but it matches only the following addresses:

192.168.1.0

192.168.1.4

192.168.1.16

192.168.1.20

 

that is not what you want

 

Hope to help

Giuseppe

 

Great explanation!

If I want to allow from 192.168.21.1-192.168.21.60

Then the Wild Card Would look this way as below.

192.168.21.0     0.0.0.31

192.168.21.32   0.0.0.15

192.168.21.48   0.0.0.7

192.168.21.56   0.0.0.3

192.168.21.60   0.0.0.0

 

Please correct me if I have not understood you correctly.

 

Hello,

Yes, I think the proposed statements are correct to match the 192.168.1.1 to 192.168.1.60 addresses.

 

60 = 32+16+8+4.

To find out the correct wildcard masks you need to think in powers of two.

 

Hope to help

Giuseppe

 

What a great explanation! One last question: if I want to deny the range 192.168.21.1 to 192.168.21.60 with

access-list 11 deny 192.168.21.0 0.0.0.31

access-list 11 deny 192.168.21.32 0.0.0.15

access-list 11 deny 192.168.21.48 0.0.0.7

access-list 11 deny 192.168.21.56 0.0.0.3

access-list 11 deny 192.168.21.60 0.0.0.0


will the above work? And what statement will allow all the rest of the network after 192.168.21.60?

Hello,

OK, you have to remember that an ACL has an implicit deny any at the end!

To allow the remaining hosts in network 192.168.21.0/24 we need to add a permit statement.

So after the lines

access-list 11 deny 192.168.21.0 0.0.0.31

access-list 11 deny 192.168.21.32 0.0.0.15

access-list 11 deny 192.168.21.48 0.0.0.7

access-list 11 deny 192.168.21.56 0.0.0.3

access-list 11 deny 192.168.21.60 0.0.0.0

you need to add a last line:

access-list 11 permit 192.168.21.0 0.0.0.255

 

Hope to help

Giuseppe
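Two points in this thread are easiest to believe once you see an ACL evaluated host by host: the earlier reply that `access-list 11 permit 192.168.1.0 0.0.0.20` matches only .0, .4, .16 and .20, and this last reply that the deny list falls through to the implicit deny unless a final permit is added. The Python below is an added example, not code from the thread or from Cisco; `parse_acl`, `evaluate` and `permitted_hosts` are my own names, and the parser understands only the standard-ACL forms that appear in this thread (`A.B.C.D W.X.Y.Z`, `host A.B.C.D`, `any`). Both ACL texts are copied from the posts above. Note that a deny in an ACL referenced by `ip nat inside source list` means "do not translate", not "drop"; untranslated packets still leave the router and are dropped upstream, so if you want a hard block, apply the ACL to the interface as well.

```python
import ipaddress
from typing import List, Tuple

Entry = Tuple[int, str, str, str]  # (acl number, action, network, wildcard)

# ACL texts quoted from the thread above.
SINGLE_LINE_ACL = "access-list 11 permit 192.168.1.0 0.0.0.20\n"

DENY_RANGE_ACL = """
access-list 11 deny 192.168.21.0 0.0.0.31
access-list 11 deny 192.168.21.32 0.0.0.15
access-list 11 deny 192.168.21.48 0.0.0.7
access-list 11 deny 192.168.21.56 0.0.0.3
access-list 11 deny 192.168.21.60 0.0.0.0
access-list 11 permit 192.168.21.0 0.0.0.255
"""


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """A 1 bit in the wildcard is 'don't care'; every 0 bit must agree."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return ((_ip(addr) ^ _ip(net)) & care) == 0


def parse_acl(text: str) -> List[Entry]:
    """Parse standard numbered ACL lines into (number, action, network, wildcard)."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue  # skip blank lines and anything that is not an ACL entry
        number, action = int(parts[1]), parts[2]
        if parts[3] == "any":
            net, wc = "0.0.0.0", "255.255.255.255"
        elif parts[3] == "host":
            net, wc = parts[4], "0.0.0.0"
        else:
            net = parts[3]
            wc = parts[4] if len(parts) > 4 else "0.0.0.0"  # IOS default wildcard
        entries.append((number, action, net, wc))
    return entries


def evaluate(acl: List[Entry], addr: str) -> str:
    """First matching entry wins; falling off the end is the implicit deny."""
    for _, action, net, wc in acl:
        if wildcard_match(addr, net, wc):
            return action
    return "deny"


def permitted_hosts(acl_text: str, prefix: str) -> List[int]:
    """Last octets under prefix (e.g. '192.168.21.') that the ACL permits."""
    acl = parse_acl(acl_text)
    return [h for h in range(256) if evaluate(acl, f"{prefix}{h}") == "permit"]


if __name__ == "__main__":
    print("0.0.0.20 permits:", permitted_hosts(SINGLE_LINE_ACL, "192.168.1."))
    allowed = permitted_hosts(DENY_RANGE_ACL, "192.168.21.")
    print("deny list + permit /24 allows", allowed[0], "to", allowed[-1])
    # Without the final permit, every host falls through to the implicit deny.
    no_permit = "\n".join(DENY_RANGE_ACL.strip().splitlines()[:-1])
    print("without the permit:", permitted_hosts(no_permit, "192.168.21."))
```

The last print is the point of Giuseppe's reply: strip the final `permit` line and the result is an empty list, because every host, including .61 upward, hits the implicit deny.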

 
