
Wildcard Mask

Beacon Bits
Level 1

Hi all

Very silly question, but I am stuck calculating the wildcard below... any help?

 

 20 permit ip 192.168.0.0 0.0.252.255

 

Just need to know which IP range would be allowed?

 

Your help is much appreciated!


Sam Smiley
Level 3

It will allow 192.168.0.0 - 192.168.3.254

Cheers,

Sam

Thanks Sam!

So it would be

 

192.168.1.0

192.168.2.0

192.168.3.0

 

all the way down to 192.168.3.254

Am I correct?

 

 

Correct

Hi Sam

So this IP address (192.168.48.62) wouldn't fall into the below access list

permit ip 192.168.0.0 0.0.252.255.

 

Because the 3rd octet could only have 0, 1, 2 and 3. Is that correct?

 

Thanks!

 

There is an easy way to calculate it if you know subnetting:

Keep in mind the 255.255.255.255 mask, and if you need to convert your subnet mask to a wildcard, do the math:
255.255.255.255 - your mask = wildcard mask

255.255.255.252 => 255.255.255.255 - 255.255.255.252 = 0.0.0.3 wildcard mask, which means you will have 3 IPs available: one is broadcast and 2 are for hosts.

And vice versa, the operation from wildcard to subnet mask, 255.255.255.255 - wildcard mask = your subnet mask, is valid too.

Sam,

I am sorry but I am afraid you are not right. Your answer would be correct if the wildcard mask was 0.0.3.255. However, the wildcard mask in question is 0.0.252.255.

252 in binary is 1111-1100. Because in a wildcard mask, a binary '0' means "compare and match" while a binary '1' means "don't care", a wildcard 252 would mean: "Don't care about the topmost 6 bits, but compare and match the lowmost 2 bits". Because the reference value for these two lowmost bits is 0 (this results from the reference IP address 192.168.0.0), in essence, this ACL entry would match only those addresses that, at the same time,

  • Start with 192.168
  • Have their third octet of a value whose binary equivalent would be xxxx-xx00, in essence, a multiple of four
  • Have their fourth octet an arbitrary number between 0 and 255 inclusive

In other words, the matching IP addresses would be 192.168.<4xN>.<anything> where N is an integer between 0 and 63, inclusive, e.g. 192.168.0.1, 192.168.4.2, 192.168.48.23, 192.168.100.50, 192.168.244.111, ...

Would you agree?

Best regards,
Peter

Hi Peter

Thanks for your reply!

 

Could you please explain a bit more about your reply below:

 

  • Start with 192.168
  • Have their third octet of a value whose binary equivalent would be xxxx-xx00, in essence, a multiple of four
  • Have their fourth octet an arbitrary number between 0 and 255 inclusive

In other words, the matching IP addresses would be 192.168.<4xN>.<anything> where N is an integer between 0 and 63, inclusive, e.g. 192.168.0.1, 192.168.4.2, 192.168.48.23, 192.168.100.50, 192.168.244.111, ...

 

Kind regards

Shaiq

Shaiq,

This is really only an exercise with numbers in binary.

If you take an octet and write it out in binary, you basically indicate the presence of a particular power of two in that octet, starting with 128 and going down through 64, 32, 16, 8, 4, 2, and ending with 1.

Now notice that in a binary number of the form xxxx-xx00, you are saying:

  • There is no power of 2^0 = 1
  • There is no power of 2^1 = 2
  • There may or may not be the remaining powers:
    • 2^2 = 4
    • 2^3 = 8 = 2*4
    • 2^4 = 16 = 4*4
    • 2^5 = 32 = 8*4
    • 2^6 = 64 = 16*4
    • 2^7 = 128 = 32*4

So any number in the binary form of xxxx-xx00 consists of all possible combinations of 128, 64, 32, 16, 8, or 4 present in its binary representation - note that these powers of two as well as their arbitrary sums are always multiples of four. This is what I said when I indicated that the third octet of a matching address must be an integer multiple of four.

That is also what I said when I suggested that the IP address is of the form 192.168.<4xN>.<anything>. The third octet must be a multiple of four. Of course, no octet can be higher than 255, so the highest N you can have is 63, as 63x4 = 252. Any higher N would cause the third octet to be higher than 255 and that would no longer be a valid IP address.

You can also take it from another point of view if you are slightly fluent with binary arithmetic in computers (if not and all that follows is just gibberish to you, you can ignore it safely). Notice that the binary number in the form of xxxx-xx00 has six bits whose value can be arbitrary (the 'x' bits). If I had these six free bits isolated and wrote them down as a new binary number xx-xxxx, they would yield a value between 0 and 63, inclusive (6 bits give you 2^6=64 different combinations, ranging from 0 to 63). Now, you may know that a bit shift operation to the left is equivalent to multiplying the number by two. So if I bit-shifted the xxxxxx one time to the left, I would get a value of xxx-xxx0 (the former value in the range of 0-63 multiplied by 2), and if I bit-shifted the number to the left again, I would get a value of xxxx-xx00 (the former value in the range of 0-63 twice multiplied by two - that is, four). Hence the N, being nothing else than the xx-xxxx, in the range of 0-63, multiplied by 4 as I indicated in my IP address above.

Feel free to ask further!

Best regards,
Peter

Peter,

Thanks for your help.

I did work it out and understood it's the block that it takes as multiples of 4 because 256 - 252 = 4. Hence in the 3rd octet it would be 0, 4, 8, 12, 16, 20, 24, 28, 32, 36, 40, 44, 48, and 51, etc.

I was troubleshooting 192.168.48.0 with wildcard mask 0.0.252.255. But it is also allowing all other subnets as well.

 

So to block only these subnets (192.168.48.0, 192.168.49.0, 192.168.50.0, 192.168.51.0), I need to do each subnet manually (like 192.168.48.0 0.0.0.255 and so on)...???

 

Regards

Shaiq

The proper command to block the subnets you have listed would be:

20 deny ip 192.168.48.0 0.0.3.255

The mask that was in the original post is ambiguous. The above ACL will block 192.168.48.0, 192.168.49.0, 192.168.50.0 & 192.168.51.0.

Regards,

Sam

 

Good catch Peter, thanks. Cisco shows the 192.168.0.0 0.0.252.255 as "%Inconsistent address and mask", it will not input into a route statement. The mask from the original poster should be 0.0.3.255 or 255.255.252.0.

 

Cheers,

Sam

-

Thanks Jon, I can see where that is true, the access list with the OP's mask will take into an access list. I would be curious to see how that ACL would be interpreted since it is an invalid mask.

 

Cheers,

Sam
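
The matching rule discussed in this thread (wildcard 0 bits are compared, 1 bits are ignored), as an added example that is not from any poster: it evaluates the two ACL lines quoted above and flags a wildcard that is not the inverse of a subnet mask. The function names are assumptions, and the parser only handles lines shaped like the ones quoted here.

```python
import ipaddress

def to_int(dotted):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))

def acl_matches(address, base, wildcard):
    """Wildcard 0-bits must equal the base address; 1-bits are 'don't care'."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(address) & care) == (to_int(base) & care)

def is_contiguous(wildcard):
    """True when the wildcard is the inverse of a subnet mask (0s, then 1s)."""
    w = to_int(wildcard)
    return (w & (w + 1)) == 0

def third_octets(base, wildcard):
    """Third-octet values the entry matches (other octets taken from base)."""
    fixed = to_int(base) & 0xFFFF00FF
    return [o for o in range(256)
            if acl_matches(str(ipaddress.IPv4Address(fixed | (o << 8))),
                           base, wildcard)]

def audit(entry):
    """Summarise an entry shaped '<seq> <action> ip <addr> <wildcard>'."""
    base, wildcard = entry.split()[-2:]
    return {
        "contiguous": is_contiguous(wildcard),
        # every 'don't care' bit doubles the number of matched addresses
        "addresses": 2 ** bin(to_int(wildcard)).count("1"),
        "third_octets": third_octets(base, wildcard),
    }

if __name__ == "__main__":
    # The two ACL lines quoted in the thread
    for entry in ("20 permit ip 192.168.0.0 0.0.252.255",
                  "20 deny ip 192.168.48.0 0.0.3.255"):
        r = audit(entry)
        print(entry, "->", r["addresses"], "addresses,",
              "contiguous" if r["contiguous"] else "NON-contiguous",
              "wildcard; third octets", r["third_octets"][:5], "...")
    # The address asked about earlier in the thread
    print(acl_matches("192.168.48.62", "192.168.0.0", "0.0.252.255"))
```

Running the same audit over every entry of an exported ACL and reviewing the ones reported as non-contiguous is a quick way to find rules that match far more address space than their author intended.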