Comments on: How do I compute complex wildcard masks for access-lists? http://blog.internetworkexpert.com/2007/12/26/q-how-do-i-compute-complex-wildcard-masks-for-access-lists/ Helping you become a Cisco Certified Internetwork Expert Fri, 05 Sep 2008 15:02:42 +0000 http://wordpress.org/?v=2.5.1 By: Phil http://blog.internetworkexpert.com/2007/12/26/q-how-do-i-compute-complex-wildcard-masks-for-access-lists/#comment-6650 Phil Mon, 25 Aug 2008 18:01:35 +0000 http://blog.internetworkexpert.com/?p=7#comment-6650 Hi I read the article from Brian McGahan under http://www.internetworkexpert.com/resources/01700370.htm I can not follow his wildcard calculation (xor part) in the 2nd example. The calculation is xor of 00001010 00000000 00000000 00000000 00001010 00000100 00000000 00000000 00001010 00100000 00000000 00000000 00001010 00100100 00000000 00000000 00000000 00100100 00000000 00000000 (his result) 00000000 00000000 00000000 00000000 (my result) Why does 1 xor 1 become 1 in his calculation? Any help or insight highly appreciated. cheers Hi

I read the article from Brian McGahan under http://www.internetworkexpert.com/resources/01700370.htm

I can not follow his wildcard calculation (xor part) in the 2nd example. The calculation is

xor of

00001010 00000000 00000000 00000000
00001010 00000100 00000000 00000000
00001010 00100000 00000000 00000000
00001010 00100100 00000000 00000000

00000000 00100100 00000000 00000000 (his result)

00000000 00000000 00000000 00000000 (my result)

Why does 1 xor 1 become 1 in his calculation?

Any help or insight highly appreciated.

cheers

]]> By: Harmik http://blog.internetworkexpert.com/2007/12/26/q-how-do-i-compute-complex-wildcard-masks-for-access-lists/#comment-4521 Harmik Sun, 20 Jul 2008 01:21:47 +0000 http://blog.internetworkexpert.com/?p=7#comment-4521 Thanks All I just figured out how to do all this deny ip 192.168.1.0 0.0.0.255 any deny ip 192.168.3.0 0.0.252.255 any deny ip any 192.168.1.0 0.0.0.255 deny ip any 192.168.3.0 0.0.252.255 permit ip 192.168.0.0 0.0.0.255 any permit ip 192.168.2.0 0.0.0.255 any ======its working for me now.... good news.... Thanks All

I just figured out how to do all this

deny ip 192.168.1.0 0.0.0.255 any
deny ip 192.168.3.0 0.0.252.255 any
deny ip any 192.168.1.0 0.0.0.255
deny ip any 192.168.3.0 0.0.252.255
permit ip 192.168.0.0 0.0.0.255 any
permit ip 192.168.2.0 0.0.0.255 any

======its working for me now….

good news….

]]> By: Harmik http://blog.internetworkexpert.com/2007/12/26/q-how-do-i-compute-complex-wildcard-masks-for-access-lists/#comment-4520 Harmik Sun, 20 Jul 2008 01:00:48 +0000 http://blog.internetworkexpert.com/?p=7#comment-4520 Hi All I am new to this configuring cisco router. the scenario is, I want to use access list. In ACL, I want to permit only ip range 192.168.0.0 - 192.168.0.255 192.168.2.0 - 192.168.2.255 and deny the following deny 192.168.1.0 - 192.168.1.255 deny 192.168.3.0 - 192.168.255.255 Hi All

I am new to this configuring cisco router. the scenario is, I want to use access list.

In ACL, I want to permit only ip range 192.168.0.0 - 192.168.0.255
192.168.2.0 - 192.168.2.255

and deny the following

deny 192.168.1.0 - 192.168.1.255
deny 192.168.3.0 - 192.168.255.255

]]> By: Brian McGahan, CCIE #8593 http://blog.internetworkexpert.com/2007/12/26/q-how-do-i-compute-complex-wildcard-masks-for-access-lists/#comment-3653 Brian McGahan, CCIE #8593 Wed, 25 Jun 2008 15:11:12 +0000 http://blog.internetworkexpert.com/?p=7#comment-3653 The point is just to show the binary logic of how the wildcard is derived. The practical implementation of this would be to aggregate multiple access list lines into a single statement in order to save processing power. Remember that for a traffic filter the router has to check each entry in a top down fashion until a match occurs. For example if you are doing "bogon" filtering, the access-list is best implemented as an aggregated list. You can see more information about this here: http://www.cymru.com/Documents/bogon-dd.html Look at Cisco ACL Aggregated and Cisco ACL Non-Aggregated The point is just to show the binary logic of how the wildcard is derived. The practical implementation of this would be to aggregate multiple access list lines into a single statement in order to save processing power. Remember that for a traffic filter the router has to check each entry in a top down fashion until a match occurs. For example if you are doing “bogon” filtering, the access-list is best implemented as an aggregated list. You can see more information about this here:

http://www.cymru.com/Documents/bogon-dd.html

Look at Cisco ACL Aggregated and Cisco ACL Non-Aggregated

]]> By: Steve Raymond http://blog.internetworkexpert.com/2007/12/26/q-how-do-i-compute-complex-wildcard-masks-for-access-lists/#comment-3633 Steve Raymond Mon, 23 Jun 2008 21:31:11 +0000 http://blog.internetworkexpert.com/?p=7#comment-3633 While this is interesting, what is a practical application of that broad an ACL? e.g., the example 8.20.20.8 34.10.10.34 covers any IP addresses starting with the 1st octet like: 8 9 10 11 12 13 14 15 24 25 26 27 28 29 30 31 40 41 And the 2nd & 3rd octet: 20 21 22 23 28 29 30 31 52 53 54 55 60 61 62 63 84 85 Don't get me wrong, I like the xor description and explanation. But I don't see where this would be useful in IOS ACLs? Thanks! While this is interesting, what is a practical application of that broad an ACL? e.g., the example 8.20.20.8 34.10.10.34 covers any IP addresses starting with the 1st octet like:
8
9
10
11
12
13
14
15
24
25
26
27
28
29
30
31
40
41

And the 2nd & 3rd octet:
20
21
22
23
28
29
30
31
52
53
54
55
60
61
62
63
84
85

Don’t get me wrong, I like the xor description and explanation. But I don’t see where this would be useful in IOS ACLs?

Thanks!

]]> By: Ziv http://blog.internetworkexpert.com/2007/12/26/q-how-do-i-compute-complex-wildcard-masks-for-access-lists/#comment-3622 Ziv Mon, 23 Jun 2008 08:48:03 +0000 http://blog.internetworkexpert.com/?p=7#comment-3622 I'm working with Cisco and ACLs for nearly 10 years and I'd never needed to calculate so complex wildcards, so I don't know, perhaps I've never met complex networks, but I think that if you're in need for so comlex wildcards it must have something to do with bad network designing... I’m working with Cisco and ACLs for nearly 10 years and I’d never needed to calculate so complex wildcards, so I don’t know, perhaps I’ve never met complex networks, but I think that if you’re in need for so comlex wildcards it must have something to do with bad network designing…

]]> By: George Roman http://blog.internetworkexpert.com/2007/12/26/q-how-do-i-compute-complex-wildcard-masks-for-access-lists/#comment-3477 George Roman Thu, 05 Jun 2008 17:51:19 +0000 http://blog.internetworkexpert.com/?p=7#comment-3477 One problem, As far as i now this "XOR" function is not the logical XOR when you try to compute more than 2 "inputs"(3 ips for example). In this last case the result of the XOR operation would be different (you would calculate xor between first 2 inputs and the result will come into play with the 3-rd input). So by the correct XOR logic the result of 3 IPs would not give you the correct wildcard mask. One problem,

As far as i now this “XOR” function is not the logical XOR when you try to compute more than 2 “inputs”(3 ips for example). In this last case the result of the XOR operation would be different (you would calculate xor between first 2 inputs and the result will come into play with the 3-rd input).
So by the correct XOR logic the result of 3 IPs would not give you the correct wildcard mask.

]]> By: trilok http://blog.internetworkexpert.com/2007/12/26/q-how-do-i-compute-complex-wildcard-masks-for-access-lists/#comment-1098 trilok Fri, 18 Apr 2008 12:19:03 +0000 http://blog.internetworkexpert.com/?p=7#comment-1098 I won't agree with the solution provided as to combine a pair of ip address with wild card mask the mandatory thing is only 1 bit has to vary while we compare that pair of addresses or else no way we can combine those IP addresses if they are are having more than 1 bit varying in between them. The range of IP addresses that an accesslist applies is purely based on number of 1's in the wild card mask. i.e range = 2^(number of 1's in the wild card mask) If its failing then it will apply to some other addresses apart from the desired one's I won’t agree with the solution provided as to combine a pair of ip address with wild card mask the mandatory thing is only 1 bit has to vary while we compare that pair of addresses or else no way we can combine those IP addresses if they are are having more than 1 bit varying in between them.

The range of IP addresses that an accesslist applies is purely based on number of 1’s in the wild card mask. i.e range = 2^(number of 1’s in the wild card mask)

If its failing then it will apply to some other addresses apart from the desired one’s

]]> By: D http://blog.internetworkexpert.com/2007/12/26/q-how-do-i-compute-complex-wildcard-masks-for-access-lists/#comment-1047 D Tue, 08 Apr 2008 14:26:35 +0000 http://blog.internetworkexpert.com/?p=7#comment-1047 Also you can use the calc in windows (scientific) AND/XOR function to compute the wild card masks. Also you can use the calc in windows (scientific) AND/XOR function to compute the wild card masks.

]]> By: Day 4 of Week 2 « Richard Bannister’s CCIE Blog http://blog.internetworkexpert.com/2007/12/26/q-how-do-i-compute-complex-wildcard-masks-for-access-lists/#comment-615 Day 4 of Week 2 « Richard Bannister’s CCIE Blog Thu, 06 Mar 2008 21:32:22 +0000 http://blog.internetworkexpert.com/?p=7#comment-615 [...] quite tedious so NAT added a bit of interest to it.  Another item that gained my interest is a post by Brian McGahan on the Internetwork Experts blog detailing how to work out the most specific match [...] [...] quite tedious so NAT added a bit of interest to it.  Another item that gained my interest is a post by Brian McGahan on the Internetwork Experts blog detailing how to work out the most specific match [...]

]]>