1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Another ACL question

Discussion in 'General Cisco Certifications' started by Headache, Mar 9, 2007.

  1. Headache

    Headache Gigabyte Poster

    1,092
    9
    85
    I came across this question recently and I've been trying to figure out the answer without much success.


    Access-list 1 deny 172.26.192.0 0.0.31.254

    Identify the host ip that this ACL applies to.



    Any ideas ?
     
    Certifications: CCNA
    WIP: CCNP
  2. NetEyeBall

    NetEyeBall Kilobyte Poster

    279
    10
    45
    I am going to test it out...results will be posted shortly.
     
    Certifications: CCNA, A+, N+, MCSE 4.0, CCA
    WIP: CCDA, CCNP, Cisco Firewall
  3. Headache

    Headache Gigabyte Poster

    1,092
    9
    85
    Not sure, but I think they're asking us to identify one single host, not the entire range.

    I think.

    EDIT: No. I think you're right. They're asking for the range. But why is the question worded like that ?
     
    Certifications: CCNA
    WIP: CCNP
  4. NetEyeBall

    NetEyeBall Kilobyte Poster

    279
    10
    45
    I am having issues. I set up my network, and the ACL.

    Router3
    access-list 1 deny 172.26.192.0 0.0.31.254
    access-list 1 permit any

    But I haven't set up my actual hosts on the network. I did an extended ping with the source address from my Router 1. But I always would get a response even when the ip address was in the range of the mask. Except when I didn't add a permit statement and the implicit deny denied all traffic.

    I even broke down and checked it with a wildcard mask generator since I started to get confused after a bit.

    The generator indicates that the 3rd octet of the mask matches 0-31 and the 4th octet matches every even ip address in the range.

    Still thinking on this...and still confused...
     
    Certifications: CCNA, A+, N+, MCSE 4.0, CCA
    WIP: CCDA, CCNP, Cisco Firewall
  5. NetEyeBall

    NetEyeBall Kilobyte Poster

    279
    10
    45
    If they wanted one single host they wouldn't need a wild card mask. Or if they wanted one then they could have a mask of 0.0.0.0 which means match all the bits exactly.

    So they definately want some sort of range...but what...and why don't my configs work. Arg..still thinking...
     
    Certifications: CCNA, A+, N+, MCSE 4.0, CCA
    WIP: CCDA, CCNP, Cisco Firewall
  6. NetEyeBall

    NetEyeBall Kilobyte Poster

    279
    10
    45
    Ok. This is a worthless ACL. I HOPE this wasn't in a text book.

    In any event...

    This acl is saying that I want to block the following:

    1st octet: 172
    2nd octet: 26
    3rd octet: 192 - 223
    4th octet: Anyone that doesn't have the last bit set to ON. (In effect blocking every even IP Address)

    For example:

    150.140.1.1 pings fine since doesn't match the deny statement and is permited by the permit any.

    172.26.224.1 is fine since he doesn't match the deny statement in the 3rd octet (or the 4th octet). He hits the 1st ACL statement and passes to the 2nd which is a permit all so his request is sent on to be completed. (He does match it in the 1st and 2nd octet just for clarity).

    172.26.224.1 in bianary looks like this:

    1010 1100 | 0001 1010 | 1110 0000 | 0000 0001

    comparing to ACL

    1010 1100 | 0001 1010 | 1100 0000 | 0000 0000

    through

    1010 1100 | 0001 1010 | 1101 1111 | 1111 1110

    172.26.223.2 is blocked because he matches the 1st, 2nd, 3rd octet AND the 4th octet rule and his ICMP Echo Request hits the 1st ACL rule (the deny statment) and is dropped to the bit bucket.

    One last example:

    172.26.223.1 is allowed because while he matches the 1st, 2nd, AND 3rd octet qulification, he DOESN'T match the last octet since his last bit is turned on. So he is passed to the 2nd ACL rule and since it is a permit any rule..his request is sent on to be completed.


    I had to use a Wildcard Mask Calc and use my labs to verify this question. I didn't save the output, but if you really want the output I will reconfigure everything and can post it.

    Remember with ACLs it has to be an exact match to be pounced on by the rule otherwise it sends it on to the next rule and so on until it either matches a rule exactly or is either dropped due to an implicit deny or permit all statement. With the wildcard mask, the rule looks at a series of bit patterns to match which normally creates a range, but in this case a strange pattern.

    Hope this helps!!!
     
    Certifications: CCNA, A+, N+, MCSE 4.0, CCA
    WIP: CCDA, CCNP, Cisco Firewall
  7. Headache

    Headache Gigabyte Poster

    1,092
    9
    85
    Sorry, NetEyeball. Had to go out for a while and run a few errands.

    Yeah, I have to agree with you. It definitely looks like a crap ACL. I got it from an old bootcamp tutorial that belongs to my friend. When I saw the question, I just couldn't figure out what they were asking. Now thanks to you, it's clear that somebody screwed up.

    Sorry for putting you through so much hassle.
     
    Certifications: CCNA
    WIP: CCNP
  8. NetEyeBall

    NetEyeBall Kilobyte Poster

    279
    10
    45
    no worries! It helped me understand acls that much better.
     
    Certifications: CCNA, A+, N+, MCSE 4.0, CCA
    WIP: CCDA, CCNP, Cisco Firewall
  9. r.h.lee

    r.h.lee Gigabyte Poster

    1,011
    52
    105
    Headache,

    Let's digitize the IP address and the Wildcard Mask.

    1. Titles
      • IP Address
      • Wildcard Mask
    2. Decimal
      • 172.26.192.0
      • 0.0.31.254
    3. Decimal to Binary Conversion
      • 10101100.00011010.11000000.00000000
      • 00000000.00000000.00011111.11111110
    4. Apply the Wildcard Mask
      • 10101100.00011010.11000000.00000000

    So what does this mean? It means that the ACL will match any IP address that falls within the following range:
    1. Binary
      • 10101100.00011010.11000000.00000010
      • 10101100.00011010.11011111.11111110
    2. Binary to Decimal Conversion
      • 172.26.192.2
      • 172.26.223.254

    That's because the Wildcard Mask will IGNORE the 2nd through the 14th bits in the IP address.

    On a side note, I think the question should have been...

    Access-list 1 deny 172.26.192.1 0.0.31.254

    That way, the single host that would have been matched would have been 172.26.192.1 because the binary of the last octet for .1 decimal is .00000001 which would have sneaked past the Wildcard Mask hole of .254 or .11111110 .
     
    Certifications: MCSE, MCP+I, MCP, CCNA, A+
    WIP: CCDA
  10. Headache

    Headache Gigabyte Poster

    1,092
    9
    85
    Big thanx r.h.lee.

    That actually makes a lot of sense.

    When I first saw the question, I kept asking myself: the host ip ? the host ip ? What are they talking about ? If they'd asked for the range, I probably might have been a little less confused, not that that would have made the question any less wrong.

    In any case, I shall endeavor to study this thread in more detail later in order to further my understanding of ACLs.

    Big thanx also to NetEyeBall for his assistance.
     
    Certifications: CCNA
    WIP: CCNP
  11. muckyfingers

    muckyfingers New Member

    4
    2
    4
    the way I read the question seems to apply to all the even numbers between the 192-223.


    Access-list 1 deny 172.26.192.0 0.0.31.254

    172.26.192.0= 10101100.00011010.11000000.00000000
    0.0.31.254 = 00000000.00000000.00011111.11111110

    0=must match
    1= I dont care

    which concludes that: 1st octet=172 2nd octet=26 3rd octet=match 1st 3 bits (range=192-223) 4th octet= match only last bit (any number with last binary bit that is 0 is an even number)

    so this acl is only concerned with numbers that have the last binary bit as a zero(0)

    just my opinion,
     
  12. Headache

    Headache Gigabyte Poster

    1,092
    9
    85
    Certifications: CCNA
    WIP: CCNP

Share This Page

Loading...