inverse subnet mask

suthomas1
Level 6

Hello,

I see the following mask in one of the extended lists, but I am not sure what subnet/CIDR it will be.

How do I calculate the CIDR for this?

ip 10.102.10.0 0.7.241.255 any

Thanks in advance.

Accepted Solution

Jon Marshall
Hall of Fame

You can't translate to a CIDR notation because wildcard masks are not the inverse of subnet masks.

It is not an invalid mask, although whether they meant to do this is questionable; however, this is what it matches.

The first octet must be 10.
The second octet can be any value between 96 and 103.
The last octet can be any value.

The third octet you need to write out in binary, so:

128 64 32 16 8 4 2 1
  0  0  0  0 1 0 1 0  = 10
  1  1  1  1 0 0 0 1  = 241 (wildcard mask)

So bear in mind that with a wildcard mask 0 means must match and 1 means don't care. So what the above is saying is that the first 4 bits and the last bit can be any value. The 5th and 7th bits (from the left) must always be on and the 6th bit must never be on.

I have not worked them all out because life is too short :) but it means:

Any value below 10 in the third octet is not allowed because the 5th and 7th bits must always be on.

11 is allowed, but then 12 - 25 are not allowed because to get any of those values you either need to turn on the 6th bit (which is not allowed) or turn off bits 5 or 7 (again not allowed).

26 - 27 are allowed
28 - 41 are not allowed
42 - 43 are allowed
44 - 57 are not allowed
58 - 59 are allowed

etc.

I tested in a lab and it does work as expected although again I did not test every IP so I may be wrong :)

Jon

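A small checker for the matching rule Jon walks through above (an added example, not code from the thread or from Cisco): given an ACE's address and wildcard it shows what IOS stores, whether a host matches, which values of one octet satisfy the wildcard, and whether the wildcard is contiguous enough to be written as a CIDR prefix at all. The sample address, wildcard and hosts are taken from the thread or constructed for the demo.

```python
import ipaddress

# Sample ACE from the thread: ip 10.102.10.0 0.7.241.255 any
BASE = "10.102.10.0"
WILDCARD = "0.7.241.255"


def _i(dotted):
    """Dotted-quad string to 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def normalize(base, wildcard):
    """What IOS stores: every 'don't care' (1) bit of the address is cleared."""
    return str(ipaddress.IPv4Address(_i(base) & ~_i(wildcard) & 0xFFFFFFFF))


def matches(host, base, wildcard):
    """Wildcard rule: wherever the mask bit is 0 the host bit must equal the base bit."""
    return ((_i(host) ^ _i(base)) & ~_i(wildcard) & 0xFFFFFFFF) == 0


def allowed_octet_values(base_octet, wild_octet):
    """Every value of one octet that satisfies its wildcard (reproduces Jon's list)."""
    return [v for v in range(256) if ((v ^ base_octet) & ~wild_octet & 0xFF) == 0]


def to_prefix_length(wildcard):
    """Prefix length if the wildcard is contiguous (0...01...1), otherwise None."""
    w = _i(wildcard)
    if (w + 1) & w:  # w+1 is a power of two only when the low bits are all ones
        return None
    return 32 - w.bit_length()


if __name__ == "__main__":
    print("stored as:", normalize(BASE, WILDCARD))
    print("third octet allowed:", allowed_octet_values(10, 241))
    for h in ("10.96.11.5", "10.104.10.1", "10.102.12.1"):  # constructed hosts
        print(h, "matches" if matches(h, BASE, WILDCARD) else "no match")
    print("CIDR prefix:", to_prefix_length(WILDCARD))
```

Note that only a contiguous wildcard such as 0.0.255.255 has a prefix length; 0.7.241.255 returns None, which is the point Jon makes.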

Hello,

In theory, this would translate to 10.102.10.0 255.248.14.0. Likely a typo, since this is not a configurable IP address.

Julio E. Moisa
VIP Alumni

Hi,

Once you insert this entry into the ACL, it changes to the parent subnet:

access-list 100 permit ip 10.96.10.0 0.7.241.255 any

It is probably doing any kind of filtering. Are you seeing any match through show access-list?

I remember having configured an ACL to allow just even /24 subnets, for example:

access-list 1 permit 172.16.0.0 0.0.254.0

Check these links:

http://blog.ine.com/2007/12/26/q-how-do-i-compute-complex-wildcard-masks-for-access-lists/

http://blog.ine.com/2008/09/16/binary-math-part-i-answers/
http://blog.ine.com/2008/11/03/binary-math-part-ii/
http://blog.ine.com/2008/11/05/binary-math-part-ii-answers/

https://routerjockey.com/2010/05/19/using-discontiguous-wildcard-masks-in-acls/

The CIDR is obtained from the active bits of the subnet mask; in this case the subnet and its wildcard should be used for filtering in an ACL only.

Hope it is useful

:-)

>> Mark as helpful or answered if the reply solved the question; this helps future queries from other community members. <<

Kin Loo
Level 1

Hey dude,

Like others have said, that is a wildcard mask and there is no such thing as an inverse subnet mask.

I have no idea why you would see that, because the router will never accept such an incorrectly written ACL.

The network address is fine; the wildcard mask and anything behind it isn't. 0.7.255.255 or 0.0.15.255 is acceptable. (241 is not correct at all.)

Assuming you are trying to set 0.7.255.255 to deny a web service of, say, 10.102.10.50, you would write it as

access-list 170 deny tcp 10.102.10.0 0.7.255.255 10.102.10.50 eq 80

The above ACL 170 will prevent any host within that network from accessing the .50 web server via its web interface (port 80).

Going back to your question about the CIDR notation, 0.7.255.255 will be /14 and 0.0.15.255 will be /21.

Best Regards,

Kin

The router accepts 241 as a value and it is perfectly valid; see the explanation below as to what it filters.

Jon

I agree with Jon; it is a valid entry for an ACL. This is known as complex wildcards.

>> Mark as helpful or answered if the reply solved the question; this helps future queries from other community members. <<
