Access Control List Help

Capodecina
Just a quick check, I'm trying to deny traffic to a single address. Is this wildcard correct?

deny 172.30.0.1 0.0.0.254 out
 
I thought that at first and then decided to do the 254 for some reason.

If I did .254 it would just deny all addresses in the last octet that are odd?

I'll check the link out now thanks.
 
0.0.0.255 would allow 172.30.1.X (0 to 255)

0.0.0.254 would allow anything from 172.30.1.0 to 172.30.1.254 to be blocked. But would allow 172.30.1.255 (subnet broadcasts)

//TrX
 
Cheers.

I really need to properly get my head round this. I've worked it out a few times, then left it for too long before looking at it again and I have to start over, ha-ha ;D
 
Know the feeling, certain things just don't stay in my head, but the Cisco doc covers it pretty well.

//TrX
 
Ok, can you check another one I've just made up now?

Trying to allow 172.16.16.0/21

allow 172.16.16.0 - 0.0.23.255

That should allow the entire subnet for 172.16.16.0 yeah?

I'm going to try to find an ACL calculator that would help make sure I'm doing them correctly.
 
Not quite, it doesn't work quite so literally in the third octet, as the mask is the number of bits in that octet you care about.

Basically taking your netmask and subtracting by 255.255.255.255 will give you the wildcard 'inverse' ACL mask

so for 172.16.16.0/21 (172.16.16.0/255.255.248.0)
=
255.255.248.0
-
255.255.255.255
=
0.0.7.255

Which will allow the full supernet range:
172.16.16.0 - 172.16.23.255

Hope this helps.
And if you want to double check in future.. this tool is damn useful.
http://www.subnet-calculator.com/cidr.php
;)

//TrX
 
I'm not so sure that calculator is correct, it's giving me the same wildcard mask if I try to allow 172.16.16.24 or 172.16.56.0....

Actually it's giving me the 0.0.7.255 wildcard mask for every address (yeah, I am clicking off so it refreshes).
 
That's because you are still looking at a 255.255.248.0 supernet mask (/21), and so you will still need to be looking at the same number of bits in the third octet whether you are using a 172.16.16.0 range or a 172.16.56.0 range (172.16.56.0 - 172.16.63.255).

It's still the 7 least significant bits of the third octet of the address you are using to define the hosts.

//TrX
 
I think I'm understanding what I've got wrong in my head. I'll change the scenario and try to come up with a couple of new ones; if you don't mind I'll post again in a few minutes....
 
Ok...

Subnet: 172.16.16.0/20
Mask: 255.255.240.0

allow 172.16.16.0 - 0.0.15.255

Your last post really helped thanks a lot. When I was trying to work out the wildcard I wasn't thinking about checking the bits for the hosts, I was trying to check the bits for the subnet for some reason, forgetting that you actually GIVE the subnet before your wildcard...

I was trying to do the same thing as stating the network does if you get me?

Now give me a minute, I'll try to break it down to specify a range of hosts lol
 
So if I want to allow 172.16.16.0 to 172.16.24.255, effectively allowing only the lower half of the subnet, would the wildcard be....

0.0.31.255

OR

0.0.127.255

I came up with .31 first but it would allow other subnets too (or wouldn't it because of the first part of my statement which specifies the 172.16.16.0 subnetwork?)
 
That sounds much better :)
It clicks into place nicely once you get your head round what is happening.
nice one!

EDIT: Just noticed your second post above, gimme a sec

//TrX
 
Ok, on a /20 subnet (255.255.240.0) our standard all-inclusive wildcard mask is 0.0.15.255.
So the best way to work it out would be to think about how many of those 3rd octet bits you need to get you up to .24 (instead of up to the full .31 on that supernet range).

You only need 8 bits to get from .16.x to .24.x instead of 15 bits to get from 16.x to .31.x on the full /20 subnet

So 0.0.8.255 should do the trick.

As I think the ACL bitmask is applied from the most significant bit of your selection (which is the least significant bits of the third octet in this case) and so applies 'up' the number line, not down.
If you get me?
(If it applies the other way you will be allowing from 31.x to 24.x instead... but I'm pretty sure I'm right.)
//TrX
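As an added example (not code from any poster in this thread), here is a short Python script that derives the wildcard from a prefix length the way TrX describes (255.255.255.255 minus the netmask), applies the bitwise match a router performs on an address/wildcard pair, and splits a host range such as 172.16.16.0 - 172.16.24.255 into the fewest address/wildcard entries; the same helpers let you audit exactly which addresses a line like `172.16.16.0 0.0.8.255` or `172.30.0.1 0.0.0.254` matches. Function names are my own; the sample addresses are the ones used in the thread.

```python
import ipaddress


def wildcard_from_prefix(prefix_len):
    """Wildcard (inverse) mask for /prefix_len: 255.255.255.255 minus the netmask."""
    netmask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ netmask))


def matches(entry_addr, wildcard, candidate):
    """Cisco-style match: a 1 bit in the wildcard means 'don't care',
    every 0 bit must be equal between the entry address and the candidate."""
    a = int(ipaddress.IPv4Address(entry_addr))
    w = int(ipaddress.IPv4Address(wildcard))
    c = int(ipaddress.IPv4Address(candidate))
    care = 0xFFFFFFFF ^ w          # bits the ACL actually compares
    return (a & care) == (c & care)


def entries_for_range(first, last):
    """Fewest (address, wildcard) entries covering an inclusive address range.

    A single wildcard can only express a power-of-two aligned block, so a range
    like .16.0 - .24.255 (nine third-octet values) needs more than one entry.
    summarize_address_range gives the minimal CIDR blocks; each maps to one entry."""
    nets = ipaddress.summarize_address_range(ipaddress.IPv4Address(first),
                                             ipaddress.IPv4Address(last))
    return [(str(n.network_address), wildcard_from_prefix(n.prefixlen)) for n in nets]


def matched_hosts(entry_addr, wildcard, network):
    """Every address inside `network` that the entry matches; handy for
    checking an ACL line before it goes on a device."""
    return [str(h) for h in ipaddress.IPv4Network(network)
            if matches(entry_addr, wildcard, h)]


if __name__ == "__main__":
    print(wildcard_from_prefix(21))                                 # 0.0.7.255
    print(entries_for_range("172.16.16.0", "172.16.24.255"))
    # 0.0.0.254 leaves only the low bit compared, so it matches every odd host
    print(matched_hosts("172.30.0.1", "0.0.0.254", "172.30.0.0/28"))
    # 0.0.8.255 compares every third-octet bit except bit 3: .16.x and .24.x only
    print(len(matched_hosts("172.16.16.0", "0.0.8.255", "172.16.16.0/20")))
```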
 
I'm struggling to understand how you've got that 8. If you have the time and feel like being helpful, could you draw something in Paint or whatever? (I'm a massively visual person, so I draw all of this out when I'm doing it....)
 
Let me try and cook something up, though I am probably going to be awful at explaining this visually. It's the kind of stuff that just makes sense in your head and nowhere else :P

//TrX
 
I sympathize with you, as I am somewhat of a practical/visual learner too; however, I really cannot think of a good way of visually representing this.

I think the key is to understand how the binary representations of the subnet masks interact with the IP address to create an address space. After this, the Cisco doc on ACLs and my examples should make a lot more sense.

It may be worth reading this:
http://www.firewall.cx/supernetting-intro.php
As it has a couple of diagrams.

Hope this helps.
If you still have questions feel free to ask me, or if anyone else can think of a good way of representing this graphically...

BigRedShark? are you around? any ideas?


//TrX
 