Access Control List Help

I understand how to get the wildcard for allowing an entire network.

I'm just struggling with splitting it up when trying to allow a range of hosts. I'll show you how I work out the wildcard and then maybe you'll be able to see.
 
I'll upload a picture of the spreadsheet when I get home in about 30 minutes. It shows quite clearly how I go about working it out and how I've been laying things out to try to work out the wildcard.

Cheers for the help so far :)
 
BigRedShark? are you around? any ideas?


//TrX

I am, but I'm of little help on this one. It just kind of works in my head; partly I think I've just memorised everything from /32 down to /24 and use the principle that a /22 is a /30 less than a /24 (does that make any sense?).

Essentially, a /30 wildcard is 0.0.0.3, a /24 is 0.0.0.255 and a /22 is a /30 less than a /24...so 0.0.3.255

I have no idea if that makes sense to anyone, it works really well for me though...
 
I get what you mean, I'm having the same problem trying to explain it as it's just something that your brain tells you: 'Ahh, you need THIS then'.

Anyway, I will wait for wardie's upload on how he is working out a wildcard for half of a CIDR supernet, and see if I can spot anything.

//TrX
 
Well here's the image...

acl.jpg


And if you'd rather just have the spreadsheet it's here..

www.wildcut.co.uk/ACL.xls
 
Think I might have got this...

172.16.0.0/22 (255.255.252.0)

Allow first half of addresses in this subnet (so 172.16.20.0 to 172.16.22.127)

permit 172.16.20.0 0.0.2.127

?!?!?

Any joy?
 
EDIT: removed as I was wrong :D You can, it seems, have non-contiguous ACL masks like 0.0.2.127 (0000 0010 . 0111 1111).
Can anyone confirm this? I was always taught to have contiguous bits in the mask (i.e. 0001 1111, NOT e.g. 0010 0110).
 
> Think I might have got this...
>
> 172.16.0.0/22 (255.255.252.0)
>
> Allow first half of addresses in this subnet (so 172.16.20.0 to 172.16.22.127)
>
> permit 172.16.20.0 0.0.2.127
>
> ?!?!?
>
> Any joy?

YES! Got it!
Sorry for the late reply, was busy last night/this morning.
What made it 'click'?

//TrX
 
The first line is just showing the network and subnet mask, that's all.... nothing to do with ranges or anything

Ahh, that does make sense. I did think you couldn't have random ones thrown in but just went with it anyway.

I think I've sussed this now. I'll make up another random scenario and post it :)

----EDIT----


Argghhh, what the hell.

He got in there with a swift edit haha!
 
> YES! Got it!
> Sorry for the late reply, was busy last night/this morning.
> What made it 'click'?
>
> //TrX

Not sure mate, your posts really did help.

I just drew the octets out in binary in a table like I showed in that picture and Excel spreadsheet.

Then I realised that it's the combination of the network address and the wildcard which determines the hosts. I was trying to do some kind of deranged thing with both of them.

I'll make one more to check...
 
Ok I went for a slightly more complicated one.

10.0.0.0/13 (255.248.0.0)

Allow range 10.16.0.0 to 10.20.255.127

Wildcard = 0.3.255.127??
 
> Ok I went for a slightly more complicated one.
>
> 10.0.0.0/13 (255.248.0.0)
>
> Allow range 10.16.0.0 to 10.20.255.127
>
> Wildcard = 0.3.255.127??

Don't think so,
The range/netmask you have specified gives
10.0.0.0 - 10.7.255.255 addresses (network address 10.0.0.0, bcast 10.7.255.255)
with a full ACL mask of 0.7.255.255

So your allow range would be completely outside the range of the supernet itself.

//TrX
 
Sorry to confuse, Wardie, that was just the way I got taught, but that was many years back :D I've been looking more and it seems yes you can, which makes it much more flexible.
 
> Don't think so,
> The range/netmask you have specified gives
> 10.0.0.0 - 10.7.255.255 addresses (network address 10.0.0.0, bcast 10.7.255.255)
> with a full ACL mask of 0.7.255.255
>
> So your allow range would be completely outside the range of the supernet itself.
>
> //TrX

Trying to allow 10.16.0.0/13 to 10.20.255.127/13

allow 10.16.0.0 - 0.4.255.127?
 
> Trying to allow 10.16.0.0/13 to 10.20.255.127/13
>
> allow 10.16.0.0 - 0.4.255.127?

10.16.0.0/13 is:
10.16.0.0 - 10.23.255.255

so yes!
16 + 4 = 20 for the 2nd octet, all of the third (255) and up to 127 for the last.

:)
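A way to check the masks discussed in this thread (TrX's "/22 is a /30 less than a /24" shortcut, the question about non-contiguous masks such as 0.0.2.127, and the 10.16.0.0 / 0.4.255.127 entry above). This is an added example, not code from the thread or from the spreadsheet linked earlier; the function names and the sample addresses are my own. It derives the wildcard for a prefix length, tests whether a wildcard is contiguous, expands a `base wildcard` entry into the exact address ranges it matches (the Cisco-style bit test: every 0-bit in the wildcard must agree), and uses the standard library to find the contiguous entries that cover an arbitrary first..last range.

```python
"""Wildcard-mask helpers for the ACL examples in this thread.

Added example, not code from the thread: the function names and the
sample addresses are my own (constructed) choices.
"""
from ipaddress import IPv4Address, summarize_address_range


def wildcard_for_prefix(prefix_len: int) -> str:
    """Wildcard (inverse mask) for a CIDR prefix length.

    /30 -> 0.0.0.3, /24 -> 0.0.0.255, /22 -> 0.0.3.255: the wildcard is just
    the host bits set to 1, so a /22 has two more 1-bits than a /24.
    """
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    return str(IPv4Address((1 << (32 - prefix_len)) - 1))


def is_contiguous(wildcard: str) -> bool:
    """True when the wildcard is a run of 0s followed by a run of 1s,
    i.e. it is the inverse of a valid subnet mask."""
    w = int(IPv4Address(wildcard))
    return (w + 1) & w == 0          # 0...01...1 plus 1 is a power of two


def matches(addr: str, base: str, wildcard: str) -> bool:
    """Cisco-style match: every bit that is 0 in the wildcard must agree."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w) == 0


def matched_count(wildcard: str) -> int:
    """Number of addresses an entry with this wildcard matches: 2^(1-bits)."""
    return 1 << bin(int(IPv4Address(wildcard))).count("1")


def matched_ranges(base: str, wildcard: str) -> list[tuple[str, str]]:
    """Every address `base wildcard` matches, as sorted contiguous ranges.

    A contiguous wildcard gives exactly one range.  Each 1-bit that sits
    above a 0-bit (a "gap") doubles the number of separate ranges, which is
    why 0.0.2.127 or 0.4.255.127 does not describe one block of hosts.
    """
    b = int(IPv4Address(base))
    w = int(IPv4Address(wildcard))
    low_run = w & ~(w + 1)                     # contiguous 1-bits from bit 0 up
    scatter = [1 << i for i in range(32) if (w & ~low_run) >> i & 1]
    anchor = b & ~w                            # base with all wildcard bits cleared
    ranges = []
    for combo in range(1 << len(scatter)):     # every subset of the gap bits
        start = anchor
        for i, bit in enumerate(scatter):
            if combo >> i & 1:
                start |= bit
        ranges.append((str(IPv4Address(start)),
                       str(IPv4Address(start | low_run))))
    return sorted(ranges, key=lambda r: int(IPv4Address(r[0])))


def acl_entries_for_range(first: str, last: str) -> list[tuple[str, str]]:
    """Smallest list of (base, wildcard) entries, all with contiguous
    wildcards, that covers exactly the inclusive range first..last.
    One entry means the range is an aligned block; several mean it is not."""
    nets = summarize_address_range(IPv4Address(first), IPv4Address(last))
    return [(str(n.network_address), str(n.hostmask)) for n in nets]


if __name__ == "__main__":
    print("/22 wildcard:", wildcard_for_prefix(22))
    # sample entries taken from the thread's own examples
    for base, wc in [("172.16.20.0", "0.0.2.127"), ("10.16.0.0", "0.4.255.127")]:
        print(f"{base} {wc}: contiguous={is_contiguous(wc)}, "
              f"{len(matched_ranges(base, wc))} separate range(s), "
              f"{matched_count(wc)} addresses")
        print("   ", matched_ranges(base, wc)[:2], "...")
    print("entries for 10.16.0.0-10.20.255.127:",
          acl_entries_for_range("10.16.0.0", "10.20.255.127"))
```

Running it shows what a non-contiguous wildcard really does: `172.16.20.0 0.0.2.127` matches two separate blocks of 128 addresses (172.16.20.0-127 and 172.16.22.0-127), and `10.16.0.0 0.4.255.127` matches 65,536 addresses spread over 512 separate blocks of 128, not the 327,552 addresses from 10.16.0.0 to 10.20.255.127. IOS accepts any wildcard bit pattern, but an entry matches a bit pattern rather than a range; covering that range exactly takes ten contiguous entries, the first `10.16.0.0 0.3.255.255` and the last `10.20.255.0 0.0.0.127`.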
 
Yeah the one earlier was a mistake and I was being retarded.

Thanks for the help, you've helped me understand it and it seems like I'm getting there :]
 