Must Know! access-list Wildcards
Joe Dali 2004-02-27, 11:47 pm
We all know the rules and have seen the literature on how to do wildcard masks:
The 32 bit wildcard mask consists of 1’s and 0’s
1 = ignore this bit
0 = check this bit
Yada, yada, yada………
BUT MOST OF THE TIME WE WANT TO DO ONE OF THESE THREE THINGS:
1. MATCH A HOST
2. MATCH AN ENTIRE SUBNET
3. MATCH A RANGE
or
4. MATCH EVERYONE
Here are the easy ways to do that
1. How to match an individual host
All wildcard mask bits are zeros
For Standard Access-list
Access-list 1 permit 157.89.8.9 0.0.0.0
Access-list 1 permit 157.89.8.9 (standard access lists assume a 0.0.0.0 mask)
For Extended Access-lists
Access-list 101 permit ip 157.89.8.9 0.0.0.0 any
Access-list 101 permit ip host 157.89.8.9 any
2. How to match an Entire Subnet
Wildcard mask = 255.255.255.255 – subnet mask
Example 1
Given 3.2.4.0 subnet mask 255.255.255.0
                  255.255.255.255
  - subnet mask   255.255.255.  0
  Wildcard mask     0.  0.  0.255
Answer:
Access-list 1 permit 3.2.4.0 0.0.0.255
Example 2
Given 111.2.4.112 subnet mask 255.255.255.224
                  255.255.255.255
  - subnet mask   255.255.255.224
  Wildcard mask     0.  0.  0. 31
Answer:
Access-list 1 permit 111.2.4.112 0.0.0.31
Example 3
Given 3.2.128.0 subnet mask 255.255.192.0
                  255.255.255.255
  - subnet mask   255.255.192.  0
  Wildcard mask     0.  0. 63.255
Answer:
Access-list 1 permit 3.2.128.0 0.0.63.255
Example 4
Given 203.2.4.128 subnet mask 255.255.255.240
                  255.255.255.255
  - subnet mask   255.255.255.240
  Wildcard mask     0.  0.  0. 15
Answer:
Access-list 1 permit 203.2.4.128 0.0.0.15
THAT'S IT ... COOL!
3. How to Match a range
(Works when the range is an entire subnet)
Match the range
157.89.16.0 – 157.89.31.255
To find the wildcard mask, take the HIGHER minus the LOWER:
                  157. 89. 31.255
                - 157. 89. 16.  0
  wildcard          0.  0. 15.255
access-list 1 permit 157.89.16.0 0.0.15.255
Warning: Each non-zero value must be ONE LESS than a power of 2
(i.e. one of these: 0, 1, 3, 7, 15, 31, 63, 127, 255)
Match the range
157.89.16.32 – 157.89.31.63
To find the wildcard mask, take the HIGHER minus the LOWER:
                  157. 89. 31. 63
                - 157. 89. 16. 32
  wildcard          0.  0. 15. 31
access-list 1 permit 157.89.16.32 0.0.15.31
Warning: Each non-zero value must be ONE LESS than a power of 2
(i.e. one of these: 0, 1, 3, 7, 15, 31, 63, 127, 255)
4. Matching everyone is easy:
Access-list 1 permit any
Or
Access-list 1 permit 0.0.0.0 255.255.255.255
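The arithmetic from the post above, written out as an added Python example (this is not code from the thread, and the function names are this example's own). wildcard_from_mask and wildcard_from_range do the per-octet subtraction exactly as the post does, and octet_rule_ok applies the post's "one less than a power of 2" warning. single_ace_for_block goes one step beyond the post: it checks the whole 32-bit address the way the router compares it, and returns None when the two endpoints are not one contiguous block that a single entry can express. That check passes for 157.89.16.0 to 157.89.31.255 but returns None for 157.89.16.32 to 157.89.31.63, because the entry 157.89.16.32 0.0.15.31 matches addresses whose third octet is 16 to 31 and whose fourth octet is 32 to 63, which is not every address between the two endpoints (157.89.17.0 lies between them but is not matched). Checking that before deploying an entry is a cheap way to avoid permitting or denying something other than what was intended.

```python
import ipaddress
from typing import List, Optional

# Added example, not code from the thread. Inputs below are the post's own
# examples plus a constructed misaligned range (10.0.0.4 to 10.0.0.11).

ONE_LESS_THAN_POWER_OF_TWO = {0, 1, 3, 7, 15, 31, 63, 127, 255}


def octets(dotted_quad: str) -> List[int]:
    """Split a dotted quad into four integers, rejecting anything malformed."""
    parts = [int(o) for o in dotted_quad.split(".")]
    if len(parts) != 4 or any(not 0 <= o <= 255 for o in parts):
        raise ValueError(f"not a dotted quad: {dotted_quad}")
    return parts


def dotted(values) -> str:
    """Join four integers back into a dotted quad."""
    return ".".join(str(v) for v in values)


def wildcard_from_mask(subnet_mask: str) -> str:
    """Step 2 in the post: 255.255.255.255 minus the subnet mask, octet by octet."""
    return dotted(255 - o for o in octets(subnet_mask))


def wildcard_from_range(low: str, high: str) -> str:
    """Step 3 in the post: higher address minus lower address, octet by octet."""
    diff = [h - l for h, l in zip(octets(high), octets(low))]
    if any(d < 0 for d in diff):
        raise ValueError("each octet of high must be >= the same octet of low")
    return dotted(diff)


def octet_rule_ok(wildcard: str) -> bool:
    """The post's warning: every octet must be one less than a power of two."""
    return all(o in ONE_LESS_THAN_POWER_OF_TWO for o in octets(wildcard))


def single_ace_for_block(low: str, high: str) -> Optional[str]:
    """Whole-address check (added here, not stated in the post): the inclusive
    range low..high is one contiguous block that a single 'base wildcard' entry
    can express only if
      (a) high - low == 2**k - 1 for some k, and
      (b) low has zero bits wherever that wildcard has one bits (low & wildcard == 0).
    Returns 'base wildcard', or None when no single entry matches exactly that range."""
    lo = int(ipaddress.IPv4Address(low))
    hi = int(ipaddress.IPv4Address(high))
    diff = hi - lo
    if diff < 0 or diff & (diff + 1) or lo & diff:
        return None
    return f"{low} {ipaddress.IPv4Address(diff)}"


if __name__ == "__main__":
    for mask in ("255.255.255.0", "255.255.255.224", "255.255.192.0", "255.255.255.240"):
        print(f"subnet mask {mask:15} -> wildcard {wildcard_from_mask(mask)}")
    for low, high in (("157.89.16.0", "157.89.31.255"),
                      ("157.89.16.32", "157.89.31.63"),
                      ("10.0.0.4", "10.0.0.11")):
        wc = wildcard_from_range(low, high)
        print(f"{low} - {high}: octet wildcard {wc}, octet rule ok: {octet_rule_ok(wc)}, "
              f"single entry: {single_ace_for_block(low, high)}")
```

Run it as a script to see the post's four subnet examples and two range examples evaluated, or import it and call single_ace_for_block on any range you are about to put into an access list.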
Joe Dali 2004-02-28, 12:17 am
Access List Review
1. IP standard access lists use which of the following as a basis for permitting or denying packets?
A. Source address B. Destination C. Protocol D. Port
2. IP extended access lists use which of the following as a basis for permitting or denying packets?
A. Source address B. Destination address C. Protocol D. Port E. All of the above
3. To specify all hosts in the class B IP network 172.16.0.0, which wildcard access list mask would you use?
A. 255.255.0.0 B. 255.255.255.0 C. 0.0.255.255 D. 0.255.255.255 E. 0.0.0.255
4. Which of the following are valid ways to refer only to host 172.16.30.55 in an IP access list?
A. 172.16.30.55 0.0.0.255 B. 172.16.30.55 0.0.0.0 C. any 172.16.30.55 D. host 172.16.30.55 E. 0.0.0.0 172.16.30.55 F. ip any 172.16.30.55
5. Which of the following access lists will allow only WWW traffic into network 196.15.7.0?
A. access-list 100 permit tcp any 196.15.7.0 0.0.0.255 eq www B. access-list 10 deny tcp any 196.15.7.0 eq www C. access-list 100 permit 196.15.7.0 0.0.0.255 eq www D. access-list 10 permit tcp any 196.15.7.0 0.0.0.255 E. access-list 10 permit www 196.15.7.0 0.0.0.255
6. Which of the following will show which ports have IP access lists applied?
A. show ip port B. show access-list C. show ip interface D. show access-list interface E. show running config
7. What is the IP extended list range?
A. 1-99 B. 200-299 C. 1000-1999 D. 100-199
8. Which of the following commands is valid for creating an extended IP access list?
A. access-list 101 permit ip host 172.16.30.0 any eq 21 B. access-list 101 permit tcp host 172.16.30.0 any eq 21 C. access-list 101 permit icmp 172.16.30.0 any ftp D. access-list 101 permit ip any eq 172.16.30.0 21
9. Which access configuration allows only traffic from network 172.16.0.0 to enter int s0?
A. access-list 10 permit 172.16.0.0 0.0.255.255, int s0, ip access-list 10 in B. access-group 10 permit 172.16.0.0 0.0.255.255, int s0, ip access-list 10 out C. access-list 10 permit 172.16.0.0 0.0.255.255, int s0, ip access-group 10 in D. access-list 10 permit 172.16.0.0 0.0.255.255, int s0, ip access-group 10 out
10. In an IP access list, you want to refer to host 172.16.50.1. What mask would you use to make the list as specific as possible?
A. 255.255.0.0 B. 0.0.0.0 C. 0.0.255.255 D. 0.255.255.255
dmaftei 2004-02-28, 11:18 am
quote: Originally posted by Joe Dali
We all know the rules and seen the literature on how to do wild card masks:
You think so? Here's a problem for you:
Write an access list that matches only odd-numbered addresses on 192.168.1.0/24 (i.e., matches 192.169.1.1, 192.168.1.3, etc.)
worrywarm 2004-02-28, 11:31 am
Good Summary!
Got answers for those questions?
Joe Dali 2004-02-28, 12:45 pm
Just leading to the water, not offering a cup to drink out of ... I'm just sharing interesting stuff I'm finding as I continue my studies.
Pix boy is on his way to attach 501 to my cable network. Anyone have a PIX 501 config for use with broadband cable?
I'm gonna search now ...
Thanks
JoeDali
quote: You think so? Here's a problem for you:
Write an access list that matches only odd-numbered addresses on 192.168.1.0/24 (i.e., matches 192.169.1.1, 192.168.1.3, etc.)
My guess would be
access-list 10 permit 192.168.1.0 0.0.0.1
Hope you don't mind my taking a stab at it. I am studying for CCNA.
edmonds_robert 2004-02-28, 10:52 pm
quote: Originally posted by dmaftei
Write an access list that matches only odd-numbered addresses on 192.168.1.0/24 (i.e., matches 192.169.1.1, 192.168.1.3, etc.)
How about 192.168.1.1 0.0.0.254?
boyam 2004-02-28, 11:51 pm
quote: How about 192.168.1.1 0.0.0.254?
I had to redo my math, but edmonds_robert, you are correct.
A little explanation here. In a wildcard mask, the least significant bits or the bits you don't care about will be represented by ones. Most significant bits or the bits you need to match will be represented by zeros. In this case, your bits in the last octet should be 11111110. That last zero tells you that there must be a 1 in this bit position to make this match true. The 1's in this octet mean you don't care or disregard these bit positions.
Thanks edmonds_robert for clearing me up. I hastily wrote my answer even though I knew what the bit placements meant.
Maybe this will help someone struggling with wildcard mask in access-list.