3341 Views, 0 Helpful, 7 Replies

Wildcard mask and ACL question

dannan lin (Level 1)

Hi,

I would like to know if I can use a wildcard mask to filter certain networks.

For example:

192.168.0.0/30

192.168.0.4/30

192.168.0.8/30

192.168.0.12/30

If I only want to block the 192.168.0.8 and 192.168.0.12/30 networks, without writing two ACLs, can I simply use a wildcard mask to filter the matching bits?

00000000

00000100

00001000

00001100

I have tried, but it seemed I could not do this using a wildcard mask. Can anyone kindly explain why?

Much appreciated.


7 Replies

Richard Burts (Hall of Fame)

This should be possible. Perhaps you can post what you tried.

The key is to remember that in the mask the 0 bit shows a bit position that must match and a 1 bit is a bit that does not have to match. When you look at the binary for 8 and 12 there is one bit that varies and all the others are the same. So all the bits but one will be 0. Try using the mask 00000100. It should match 8 and 12 and nothing else.

HTH

Rick


Hi Richard,

Thanks for your help. I have tried your method, but it seemed something was wrong with my configuration.

Here is my scenario.

I wanted to block traffic from

192.168.0.14/30 and 192.168.0.10/30 to reach R1, which is 10.10.10.11/24.

My access-list:

    Router(config)#do show acce
    Standard IP access list 1
        deny 192.168.0.8 0.0.0.4
        permit any (8 match(es))

I applied the access-list on f1/0 of R0:

    interface FastEthernet1/0
     ip address 10.10.10.10 255.255.255.0
     ip access-group 1 out
     duplex auto
     speed auto

If I used 192.168.0.8 with wildcard 0.0.0.3, I would block all traffic from the 192.168.0.8/30 network, but if I used 192.168.0.8 with wildcard 0.0.0.4, the access-list did not block any traffic. I wonder why???

Thanks for your help.

OK. Both Soroush and I misunderstood what you are trying to accomplish. We understood your question to be about how to block the network ID, and we both came up with the same solution/same mask, which would block those network IDs. But your explanation here makes it clear that you want to block the hosts within those networks. So the mask calculation that we suggested was not correct for your purposes. To block the hosts of those two networks, try an access list that looks like this:

Standard IP access list 1

    deny 192.168.0.8 0.0.0.7

Give that a try and let us know how it works.

HTH

Rick


smehrnia (Level 7)

Hi dannan,

It is kind of important what you put as the reference IP, and of course the proper wildcard, because the wildcard is matched against the IP you put there.

In your case, in order to filter .8 and .12 (let's do the binary):

12 = 00001100

8   = 00001000

Now you have to choose the permanent bits for your application and the variable ones. Result: 00000100.

And you have to use it with: IP 192.168.0.8, wildcard 0.0.0.4.

Please rate if it helped.

Hope it helps!

Soroush.

Hi soroushm,

Thanks for your reply, but I have tried using 192.168.0.8 with wildcard 0.0.0.4, and it did not work as expected.

My access-list:

    Router(config)#do show acce
    Standard IP access list 1
        deny 192.168.0.8 0.0.0.4
        permit any (8 match(es))

I applied the access-list on f1/0 of R0:

    interface FastEthernet1/0
     ip address 10.10.10.10 255.255.255.0
     ip access-group 1 out
     duplex auto
     speed auto

I have no idea what went wrong. Please help me out here; sorry for being a newbie.

Thanks.

Just like Rick pointed out, we didn't account for the lower 2 bits (host IDs) in your /30 addressing scheme. Try Rick's and see if it works! Wildcard 0.0.0.7.

CheerZ

Hope it helps!

Soroush.

Thank you guys. Your help is much appreciated.