











Joe Dali
Senior Member M

Registered: Oct 2000 Location: Mars Country: United States State: Certifications: MCSE, MCSA, MCP+i Working on:
Total Posts: 161
Must Know! access-list Wildcards
We all know the rules and have seen the literature on how to do wildcard masks:
The 32 bit wildcard mask consists of 1’s and 0’s
1 = ignore this bit
0 = check this bit
Yada, yada, yada………
BUT MOST OF THE TIME WE WANT TO DO ONE OF THESE THREE THINGS:
1. MATCH A HOST
2. MATCH AN ENTIRE SUBNET
3. MATCH A RANGE
or
4. MATCH EVERYONE
Here are the easy ways to do that
1. How to match an individual host
All wildcard mask bits are zeros
For Standard Access-list
Access-list 1 permit 157.89.8.9 0.0.0.0
Access-list 1 permit 157.89.8.9 (standard access lists assume a 0.0.0.0 mask)
For Extended Access-lists
Access-list 101 permit ip 157.89.8.9 0.0.0.0 any
Access-list 101 permit ip host 157.89.8.9 any
2. How to match an Entire Subnet
Wildcard mask = 255.255.255.255 – subnet mask
Example 1
Given 3.2.4.0 subnet mask 255.255.255.0
255.255.255.255
- subnet mask 255.255.255. 0
Wildcard mask 0. 0. 0.255
Answer:
Access-list 1 permit 3.2.4.0 0.0.0.255
Example 2
Given 111.2.4.112 subnet mask 255.255.255.224
255.255.255.255
- subnet mask 255.255.255.224
Wildcard mask 0. 0. 0. 31
Answer:
Access-list 1 permit 111.2.4.112 0.0.0.31
Example 3
Given 3.2.128.0 subnet mask 255.255.192.0
255.255.255.255
- subnet mask 255.255.192. 0
Wildcard mask 0. 0. 63.255
Answer:
Access-list 1 permit 3.2.128.0 0.0.63.255
Example 4
Given 203.2.4.128 subnet mask 255.255.255.240
255.255.255.255
- subnet mask 255.255.255.240
Wildcard mask 0. 0. 0. 15
Answer:
Access-list 1 permit 203.2.4.128 0.0.0.15
THAT'S IT..... COOL!
3. How to Match a range
(Works when the range is an entire subnet)
Match the range
157. 89. 16.0 – 157. 89. 31.255
To Find Wildcard Mask, Take the HIGHER minus the Lower:
157. 89. 31.255
-157. 89. 16. 0
wildcard 0. 0. 15.255
access-list 1 permit 157.89.16.0 0.0.15.255
Warning: Each non-zero value must be ONE LESS than a power of 2
(i.e. one of these: 0, 1, 3, 7, 15, 31, 63, 127, 255)
Match the range
157. 89. 16. 32 – 157. 89. 31. 63
To Find Wildcard Mask, Take the HIGHER minus the Lower:
157. 89. 31. 63
-157. 89. 16. 32
wildcard 0. 0. 15. 31
access-list 1 permit 157.89.16.32 0.0.15.31
Warning: Each non-zero value must be ONE LESS than a power of 2
(i.e. one of these: 0, 1, 3, 7, 15, 31, 63, 127, 255)
4. Matching everyone is easy:
Access-list 1 permit any
Or
Access-list 1 permit 0.0.0.0 255.255.255.255
02-28-04 04:47 AM
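As an added example (my own code, not part of Joe Dali's post), the three rules above worked in Python with only the standard-library ipaddress module. The function names are mine. Besides rule 2 (wildcard = 255.255.255.255 - subnet mask) and rule 3 (wildcard = higher - lower, with the per-octet "one less than a power of 2" warning as a check), it adds the thing a practitioner wants to see: what an entry really covers. A wildcard bit of 1 means the router ignores that bit, so if the address you write has a 1 in an ignored position, the entry covers the aligned block containing that address, not a block starting at it; `entry_summary` reports the canonical base, the number of addresses matched, and whether the address given was already aligned.

```python
# Added example (not from the forum post): wildcard-mask arithmetic for
# Cisco-style standard access lists, using only the standard library.
# Function names are my own; the sample values are the ones in the post.
import ipaddress


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def wildcard_from_subnet_mask(subnet_mask: str) -> str:
    """Rule 2 from the post: wildcard = 255.255.255.255 - subnet mask."""
    return _to_dotted(0xFFFFFFFF - _to_int(subnet_mask))


def range_is_wildcard_block(low: str, high: str) -> bool:
    """The post's warning, checked per octet: every octet of (high - low)
    must be one less than a power of two (0, 1, 3, 7, ..., 255)."""
    diff = _to_int(high) - _to_int(low)
    if diff < 0:
        return False
    # v & (v + 1) == 0 exactly when v's set bits are a contiguous low run.
    return all((int(o) & (int(o) + 1)) == 0 for o in _to_dotted(diff).split("."))


def wildcard_from_range(low: str, high: str) -> str:
    """Rule 3 from the post: wildcard = higher address - lower address."""
    if not range_is_wildcard_block(low, high):
        raise ValueError(f"{low}-{high} cannot be expressed with one wildcard")
    return _to_dotted(_to_int(high) - _to_int(low))


def entry_summary(address: str, wildcard: str):
    """What 'permit <address> <wildcard>' really covers: the canonical base
    (address with every 'don't care' bit cleared), the number of addresses
    matched, and whether the address given was already that base."""
    a, w = _to_int(address), _to_int(wildcard)
    base = a & ~w                      # clear every bit the router ignores
    count = 1 << bin(w).count("1")     # one address per combination of ignored bits
    return _to_dotted(base), count, base == a


if __name__ == "__main__":
    for mask in ("255.255.255.0", "255.255.255.224", "255.255.192.0", "255.255.255.240"):
        print(mask, "->", wildcard_from_subnet_mask(mask))
    print("157.89.16.0-157.89.31.255 ->", wildcard_from_range("157.89.16.0", "157.89.31.255"))
    for addr, wc in (("3.2.4.0", "0.0.0.255"), ("111.2.4.112", "0.0.0.31")):
        print(f"permit {addr} {wc} ->", entry_summary(addr, wc))
```

Running it on the post's own values, `entry_summary("111.2.4.112", "0.0.0.31")` returns `("111.2.4.96", 32, False)`: the entry matches 32 addresses starting at .96, because .112 has a 1 in a bit that 0.0.0.31 tells the router to ignore. That alignment check is worth building into any ACL review tooling, since a misaligned entry silently permits addresses the author did not list.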
Joe Dali
Senior Member M

Registered: Oct 2000 Location: Mars Country: United States State: Certifications: MCSE, MCSA, MCP+i Working on:
Total Posts: 161
Access List Review
1. IP standard access lists use which of the following as a basis for permitting or denying packets?
A. Source address B. Destination C. Protocol D. Port
2. IP extended access lists use which of the following as a basis for permitting or denying packets?
A. Source address B. Destination address C. Protocol D. Port E. All of the above
3. To specify all hosts in the class B IP network 172.16.0.0, which wild card access list mask would you use?
A. 255.255.0.0 B. 255.255.255.0 C. 0.0.255.255 D. 0.255.255.255 E. 0.0.0.255
4. Which of the following are valid ways to refer only to host 172.16.30.55 in an IP access list?
A. 172.16.30.55 0.0.0.255 B. 172.16.30.55 0.0.0.0 C. any 172.16.30.55 D. host 172.16.30.55 E. 0.0.0.0 172.16.30.55 F. ip any 172.16.30.55
5. Which of the following access lists will allow only WWW traffic into network 196.15.7.0?
A. access-list 100 permit tcp any 196.15.7.0 0.0.0.255 eq www B. access-list 10 deny tcp any 196.15.7.0 eq www C. access-list 100 permit 196.15.7.0 0.0.0.255 eq www D. access-list 10 permit tcp any 196.15.7.0 0.0.0.255 E. access-list 10 permit www 196.15.7.0 0.0.0.255
6. Which of the following will show which ports have IP access lists applied?
A. show ip port B. show access-list C. show ip interface D. show access-list interface E. show running config
7. What is the IP extended list range?
A. 1-99 B. 200-299 C. 1000-1999 D. 100-199
8. Which of the following commands is valid for creating an extended IP access list?
A. access-list 101 permit ip host 172.16.30.0 any eq 21 B. access-list 101 permit tcp host 172.16.30.0 any eq 21 C. access-list 101 permit icmp 172.16.30.0 any ftp D. access-list 101 permit ip any eq 172.16.30.0 21
9. Which access configuration allows only traffic from network 172.16.0.0 to enter int s0?
A. access-list 10 permit 172.16.0.0 0.0.255.255, int s0, ip access-list 10 in B. access-group 10 permit 172.16.0.0 0.0.255.255, int s0, ip access-list 10 out C. access-list 10 permit 172.16.0.0 0.0.255.255, int s0, ip access-group 10 in D. access-list 10 permit 172.16.0.0 0.0.255.255, int s0, ip access-group 10 out
10. In an IP access list, you want to refer to host 172.16.50.1. What mask would you use to make the list as specific as possible?
A. 255.255.0.0 B. 0.0.0.0 C. 0.0.255.255 D. 0.255.255.255
02-28-04 05:17 AM
dmaftei
Senior Member M
Registered: Nov 2000 Location: Country: USA State: Certifications: none Working on: none
Total Posts: 2156
Re: Must Know! access-list Wildcards
quote: Originally posted by Joe Dali
We all know the rules and have seen the literature on how to do wildcard masks:
You think so? Here's a problem for you:
Write an access list that matches only odd-numbered addresses on 192.168.1.0/24 (i.e., matches 192.169.1.1, 192.168.1.3, etc.)
__________________
BSEE, MSCS
www.maftei.net
02-28-04 04:18 PM
worrywarm
Senior Member F
Registered: Feb 2004 Location: Country: United States State: MO Certifications: Working on:
Total Posts: 169
02-28-04 04:31 PM
Joe Dali
Senior Member M

Registered: Oct 2000 Location: Mars Country: United States State: Certifications: MCSE, MCSA, MCP+i Working on:
Total Posts: 161
Just leading to the water, not offering a cup to drink out of ... I'm just sharing interesting stuff I'm finding as I continue my studies.
Pix boy is on his way to attach 501 to my cable network. Anyone have a PIX 501 config for use with broadband cable?
I'm gonna search now ...
Thanks
JoeDali
02-28-04 05:45 PM
boyam
Junior Member M
Registered: Jan 2004 Location: Country: United States State: Certifications: None Working on: CCNA
Total Posts: 29
quote: You think so? Here's a problem for you:
Write an access list that matches only odd-numbered addresses on 192.168.1.0/24 (i.e., matches 192.169.1.1, 192.168.1.3, etc.)
My guess would be
access-list 10 permit 192.168.1.0 0.0.0.1
Hope you don't mind my taking a stab at it. I am studying for CCNA.
__________________
Boyam
02-29-04 02:32 AM
edmonds_robert
Senior Member M

Registered: Sep 2002 Location: Country: United States State: Certifications: MCSE, CCNA, CCA Working on: CCNP, MCSE 2000, Linux+, Playstation 2+
Total Posts: 367
Re: Re: Must Know! access-list Wildcards
quote: Originally posted by dmaftei
Write an access list that matches only odd-numbered addresses on 192.168.1.0/24 (i.e., matches 192.169.1.1, 192.168.1.3, etc.)
How about 192.168.1.1 0.0.0.254?
__________________
Save the animals. Eat a vegetarian.
02-29-04 03:52 AM
boyam
Junior Member M
Registered: Jan 2004 Location: Country: United States State: Certifications: None Working on: CCNA
Total Posts: 29
quote: How about 192.168.1.1 0.0.0.254?
I had to redo my math, but edmonds_robert, you are correct.
A little explanation here. In a wildcard mask, the least significant bits, or the bits you don't care about, will be represented by ones. Most significant bits, or the bits you need to match, will be represented by zeros. In this case, your bits in the last octet should be 11111110. That last zero tells you that there must be a 1 in this bit position to make this match true. The 1's in this octet mean you don't care about or disregard these bit positions.
Thanks edmonds_robert for clearing me up. I hastily wrote my answer even though I knew what the bit placements meant.
Maybe this will help someone struggling with wildcard masks in access lists.
__________________
Boyam
02-29-04 04:51 AM
ExamNotes forum archive