ACL & Wildcard Question!

Iluvnetwork
Level 1

If I want to allow 192.168.1.0/24 and 10.178.5.0/24 but deny 172.224.4.0/24 in one ACL, how should I do it?

Accepted Solution

Everything depends on how specific you want to be. I hope it is understood that

permit ip 0.160.1.0 219.26.4.255

will permit far more networks than just 192.168.1.0/24 and 10.178.5.0/24 and block far more than just 172.224.4.0/24.

In the first octet, 0 with wildcard mask 219 permits networks having 1, 2, 3 in the first octet; however, it will block any network that starts with 4 in the first octet, etc. Generally, the list of potential solutions depends on how specific you want to be. For example, blocking 172.224.4.0/24 can also be done by permitting 0.0.1.0 255.255.254.255, but it will block far fewer networks than your original statement, since it will just permit any network that has an odd number in the 3rd octet. Also, there are many other solutions.

So the question is how specific you want to be with your solution: what exactly should be blocked and what exactly can be permitted.


11 Replies

Seb Rupik
VIP Alumni
!
ip access-list standard SIMPLE
 remark permit the two /24s; everything else falls through to the implicit deny
 permit 192.168.1.0 0.0.0.255
 permit 10.178.5.0 0.0.0.255
!

The deny is implicit.

 

cheers,

Seb.

My bad. I meant one ACL line.
I got this: permit 0.162.0.0 219.26.4.255

Hello

Do you mean one ACL and just one ACE? If so, then it cannot be done; you will need at least two ACEs within one ACL to complete this.

 

res

Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

My final answer is 0.160.1.0 219.26.4.255. By permitting this, I can allow 192.168.1.0/24 and 10.178.5.0/24, and block 172.224.4.0/24.

 

If I am misunderstanding about "Wildcard Mask", please let me know.

Hello


@Iluvnetwork wrote:

My final answer is 0.160.1.0 219.26.4.255. By permitting this, I can allow 192.168.1.0/24 and 10.178.5.0/24, and block 172.224.4.0/24.

 

If I am misunderstanding about "Wildcard Mask", please let me know.


That ACL statement makes no sense.

As I stated previously, you cannot create an access-list permit/deny for two different subnets with just one access control entry (ACE) in a single access-list.

 

res
Paul



Kind Regards
Paul

EDIT: After some more thinking about it... No, my solution doesn't work. Damn, I was calculating this stuff some years ago, but I don't get it any more.

 

Are you preparing for your CCIE exam, Paul? If yes, then it doesn't have to make any sense; it's just about binary math.

 

My solution is "permit 0.160.1.0 202.26.4.255". But with a severe cold I'm far away from clear thinking.

 

Let's look at it:

 

11000000.10101000.00000001.00000000 = 192.168.1.0
00001010.10110010.00000101.00000000 = 10.178.5.0

We use a "0" if we don't care about the digit and we use the digit if we care (first line). A "1" for every "don't care" in the second line:

00000000.10100000.00000001.00000000
11001010.00011010.00000100.11111111

The first line gives the address, the second line the wildcard-mask.

Hello


@Karsten Iwen wrote:

EDIT: After some more thinking about it... No, my solution doesn't work. **bleep**, I was calculating this stuff some years ago, but I don't get it any more.

 

Are you preparing for your CCIE exam, Paul? If yes, then it doesn't have to make any sense; it's just about binary math.

 

My solution is "permit 0.160.1.0 202.26.4.255". But with a severe cold I'm far away from clear thinking.

 

Let's look at it:

 

11000000.10101000.00000001.00000000 = 192.168.1.0
00001010.10110010.00000101.00000000 = 10.178.5.0

We use a "0" if we don't care about the digit and we use the digit if we care (first line). A "1" for every "don't care" in the second line:

00000000.10100000.00000001.00000000
11001010.00011010.00000100.11111111

The first line gives the address, the second line the wildcard-mask.


In fact I am, Karsten - for a while now - I just haven't got the balls to take that jump and sit the lab!!!

I am also aware of the binary conversion, so I will reiterate why to me it doesn't make any sense: where in that ACL does it negate just the 172.x.x.x? As far as I can see it denies everything.

I may be mistaken here, but wasn't the OP stating to permit just those two hosts and then deny just that 172. host? And if that is the case, then it cannot be done with just one ACL and one ACE as far as I am aware?

 

res

paul

 



Kind Regards
Paul

I don't even have a CCNA cert. I recently learned about the wildcard mask and thought it would be fun to play with it. As I said, my answer is 0.160.1.0 219.26.4.255, which allows 192.168.1.0/24 and 10.178.5.0/24 and blocks 172.224.4.0/24. I guessed your ACL only allows 192.168.1.0/24 and 10.178.5.0/24 because at the end of the ACL it denies any :) Thank you very much :)


Thank you so much. This is what I have been wondering :) Learned a lot from your comment.

My new answer is 0.168.1.0 202.26.254.255. Is this one better than my previous answer, which was 0.160.1.0 219.26.4.255?

 

As you already mentioned, I agree blocking 0.0.1.0 255.255.254.255 is the best answer :)
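The wildcard arithmetic from Karsten's binary post and the "how much more do you permit" point of the accepted solution, as an added Python example (not code from the thread): it derives the smallest single ACE covering a list of networks, checks every candidate ACE proposed above against the three /24s in the question, and counts how many /24s each candidate admits. The candidate list and networks are taken from the thread; the function names are my own.

```python
from ipaddress import IPv4Address, IPv4Network

# Inputs taken from the question: the two networks to allow and the one to deny.
ALLOW = ["192.168.1.0/24", "10.178.5.0/24"]
DENY = ["172.224.4.0/24"]

# Single-ACE candidates proposed in the thread, as (address, wildcard).
CANDIDATES = [
    ("0.160.1.0", "219.26.4.255"),    # OP's first answer
    ("0.160.1.0", "202.26.4.255"),    # Karsten's binary derivation
    ("0.168.1.0", "202.26.254.255"),  # OP's second answer
    ("0.0.1.0", "255.255.254.255"),   # accepted solution: any odd 3rd octet
]


def ace_matches(addr, base, wildcard):
    """True if 'permit base wildcard' matches addr. A 0 bit in the wildcard
    means the address bit must equal base; a 1 bit means 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a ^ b) & ~w & 0xFFFFFFFF == 0


def covering_ace(networks):
    """Smallest single ACE that covers every network: AND the network addresses
    for the base; OR every bit on which they disagree, plus host bits, for the mask."""
    nets = [IPv4Network(n) for n in networks]
    addrs = [int(n.network_address) for n in nets]
    base, wild = addrs[0], 0
    for n, a in zip(nets, addrs):
        base &= a
        wild |= (a ^ addrs[0]) | int(n.hostmask)
    return str(IPv4Address(base)), str(IPv4Address(wild))


def permitted_slash24s(wildcard):
    """Number of /24 networks an ACE admits: 2 ** (don't-care bits above the host byte)."""
    return 2 ** bin(int(IPv4Address(wildcard)) >> 8).count("1")


def check_candidate(base, wildcard, allow=ALLOW, deny=DENY):
    """(permits every allowed net, matches no denied net). Every candidate's
    last wildcard octet is 255, so testing the network address covers the whole /24."""
    def net(n):
        return str(IPv4Network(n).network_address)
    return (all(ace_matches(net(n), base, wildcard) for n in allow),
            not any(ace_matches(net(n), base, wildcard) for n in deny))


if __name__ == "__main__":
    print("minimal covering ACE:", covering_ace(ALLOW))
    for base, wild in CANDIDATES:
        allows, blocks = check_candidate(base, wild)
        print(f"permit {base} {wild}: allows both={allows}, "
              f"blocks 172.224.4.0/24={blocks}, /24s admitted={permitted_slash24s(wild)}")
```

All four candidates pass the three-network test, but they admit 1024, 256, 16384 and 8388608 /24s respectively, which is the accepted solution's point about specificity.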
