Access list using wild card masking

I am studying for the CCNA and I am having trouble understanding access list wild card masks. The main thing I am having trouble with is this. Does the first IP address have to start with a block number (4,8,16,32,64) or can it start with any number? Example:
192.168.16.0 0.0.3.255 (with block number) Range 16-19
or 192.168.10.0 0.0.3.255 (with any number) Range 10-13

I do not see why the number needs to be a block number.

Thanks in advance,

Alan

Alan S

It doesn't. You may compare against any IP address in the ACL. For purposes of ACL processing, the IP address is just a string of 32 bits, and nothing more. The wildcard is also just a string of bits. A "1" in each bit position of the wildcard mask indicates that that position is "wild" for purposes of comparing the address--in other words, the address in the ACL and the address in the packet being examined do NOT need to match in that bit. A "0" in each bit of the mask indicates that that bit is NOT wild--it must match.

What you ARE missing out on is clearly understanding that the actual operations in the router are performed in BINARY, and how that affects the numbers you use. Even though you write the config using dotted-decimal notation, the actual addresses being processed are 32-bit binary values. From your second example, here are your matching address and wildcard mask:

11000000 10101000 00001010 00000000  (192.168.10.0)
00000000 00000000 00000011 11111111  (0.0.3.255)

Take a look at the third octet. Note that the decimal value of "ten" is represented as "1010" in binary. (That's 8+2) The binary value for "three" is "11" (2+1). The mask clips off the "2" bit in the ten, rendering it insignificant and leaving only the "8" bit. Addresses that will actually match this ACL are:

11000000 10101000 00001010 00000000  match address
00000000 00000000 00000011 11111111  wildcard mask
11000000 10101000 00001000 ????????  192.168.8.x
11000000 10101000 00001001 ????????  192.168.9.x
11000000 10101000 00001010 ????????  192.168.10.x
11000000 10101000 00001011 ????????  192.168.11.x

If you really need to use an ACL to select out a range of addresses from ten to thirteen, then you need to use several lines of code in your ACL:

192.168.10.0 0.0.1.255  (This gets ten and eleven.)
192.168.12.0 0.0.1.255  (This gets twelve and thirteen.)

Unfortunately, this makes your ACLs longer and more cumbersome, and doubles the amount of time it takes the router to actually process them. For this reason, it is usually preferable to design your network's address space up-front in such a way that address regions you may want to differentiate between will fall on a bit boundary. Because individual networks are defined by only a single network address and subnet mask, this also means that actual subnet definitions MUST fall on a bit boundary.

Dotted-decimal notation makes configurations easy to read, and makes it possible for us to speak, write and easily memorize IP addresses and masks. Never make the mistake, however, of believing you are actually working with decimal numbers. You are not. The IP address space is a binary universe, and all routers operate using binary operations based on bitwise boolean logic. Think everything through in binary, and just use the decimal notation as a shorthand.

Mike Dorn
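The bitwise comparison described in this answer, worked through as an added Python example (not code from the original thread); it uses the addresses from the question to show which networks 192.168.10.0 0.0.3.255 really matches, and that the two-entry ACL is what covers 10 through 13:

```python
import ipaddress


def to_int(addr: str) -> int:
    """Dotted-decimal IPv4 address to its 32-bit integer value."""
    return int(ipaddress.IPv4Address(addr))


def ace_matches(ace_addr: str, wildcard: str, packet_addr: str) -> bool:
    """Cisco-style wildcard test: a 1 bit in the wildcard means 'don't care',
    a 0 bit must match. Equivalent to (ace XOR packet) AND NOT wildcard == 0."""
    a, w, p = to_int(ace_addr), to_int(wildcard), to_int(packet_addr)
    return ((a ^ p) & ~w & 0xFFFFFFFF) == 0


def matched_range(ace_addr: str, wildcard: str) -> tuple:
    """Lowest and highest address an entry matches: the wildcard bits of the
    configured address are ignored, so they are cleared for the low end and
    set for the high end. 192.168.10.0 0.0.3.255 therefore starts at 192.168.8.0."""
    a, w = to_int(ace_addr), to_int(wildcard)
    low = a & ~w & 0xFFFFFFFF
    high = a | w
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(high))


def acl_permits(acl: list, packet_addr: str) -> bool:
    """First-match evaluation of a list of (address, wildcard) permit entries,
    with the implicit deny at the end."""
    return any(ace_matches(a, w, packet_addr) for a, w in acl)


def third_octets_matched(acl: list) -> list:
    """Values X for which 192.168.X.0 is permitted, so the covered /24s are visible."""
    return [x for x in range(256) if acl_permits(acl, f"192.168.{x}.0")]


if __name__ == "__main__":
    # The single-line ACL from the question ("range 10-13" was the expectation).
    one_line = [("192.168.10.0", "0.0.3.255")]
    print(matched_range(*one_line[0]), third_octets_matched(one_line))
    # The two-line ACL from the answer actually selects ten through thirteen.
    two_lines = [("192.168.10.0", "0.0.1.255"), ("192.168.12.0", "0.0.1.255")]
    print(third_octets_matched(two_lines))
```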
