02-28-2007 03:16 PM - edited 03-05-2019 02:38 PM
Given the access-lists:
"access-list 120 deny tcp 207.16.12.0 0.0.3.255 any eq http
access-list 120 permit ip any any"
Then this is the traffic:
a) source ip 207.16.13.14, destination=http
b) source ip 207.16.32.14, destination=http
Question:
Is the traffic above in a) and b) denied or permitted?
I am kind of confused on how to visualize this. I tried to write source IP in binary format:
207.16.32.14=
3rd and 4th octet only->
.32.14 = 00100000.00001110
mask=03.255= 00000011.11111111
But honestly I can't visualize how to determine whether the inverse mask 0.0.3.255 would deny or permit this. Can you help me understand how I should approach this problem?
Labels: LAN Switching
Accepted Solutions
03-01-2007 12:52 AM
Reread your posting, looks like I misunderstood your question. Here is the correction:
207.16.12.0 written in binary format is (only 3rd and 4th octets are shown)
00001100 00000000
and the mask is
00000011 11111111
the topmost 6 bits should match exactly, so address with the following pattern
000011xx xxxxxxxx (where x= 0 or 1)
will match the source address field of ACL
The address range that matches the ACL is
00001100 00000000 to 00001111 11111111
written in digital format, it is
12.0 to 15.255
So, the answer is A.
HTH
SSLIN
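
The bit-by-bit comparison worked through above can be checked mechanically. The following is an added example, not code from any poster in this thread: it applies wildcard matching and first-match evaluation to access-list 120 and the two source addresses from the question. The function names are hypothetical, the destination `any` is not modelled, and `eq http` is taken as TCP port 80.

```python
import ipaddress

def ip_to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, base, wildcard):
    """True when addr equals base on every bit where the wildcard bit is 0."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF  # 1 = must match, 0 = don't care
    return (ip_to_int(addr) & care) == (ip_to_int(base) & care)

def wildcard_range(base, wildcard):
    """First and last matched address; only valid for contiguous wildcards."""
    w = ip_to_int(wildcard)
    if w & (w + 1):  # the don't-care bits are not one low-order run
        raise ValueError("non-contiguous wildcard does not describe one range")
    low = ip_to_int(base) & ~w & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(low | w))

# access-list 120 from the question: (action, protocol, source, wildcard, dst port)
# "any" is written out as 0.0.0.0 255.255.255.255; "eq http" assumed to be port 80.
ACL_120 = [
    ("deny", "tcp", "207.16.12.0", "0.0.3.255", 80),
    ("permit", "ip", "0.0.0.0", "255.255.255.255", None),
]

def evaluate(acl, proto, src, dst_port):
    """Return the action of the first matching entry, else the implicit deny."""
    for action, ace_proto, base, wildcard, port in acl:
        if ace_proto != "ip" and ace_proto != proto:
            continue  # protocol keyword does not cover this packet
        if port is not None and port != dst_port:
            continue  # "eq" port condition not met
        if wildcard_match(src, base, wildcard):
            return action
    return "deny"

if __name__ == "__main__":
    print(wildcard_range("207.16.12.0", "0.0.3.255"))
    for src in ("207.16.13.14", "207.16.32.14"):  # traffic a) and b)
        print(src, "->", evaluate(ACL_120, "tcp", src, 80))
```
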

02-28-2007 04:09 PM
Hello,
With the ACL 120 the network or the addresses which will be allowed are
207.16.12.0 - 207.16.15.255
So, option (a) traffic will be permitted.
Option (b) traffic will be denied.
Hope this helps
Cheers
Gilbert
Rate this post, if it helps.

02-28-2007 04:14 PM
207.16.12.x Is the network
0.0.3.255 is the subnet mask (wildcard mask)
so
255.255.252.0 will be the real subnet mask.
Wild card of "0" means "255" with the normal mask
So, wild card of 3 means 255-3 which is equal to 252.
wild card of "255" means 0 in the subnet mask format.
So, wildcard mask - 0.0.15.255 means 255.255.240.0 in subnet mask.
Does this help!!
Gilbert
03-01-2007 12:32 AM
Hi news2010a
First, there is an inconsistency in your question. Is it 207.16.12.0 or 207.16.32.0? I suppose it's 207.16.32.0 and try to give you an explanation.
For the inverse mask used in ACL, bit "0" means match exactly, bit "1" means don't care. In this case, the topmost 6 bits of the third octet (and all bits in 1st and 2nd octets) should match exactly and the rest of the bits need no care.
So, any address with this pattern: 001000xx xxxxxxxx (where x = 0 or 1) will match the source address field of the ACL. Writing these addresses in binary format, they should be:
00100000 00000000 to 00100011 11111111
or in digital format:
32.0 ~ 35.255
To your question, any address ranging from 207.16.32.0 to 207.16.35.255 will match the source address field in the ACL.
HTH
SSLIN
03-01-2007 09:52 AM
I think finally I understand how to do this sucker! You guys are rulers.
