06-26-2012 10:18 AM - edited 03-07-2019 07:28 AM
hi:
I would like to know if I can use the wildcard mask to filter certain networks.
for example:
192.168.0.0/30
192.168.0.4/30
192.168.0.8/30
192.168.0.12/30
If I only want to block the 192.168.0.8/30 and 192.168.0.12/30 networks, without writing two ACLs, can I simply use a wildcard mask to filter on the matching bits?
00000000
00000100
00001000
00001100
I have tried, but it seemed I could not do this using a wildcard mask. Can anyone kindly explain why?
much appreciated.
Labels: Other Switching
06-26-2012 10:41 AM
This should be possible. Perhaps you can post what you tried.
The key is to remember that in the mask the 0 bit shows a bit position that must match and a 1 bit is a bit that does not have to match. When you look at the binary for 8 and 12 there is one bit that varies and all the others are the same. So all the bits but one will be 0. Try using the mask 00000100. It should match 8 and 12 and nothing else.
HTH
Rick
06-26-2012 12:08 PM
hi Richard:
Thanks for your help. I have tried your method, but it seemed something was wrong with my configuration.
Here is my scenario.
I wanted to block traffic from
192.168.0.14/30 and 192.168.0.10/30 to reach R1 which is 10.10.10.11/24
My access-list:
Router(config)#do show acce
Standard IP access list 1
deny 192.168.0.8 0.0.0.4
permit any (8 match(es))
I applied the access-list on f1/0 of R0:
interface FastEthernet1/0
ip address 10.10.10.10 255.255.255.0
ip access-group 1 out
duplex auto
speed auto
If I used 192.168.0.8 with wildcard 0.0.0.3, I would block all traffic from the 192.168.0.8/30 network, but if I used 192.168.0.8 with wildcard 0.0.0.4, the access-list did not block any traffic. I wonder why???
Thanks for your help.
06-26-2012 12:33 PM
OK. Both Soroush and I misunderstood what you are trying to accomplish. We understood your question to be about how to block the network ID. And we both came up with the same solution/same mask which would block those network IDs. But your explanation here makes it clear that you want to block the hosts within those networks. So the mask calculation that we suggested was not correct for your purposes. To block the hosts of those two networks try an access list that looks like this:
Standard IP access list 1
deny 192.168.0.8 0.0.0.7
Give that a try and let us know how it works.
HTH
Rick
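To make the difference between the two masks concrete (Rick's rule that a 0 bit in the wildcard must match and a 1 bit is "don't care", and the fix above), here is a small Python model of Cisco-style wildcard matching. It is an added example, not configuration or code from the thread; the host addresses it tests (192.168.0.10 and 192.168.0.14 from the scenario) and the two sample ACLs are constructed to mirror the posts.

```python
import ipaddress


def wildcard_match(addr: str, reference: str, wildcard: str) -> bool:
    """Cisco-style wildcard test.

    A 0 bit in the wildcard means the address bit must equal the
    reference bit; a 1 bit means that position is ignored.
    """
    a = int(ipaddress.IPv4Address(addr))
    r = int(ipaddress.IPv4Address(reference))
    w = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF & ~w          # positions that must match
    return (a & care) == (r & care)


def matched_last_octets(reference: str, wildcard: str) -> list:
    """Which hosts 192.168.0.0 .. 192.168.0.15 does one ACL entry match?"""
    return [i for i in range(16)
            if wildcard_match(f"192.168.0.{i}", reference, wildcard)]


def evaluate_acl(entries, src: str) -> str:
    """Walk a standard ACL top-down: first matching entry wins,
    and an implicit deny sits at the end."""
    for action, reference, wildcard in entries:
        if wildcard_match(src, reference, wildcard):
            return action
    return "deny"


# Constructed to mirror the thread: the ACL that did not block anything ...
ACL_THREAD = [("deny", "192.168.0.8", "0.0.0.4"),
              ("permit", "0.0.0.0", "255.255.255.255")]
# ... and the corrected one covering all hosts of both /30s.
ACL_FIXED = [("deny", "192.168.0.8", "0.0.0.7"),
             ("permit", "0.0.0.0", "255.255.255.255")]

if __name__ == "__main__":
    for wc in ("0.0.0.4", "0.0.0.3", "0.0.0.7"):
        print(f"deny 192.168.0.8 {wc} matches last octets "
              f"{matched_last_octets('192.168.0.8', wc)}")
    for host in ("192.168.0.10", "192.168.0.14"):
        print(host, "thread ACL:", evaluate_acl(ACL_THREAD, host),
              "fixed ACL:", evaluate_acl(ACL_FIXED, host))
```

Running it shows that 0.0.0.4 matches only the network IDs .8 and .12, so the actual source hosts .10 and .14 fall through to permit any, while 0.0.0.7 covers .8 through .15.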
06-26-2012 11:09 AM
Hi dannan,
It is kinda important what you put as the reference IP, and of course the proper wildcard, because the wildcard is matched against the IP you put there.
In your case, in order to filter .8 and .12 (let's do the binary):
12 = 00001100
8 = 00001000
Now you have to choose the permanent bits for your application and the variable ones. Result: 00000100.
And you have to use it with: ip: 192.168.0.8 - wildcard: 0.0.0.4
Please rate if it helped,
Soroush.
06-26-2012 12:15 PM
hi soroushm:
Thanks for your reply, but I have tried to use 192.168.0.8 with wildcard 0.0.0.4, and it did not work as expected.
My access-list:
Router(config)#do show acce
Standard IP access list 1
deny 192.168.0.8 0.0.0.4
permit any (8 match(es))
I applied the access-list on f1/0 of R0:
interface FastEthernet1/0
ip address 10.10.10.10 255.255.255.0
ip access-group 1 out
duplex auto
speed auto
I have no idea what went wrong, please help me out here; sorry for being a newbie.
Thanks.
06-26-2012 12:40 PM
Just like Rick pointed out, we didn't account for the lower 2 bits (host IDs) in your /30 addressing scheme. Try Rick's and see if it works! wildcard 0.0.0.7
CheerZ
Soroush.
06-27-2012 06:52 AM
Thank you guys. Your help is much appreciated.
