dissolved
ACLs and wild cards on cisco routers (part 2)
"You want to match on this network (172.16.16.0/21) in an ACL. Enter the wildcard mask to do this."
This was a question on a CCNA practice exam. Can anyone shed any light?
thanks
ASKER
Thanks guys. A few more questions
1. lrmoore: What is the difference between inverse masks and wildcard masks? Also, in the example you posted:
Used in an access-list, this wildcard will match all networks with an odd number in the 3rd octet and not match any even numbered subnets.
access-list 121 permit ip 172.16.0.0 0.0.254.255 any
Is there an easy explanation as to why the third octet of the host must be odd to match?
2. Leo and Dr IP: I'm assuming I cannot use the 255-x formula for all of the questions? I can only use them on /24 or bigger?
Thanks
In an inverse mask, all mask digits are contiguous.
In a wildcard mask, that is not necessarily the case.
Consider:
IP Address 172.22.5.0/24
Binary 10101100.00010110.00000101.00000000
Subnet Mask:
Decimal 255.255.255.0
Binary 11111111.11111111.11111111.00000000
Inverse (Wildcard) Mask
Decimal 0.0.0.255
Binary 00000000.00000000.00000000.11111111
Wildcard Mask
Decimal 0.0.254.255
Binary 00000000.00000000.11111110.11111111
^^
All bit positions occupied by a 0 in the wildcard mask are significant and must match when a packet is examined by the router for access list criteria.
Decimal 172.22.1.0
Binary 10101100.00010110.00000001.00000000
^ = match
Decimal 172.22.2.1
Binary 10101100.00010110.00000010.00000001
^ = no match
Decimal 172.16.3.1
Binary 10101100.00010110.00000011.00000001
^ = match
ASKER
thanks! and my final question
255.255.255.255 means match all packets
0.0.0.0 means match a specific host
0.0.0.255 means the last octet can be anything?
Great explanations guys
thanks
ASKER
thanks everyone.
10.0.0.0/24 254 hosts, 0.0.0.255
10.0.0.0/25 126 hosts, 0.0.0.127
10.0.0.0/26 62 hosts, 0.0.0.63
For larger subnets you can use this formula. 255.255.255.255 minus subnet mask equals wildcard.
255.255.255.255
-255.255.254.0
=0.0.1.255
255.255.255.255
-255.255.224.0
=0.0.31.255
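The subtraction formula and the bit-matching rule discussed in this thread, as an added Python example (not code from any of the posters). The function names are hypothetical, and the packet addresses other than those quoted in the thread are constructed for illustration.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF

def to_int(dotted):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))

def wildcard_from_prefix(prefix_len):
    """255.255.255.255 minus the subnet mask, returned as a dotted wildcard."""
    mask = (ALL_ONES << (32 - prefix_len)) & ALL_ONES
    return str(ipaddress.IPv4Address(ALL_ONES - mask))

def is_contiguous(wildcard):
    """True for an inverse mask (0s followed by 1s), False for e.g. 0.0.254.255."""
    w = to_int(wildcard)
    return (w & (w + 1)) == 0

def acl_match(acl_addr, wildcard, packet_addr):
    """A packet matches when every bit that is 0 in the wildcard is identical
    in the ACL address and the packet address; 1 bits are ignored."""
    care = ~to_int(wildcard) & ALL_ONES
    return (to_int(acl_addr) & care) == (to_int(packet_addr) & care)

if __name__ == "__main__":
    # The exam network from the question: /21 -> 255.255.248.0 -> 0.0.7.255
    wc = wildcard_from_prefix(21)
    print("172.16.16.0/21 wildcard:", wc)
    for pkt in ("172.16.16.1", "172.16.23.255", "172.16.24.0"):  # constructed
        print(" ", pkt, acl_match("172.16.16.0", wc, pkt))

    # Non-contiguous wildcard from the thread. Only the low bit of the third
    # octet is compared there, and it is compared against the ACL address, so
    # the address on the ACL line decides whether odd or even octets match.
    print("0.0.254.255 contiguous?", is_contiguous("0.0.254.255"))
    for base in ("172.22.5.0", "172.22.4.0"):  # second base is constructed
        for pkt in ("172.22.1.0", "172.22.2.1", "172.22.3.1"):
            print(" ", base, "vs", pkt, acl_match(base, "0.0.254.255", pkt))
```

When auditing an ACL, a wildcard for which `is_contiguous` returns False deserves a second look, because it selects a pattern of addresses rather than a single subnet.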