Cisco Support Community
Community Member

ACL and Wildcard Confusion!

Hi..

I thought I knew this stuff, but now am unsure! :(

If someone could let me know if I'm on the right track and/or provide insight, it would be appreciated.

I created the following extended ACL:

access-list 105 deny ip 172.16.0.0 0.31.255.255 any

access-list 105 permit ip any any

The net effect I want is to allow all traffic except 172.[16-31].*.*. I know the wildcard is a calculation of bits, but am now unsure if I've done this correctly.

Can anyone shed some light and/or post the correct command? Also, I'm interested in a link to a "wildcard mask calculation" URL if anyone has one handy.

Thanks very much!

Darren.

dbroder@capcollege.bc.ca

1 ACCEPTED SOLUTION
Community Member

Re: ACL and Wildcard Confusion!

16 00010000

31 00011111

See, the first 4 bits are the same, and the last 4 bits are different. So the net is 00010000, and the wildcard is 00001111.

so your access-list should be

deny 172.16.0.0 0.15.255.255

permit ip any any

for practice, you can try,

192.168.1.0 2.0 3.0 to 10.0

then filter only the even or odd ones, or only 3.0, 4.0, 5.0, etc.

9 REPLIES
Community Member

Re: ACL and Wildcard Confusion!

Thanks!

And to continue this thinking, if I wanted to deny 172.[0-31].*.*, I would use:

0 00000000

31 00011111

deny 172.0.0.0 0.31.255.255

..so my original post of:

deny 172.16.0.0 0.31.255.255

..is syntactically incorrect, as you would never have that combination.

I'm guessing that the real 'key' here is to figure out which bits in your range 'stay the same' and this is your network. And then sum up the bits that 'change' and that's your wildcard mask.

Darren

dbroder@capcollege.bc.ca

Community Member

Re: ACL and Wildcard Confusion!

I'd like to give you one more example.

from 172.16.0.0 to 172.31.0.0, only deny or permit 4 networks, they are

172.16.0.0

172.17.0.0

172.18.0.0

172.19.0.0

Do you know how to do that?

Please post your answer.

Cisco Employee

Re: ACL and Wildcard Confusion!

deny (or permit) 172.16.0.0 0.3.255.255 should do it.

Hope this helps,

Harold Ritter
Sr. Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
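An added example, not code from the thread or from Cisco, that does the bit work the accepted answer describes by hand: it derives the network/wildcard pair for an address range (the 172.16-31 case from the question, the 172.0-31 follow-up, and the 172.16-19 exercise answered above), and shows what an entry really matches, so you can check whether a wildcard you typed covers more than you intended. All addresses are the ones from the thread; the function names are my own.

```python
import ipaddress

MASK32 = 0xFFFFFFFF

def _int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def _str(value: int) -> str:
    return str(ipaddress.IPv4Address(value & MASK32))

def wildcard_for_range(first: str, last: str) -> tuple[str, str]:
    """Return (network, wildcard) for the single ACL entry covering first..last.

    Bits that are identical in both addresses stay fixed (the network part).
    From the highest differing bit downward every bit becomes a 'don't care'
    bit, i.e. a 1 in the wildcard.  Compare effective_range() of the result
    with what you asked for: a range that is not aligned on a power-of-two
    boundary can only be covered by an entry that matches more than intended.
    """
    lo, hi = _int(first), _int(last)
    if lo > hi:
        raise ValueError("first address must not be above last")
    span = 0
    while span < (lo ^ hi):          # smallest 2**n - 1 covering every differing bit
        span = (span << 1) | 1
    return _str(lo & ~span), _str(span)

def effective_range(network: str, wildcard: str) -> tuple[str, str]:
    """Lowest and highest address an entry matches: any bit of 'network' that
    sits under a 1 in the wildcard is ignored by the comparison."""
    net, wc = _int(network), _int(wildcard)
    low = net & ~wc                  # every don't-care bit cleared ...
    return _str(low), _str(low | wc)  # ... and every don't-care bit set

def acl_matches(network: str, wildcard: str, addr: str) -> bool:
    """Wildcard matching rule: compare only bit positions where the wildcard is 0.
    Works for non-contiguous wildcards (e.g. 0.0.8.255) as well."""
    care = ~_int(wildcard) & MASK32
    return (_int(addr) & care) == (_int(network) & care)

if __name__ == "__main__":
    # The three ranges discussed in the thread.
    print(wildcard_for_range("172.16.0.0", "172.31.255.255"))  # ('172.16.0.0', '0.15.255.255')
    print(wildcard_for_range("172.0.0.0", "172.31.255.255"))   # ('172.0.0.0', '0.31.255.255')
    print(wildcard_for_range("172.16.0.0", "172.19.255.255"))  # ('172.16.0.0', '0.3.255.255')
    # What the original entry 172.16.0.0 0.31.255.255 actually covers.
    print(effective_range("172.16.0.0", "0.31.255.255"))       # ('172.0.0.0', '172.31.255.255')
    print(acl_matches("172.16.0.0", "0.15.255.255", "172.40.1.1"))  # False
```

The effective_range check is the one worth running on any deny entry before it goes on a router: the original post's entry silently denies 172.0.0.0 through 172.15.255.255 as well.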
Community Member

Re: ACL and Wildcard Confusion!

haha,

Hritter, why do you answer it?

Meanwhile, I guess some stupid guys thought out lots of tricky access-list, just like

123.85.23.0

45.29.134.0

86.132.29.0

......

(only example, maybe no answer)

and use the minimum number of lines.

I think that is stupid.

In a real network there are no such networks, and even if there were, nobody would use one or two lines to configure that.

haha

Cisco Employee

Re: ACL and Wildcard Confusion!

Just saw the question and didn't really read the whole thread ;o)

Harold Ritter
Community Member

Re: ACL and Wildcard Confusion!

Are you always online?

You gave me a lot of help before, thanks.

Cisco Employee

Re: ACL and Wildcard Confusion!

I spend too much time online. I have no life ;o)

Always a pleasure to help.

Harold Ritter
Community Member

Re: ACL and Wildcard Confusion!

For me, I bought a good LCD monitor, the best mouse and the best keyboard, so I'm ready to surf.

Right now the second finger of my right hand is always shaking, so I have to use my left hand, and my back is sore. That is a part of CCIE preparation.

In my opinion, online is a part of life too. But treat yourself better, don't stare at the screen all day.

For me, there is no life online now. It is really difficult to prepare for it.

Thanks again.
