Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6433
Views
0
Helpful
3
Replies

Targeting a Subnet Range with a Wildcard Mask

steeilers
Level 1
Level 1

‎06-20-2017 11:58 AM - last edited on ‎03-25-2019 04:44 PM by Community Manager

Thanks in advance,

So I understand wildcard masks for targeting a subnet or a host. What is confusing me is how to target a range of hosts in a subnet.

If someone could point me to a good online resource or just help me answer the following question, that would help me to clarify what I'm missing.

If I'm creating an ACL to block private addresses inbound: 172.16.0.0 - 172.31.255.255 /16 

Why is the mask 0.15.255.255?

My Brainstorming:

If I want to block 172.16.0.0 255.255.0.0 
I would make a deny 172.16.0.0 0.0.255.255 entry

If I flip 0.15.255.255 I get a subnet mask of 255.255.240.0
Why does 255.240.0.0 block the private b address space?

I'm confused, thanks,

Labels:
0 Helpful
3 Replies 3

Spooster IT Services
Level 7
Level 7

‎06-20-2017 12:58 PM

Hi steeilers,

To block whole Class B Private subnet 172.16.0.0 - 172.31.255.255 yes the wildcard mask will be 0.15.255.255 because the Class B Private subnet is 172.16.0.0/12 or 172.16.0.0 255.240.0.0.

With the following entry you can deny the whole Class B private subnet ranging from 172.16.0.0 - 172.32.255.255.

deny 172.16.0.0 0.15.255.255

Spooster IT Services Team
0 Helpful

KJackson50
Level 1
Level 1

‎06-20-2017 01:00 PM

From what I understand, you want to block everything from 127.16.0.0 - 172.31.255.255. When you're in that 2nd octet (where the 16 and 31 are) you're in class A territory. The mask and CIDR for the range that you are looking at is 255.240.0.0 and /12 respectively. 

This is how you would get the mask

255 255 255 255
- 255 240 0 0
= 0 15 255 255

The mask that you got after you flipped the 0.15.255.255 would actually be 255.240.0.0. 255.240.0.0 blocks everything in that remaining 15.255.255. Were you trying to block 172.16.0.0 - 172.16.31.0 /20? Hope that makes sense!

0 Helpful

Reza Sharifi
Hall of Fame
Hall of Fame

‎06-20-2017 01:32 PM

0.15.255.255 is the wild card. see link:

http://jodies.de/ipcalc?host=172.16.0.0&mask1=12&mask2=

Address:   172.16.0.0            10101100.0001 0000.00000000.00000000
Netmask:   255.240.0.0 = 12      11111111.1111 0000.00000000.00000000
Wildcard:  0.15.255.255          00000000.0000 1111.11111111.11111111
=>
Network:   172.16.0.0/12         10101100.0001 0000.00000000.00000000 (Class B)
Broadcast: 172.31.255.255        10101100.0001 1111.11111111.11111111
HostMin:   172.16.0.1            10101100.0001 0000.00000000.00000001
HostMax:   172.31.255.254        10101100.0001 1111.11111111.11111110
Hosts/Net: 1048574               (Private Internet)
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card