Access Control List Help

Capodecina (Permabanned, joined 31 Dec 2003, 5,172 posts, Barrow-In-Furness)
Just a quick check, I'm trying to deny traffic to a single address; is this wildcard correct?

deny 172.30.0.1 0.0.0.254 out
 
I thought that at first and then decided to do the 254 for some reason.

If I did .254 it would just deny all addresses in the last octet that are odd?

I'll check the link out now thanks.
 
Cheers.

I really need to properly get my head round this, I've worked it out a few times then left it for too long before looking at it and I have to start again ha-ha ;D
 
OK, can you check another I've just made up now?

Trying to allow 172.16.16.0/21

allow 172.16.16.0 - 0.0.23.255

That should allow the entire subnet for 172.16.16.0 yeah?

I'm going to try to find an ACL calculator that would help make sure I'm doing them correctly.
 
I'm not so sure that calculator is correct; it's giving me the same wildcard mask if I try to allow 172.16.16.24 or 172.16.56.0.

Actually it's giving me the 0.0.7.255 wildcard mask for every address (yeah, I am clicking off so it refreshes).
 
I think I'm understanding what I've got wrong in my head. I'll change the scenario and try to come up with a couple of new ones; if you don't mind I'll post again in a few minutes.
 
Ok...

Subnet: 172.16.16.0/20
Mask: 255.255.240.0

allow 172.16.16.0 - 0.0.15.255

Your last post really helped, thanks a lot. When I was trying to work out the wildcard I wasn't thinking about checking the bits for the hosts, I was trying to check the bits for the subnet for some reason, forgetting that you actually GIVE the subnet before your wildcard...

I was trying to do the same thing as stating the network does, if you get me?

Now give me a minute, I'll try to break it down to specify a range of hosts lol
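The /21 and /20 figures above come down to one rule: the wildcard is the bitwise inverse of the subnet mask, and an address matches an entry when every bit that is 0 in the wildcard equals the corresponding bit of the base address. As an added example (not code from this thread), the Python below derives a wildcard from a prefix length, reports whether a wildcard is one contiguous run of low 1-bits, and checks an address against a base/wildcard pair. It uses only the standard library and the thread's own numbers; the guess 0.0.23.255 is included to show what a wildcard with scattered 1-bits does.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def prefix_to_wildcard(prefix_len: int) -> str:
    """Wildcard mask for a /prefix_len network: the bitwise inverse of the
    subnet mask. /21 -> mask 255.255.248.0 -> wildcard 0.0.7.255."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    subnet_mask = (ALL_ONES << (32 - prefix_len)) & ALL_ONES
    return str(ipaddress.IPv4Address(subnet_mask ^ ALL_ONES))


def wildcard_to_prefix(wildcard: str):
    """Prefix length when the wildcard's 1-bits form one contiguous low run,
    or None when they are scattered (legal in an ACL, but such an entry does
    not describe a single subnet)."""
    w = int(ipaddress.IPv4Address(wildcard))
    if (w + 1) & w:            # w + 1 is a power of two only for 0, 1, 3, 7, 15, ...
        return None
    return 33 - (w + 1).bit_length()


def matches(address: str, base: str, wildcard: str) -> bool:
    """True if address falls under the entry 'base wildcard'. Each 1-bit in the
    wildcard is a don't-care position; every 0-bit must equal the base."""
    a = int(ipaddress.IPv4Address(address))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ b) & ~w & ALL_ONES) == 0


if __name__ == "__main__":
    # Figures taken from the thread: the /21 and /20 networks and the 0.0.23.255 guess.
    print("/21 ->", prefix_to_wildcard(21))                    # 0.0.7.255
    print("/20 ->", prefix_to_wildcard(20))                    # 0.0.15.255
    print("0.0.15.255 is /", wildcard_to_prefix("0.0.15.255"))  # 20
    print("0.0.23.255 is /", wildcard_to_prefix("0.0.23.255"))  # None: 1-bits not contiguous
    for host in ("172.16.31.255", "172.16.32.0"):
        print(host, "under 172.16.16.0 0.0.15.255:",
              matches(host, "172.16.16.0", "0.0.15.255"))       # True, then False
    # With the scattered wildcard an address outside 172.16.16.0/21 still matches.
    print("172.16.3.0 under 172.16.16.0 0.0.23.255:",
          matches("172.16.3.0", "172.16.16.0", "0.0.23.255"))   # True
```

The last line is the practical check: a wildcard whose 1-bits are not one contiguous run matches more than one block of addresses, so an entry meant for a single subnet should always pass `wildcard_to_prefix` before it goes into the list.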
 
So if I want to allow 172.16.16.0 to 172.16.24.255, effectively allowing only the lower half of the subnet... would the wildcard be...

0.0.31.255

OR

0.0.127.255

I came up with .31 first but it would allow other subnets too (or wouldn't it because of the first part of my statement which specifies the 172.16.16.0 subnetwork?)
 
I'm struggling to understand how you've got that 8; if you have the time and feel like being helpful could you draw something in Paint or whatever (I'm a massively visual person so I draw all of this out when I'm doing it....)
 
I understand how to get the wildcard for allowing an entire network.

I'm just struggling with splitting it up when trying to allow a range of hosts. I'll show you how I work out the wildcard and then maybe you'll be able to see.
 
I'll upload a picture of the spreadsheet when I get home in about 30 minutes; it shows quite clearly how I go about working it out and how I've been laying things out to try to work out the wildcard.

Cheers for the help so far :)
 
Well here's the image...

acl.jpg


And if you'd rather just have the spreadsheet it's here..

www.wildcut.co.uk/ACL.xls
 
Think I might have got this...

172.16.0.0/22 (255.255.252.0)

Allow first half of addresses in this subnet (so 172.16.20.0 to 172.16.22.127)

permit 172.16.20.0 0.0.2.127

?!?!?

Any joy?
 
The first line is just showing the network and subnet mask, that's all.... nothing to do with ranges or anything

Ahh that does make sense, I did think you couldn't have random ones thrown in but just went with it anyway.

I think I've sussed this now.. I'll make up another random scenario and post it :)

----EDIT----


Argghhh what the hell.

He got in there with a swift edit haha!
 
YES! Got it!

Sorry for the late reply, was busy last night/this morning.
What made it 'click'?

//TrX

Not sure mate, your posts really did help.

I just drew the octets out in binary in a table like I showed in that picture and Excel spreadsheet.

Then I realised that it's the combination of the network address and the wildcard which determines the hosts. I was trying to do some kind of deranged thing with both of them.

I'll make one more to check...
 
Ok I went for a slightly more complicated one.

10.0.0.0/13 (255.248.0.0)

Allow range 10.16.0.0 to 10.20.255.127

Wildcard = 0.3.255.127??
 
Don't think so,
The range/netmask you have specified gives
10.0.0.0 - 10.7.255.255 addresses (network address 10.0.0.0, bcast 10.7.255.255)
with a full ACL mask of 0.7.255.255

So your allow range would be completely outside the range of the supernet itself.

//TrX



Trying to allow 10.16.0.0/13 to 10.20.255.127/13

allow 10.16.0.0 - 0.4.255.127?
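Both half-subnet questions in this thread (172.16.20.0 to 172.16.22.127, and 10.16.0.0 to 10.20.255.127) come down to the same thing: a base/wildcard entry matches a set of addresses that is fixed by its bit pattern, and an arbitrary first-to-last range usually needs more than one entry. As an added example, not code from this thread, the Python below works in both directions: `ace_ranges` expands an entry into the exact address ranges it matches (a scattered wildcard such as 0.0.2.127 produces several separate pieces), and `range_to_aces` decomposes a range into the smallest list of entries with contiguous wildcards. Standard library only; the addresses are the thread's own.

```python
from __future__ import annotations

import ipaddress

ALL_ONES = 0xFFFFFFFF


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _to_str(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def ace_ranges(base: str, wildcard: str) -> list[tuple[str, str]]:
    """Every contiguous address range matched by the entry 'base wildcard'.

    Wildcard 1-bits are don't-care positions. The low contiguous run of 1-bits
    sets the size of each range; every 1-bit above that run (a scattered
    wildcard such as 0.0.2.127) doubles the number of separate ranges rather
    than widening one of them."""
    b, w = _to_int(base), _to_int(wildcard)
    fixed = b & ~w & ALL_ONES            # base with every don't-care bit cleared
    run = 0                              # length of the low run of 1-bits
    while run < 32 and (w >> run) & 1:
        run += 1
    span = (1 << run) - 1
    high_free = [i for i in range(run, 32) if (w >> i) & 1]
    ranges = []
    for combo in range(1 << len(high_free)):
        start = fixed
        for k, bit in enumerate(high_free):
            if (combo >> k) & 1:
                start |= 1 << bit
        ranges.append((start, start | span))
    ranges.sort()
    return [(_to_str(s), _to_str(e)) for s, e in ranges]


def range_to_aces(first: str, last: str) -> list[tuple[str, str]]:
    """Smallest list of (base, wildcard) entries, each with a contiguous
    wildcard, that together match exactly the addresses first..last.

    Greedy: from the current start take the largest aligned power-of-two
    block that does not run past 'last', then continue after it."""
    lo, hi = _to_int(first), _to_int(last)
    if lo > hi:
        raise ValueError("first address must not be above last")
    aces = []
    while lo <= hi:
        size = 1
        while (size * 2 <= 1 << 32 and lo % (size * 2) == 0
               and lo + size * 2 - 1 <= hi):
            size *= 2
        aces.append((_to_str(lo), _to_str(size - 1)))
        lo += size
    return aces


if __name__ == "__main__":
    print(ace_ranges("172.16.20.0", "0.0.2.127"))    # two separate 128-host pieces
    print(ace_ranges("172.16.16.0", "0.0.15.255"))   # the whole /20 as one range
    print(range_to_aces("172.16.20.0", "172.16.22.127"))
    for base, wc in range_to_aces("10.16.0.0", "10.20.255.127"):
        print(f"permit {base} {wc}")
```

Running it shows that `172.16.20.0 0.0.2.127` matches 172.16.20.0-127 and 172.16.22.0-127 but nothing in 172.16.21.x, while the range 172.16.20.0 to 172.16.22.127 needs two entries (`172.16.20.0 0.0.1.255` and `172.16.22.0 0.0.0.127`); the range ending in 10.20.255.127 takes ten entries because its last address does not sit on a power-of-two boundary.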
 