Had to post this again HIHIHIHI
Question about wildcard masks
Hello everyone.
I have the following way of computing a wildcard mask; please let me know what you think.
For example, let's compute the WC for the following address range.
192.168.1.19 - 192.168.1.99
+ take 99 - 19 = 80
+ As far as I know, a WC is always of the form (2^n) - 1, so we break 80 down into components of the form (2^n) - 1
specifically: 80 = (64-1) + (16-1) + (2-1) + (2-1).
therefore we get the following WCs
192.168.1.19 0.0.0.63
192.168.1.82 0.0.0.15
192.168.1.98 0.0.0.1
Please give your opinions.
That doesn't look right :mad:
- 192.168.1.19 with wc 0.0.0.63 means every bit must be checked except the last 6 bits, which are "ignored", so the matched address range is only 192.168.1.0 - 192.168.1.63.
- 192.168.1.82 with wc 0.0.0.15 means every bit must be checked except the last 4 bits, which are "ignored", so the matched address range is only 192.168.1.80 - 192.168.1.95.
- 192.168.1.98 with wc 0.0.0.1 means every bit must be checked except the last bit, which is "ignored", so the 2 matched addresses are 192.168.1.98 & 192.168.1.99
And even if you add all 3 ranges above together, you still miss the address ranges 192.168.1.64 - 192.168.1.79 and 192.168.1.96 - 192.168.1.97. So it does not cover the range 192.168.1.19 - 192.168.1.99, not to mention that we have "overshot": the requirement was only to filter .19 - .99, yet we let the range .1 - .18 through as well :cool:
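The reply above can be checked mechanically. The following is an added example, not code from the thread: it applies Cisco wildcard semantics (a 1 bit in the mask means "ignore") to every address of 192.168.1.0/24, reports which addresses of the wanted range .19 - .99 the three proposed entries miss and which extra ones they let through, and then goes one step further than the thread by splitting the range into aligned power-of-two blocks, which is what a contiguous wildcard can actually express. The range, the three entries and the `/24` are from the posts; the function names are constructed here.

```python
# Added example (not from the forum thread): check what a set of
# "address wildcard" pairs really matches, compare it against the
# range 192.168.1.19 - 192.168.1.99 from the first post, and build a
# correct decomposition into aligned blocks.
import ipaddress


def wc_matches(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'ignore',
    a 0 bit means the packet address bit must equal the condition bit."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    keep = ~int(ipaddress.IPv4Address(wildcard))  # bits that must match
    return (a & keep) == (b & keep)


def matched_set(entries, network: str = "192.168.1.0/24") -> set:
    """Return the set of last-octet values in `network` hit by any entry."""
    hits = set()
    for host in ipaddress.IPv4Network(network):  # includes .0 and .255
        if any(wc_matches(str(host), base, wc) for base, wc in entries):
            hits.add(int(host) & 0xFF)
    return hits


def coverage_report(entries, lo: int, hi: int, network: str = "192.168.1.0/24") -> dict:
    """Last octets that are wanted but not matched, and matched but not wanted."""
    wanted = set(range(lo, hi + 1))
    got = matched_set(entries, network)
    return {"missing": sorted(wanted - got), "extra": sorted(got - wanted)}


def aligned_blocks(lo: int, hi: int, prefix: str = "192.168.1."):
    """Greedy split of the last-octet range lo..hi into blocks whose start is
    a multiple of their size; each becomes (address, wildcard) with a
    contiguous wildcard of size-1, which is the only shape a single
    contiguous wildcard can express."""
    entries = []
    p = lo
    while p <= hi:
        size = 1
        while p % (size * 2) == 0 and p + size * 2 - 1 <= hi:
            size *= 2
        entries.append((f"{prefix}{p}", f"0.0.0.{size - 1}"))
        p += size
    return entries


# The three entries proposed in the first post.
PROPOSED = [
    ("192.168.1.19", "0.0.0.63"),
    ("192.168.1.82", "0.0.0.15"),
    ("192.168.1.98", "0.0.0.1"),
]

if __name__ == "__main__":
    print(coverage_report(PROPOSED, 19, 99))
    fixed = aligned_blocks(19, 99)
    print(len(fixed), "entries:", fixed)
    print(coverage_report(fixed, 19, 99))
```

Running it reproduces the reply exactly (missing .64-.79 and .96-.97, extra .0-.18) and shows that covering .19-.99 without leaks takes six aligned entries (.19/32, .20-.23, .24-.31, .32-.63, .64-.95, .96-.99), because a wildcard block of size 2^n must start at a multiple of 2^n, not at an arbitrary address such as .19.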
I just read this ebook and found it interesting, so I'm copy-pasting it here for everyone to read for fun!
Wildcard Masks
One of the most difficult components to grasp with ACLs is the wildcard mask. Wildcard masks are used to match on a range of IP addresses in a condition. For example, imagine that you want to allow a device to access any address in 192.168.1.0/24. One approach is to have 254 permit statements for these addresses: 192.168.1.1 through 192.168.1.254. This takes a lot of time to configure and places an extra burden on the router to process all of these statements. Instead, the Cisco IOS uses a feature called wildcard masks. Wildcard masks enable you to match on a range of addresses in a single condition, such as 192.168.1.0/24. A wildcard mask can match on all 256 of these addresses.
The greatest confusion involving wildcard masks concerns how they are configured to match on a range of addresses. Like IP addresses and subnet masks, wildcard masks are 32 bits in length. When comparing a wildcard mask to a subnet mask, however, the bit values used in both (0 and 1) mean different things. Table 6-2 compares the bit values in subnet and wildcard masks and tells what they represent.
Table 6-2. Wildcard and Subnet Mask Values

Mask          | Binary 1                                                   | Binary 0
Subnet mask   | A bit in the corresponding address is a network component. | A bit in the corresponding address is a host component.
Wildcard mask | A bit in the corresponding condition address is ignored.   | A bit in the corresponding condition address must match.
NOTE
With standard IP ACLs, the wildcard mask is optional. If you omit it, the wildcard mask defaults to 0.0.0.0. With extended IP ACLs, the wildcard mask is required for both the source and destination addresses.
Converting a Subnet Mask to a Wildcard Mask
Probably the best way to look at a wildcard mask is to compare it to an inverted subnet mask. For example, say that you want to match on network 192.168.1.0/24. This network is a subnet mask of 255.255.255.0. To invert this mask, flip all the 1 bits to 0s and all the 0 bits to 1s. This results in twenty-four 0 bits and eight 1 bits, or 0.0.0.255. Therefore, to match on all addresses in network 192.168.1.0/24, you would use a wildcard mask of 0.0.0.255.
TIP
I have developed a quick trick to perform the conversion process from subnet mask to wildcard mask. First, write down the subnet mask in dotted decimal. Subtract each octet from 255, resulting in the corresponding wildcard mask value for that octet.
Take a look at some examples of performing the conversion. In the first example, I want to figure out the wildcard mask that will match on any packet. In IP, the default network (any address) is 0.0.0.0/0, resulting in a subnet mask of 0.0.0.0. When performing the conversion, the resulting wildcard mask for all addresses is 255.255.255.255 (subtract each subnet mask octet from 255). To match on any address, you would use an IP address of 0.0.0.0 and a wildcard mask of 255.255.255.255. Like a subnet mask, the context of the wildcard mask is based on the address associated with the mask.
TIP
When configuring an ACL condition and specifying a source address and a wildcard mask that will match on any address, you can either use 0.0.0.0 255.255.255.255 or the keyword any. Both mean the same thing.
In this example, I want to match on one specific address, 192.168.1.1. In subnetting, to represent a single address, you use a /32 (255.255.255.255) mask. To convert this to a wildcard mask, subtract each subnet mask octet from 255. This results in a wildcard mask of 0.0.0.0. Therefore, to match on this specific address, you would use 192.168.1.1 0.0.0.0 in your condition.
TIP
When configuring an ACL condition and specifying a source address and a wildcard mask that will match on a specific address, such as 192.168.1.1, you can use either 192.168.1.1 0.0.0.0 or the keyword host followed by the host address (host 192.168.1.1). Both mean the same thing.
In this third example, I want to create a wildcard mask that will match this range of addresses: 192.168.1.16/28 (255.255.255.240). To convert this to a wildcard mask, subtract each subnet mask octet from 255, resulting in a wildcard mask of 0.0.0.15. Therefore, to match on 192.168.1.16/28 addresses, you would use the following in your condition: 192.168.1.16 0.0.0.15. As you can see, using this simple trick makes converting subnet masks to wildcard masks an easy process.
NOTE
Unlike subnet masks, wildcard masks support discontiguous 1s and 0s, which enables you to match on a range of values with a specific octet, such as any packet that has a number of 0 to 7 in the third octet.
In this last illustration, I use an example that you might see on a CCIE Routing and Switching or Security written or lab exam. In this example, you are given the following network: 172.16.0.0/16. In this network, you want to match on the first address in each subnet, where the subnet mask is /24. You do not care about the subnet number; you care only about the first address in every subnet, such as 172.16.0.1, 172.16.1.1, 172.16.2.1, and so on. Given these requirements, what kind of address and wildcard mask would you use for your condition? Given the requirements, the address must begin with 172.16. Therefore, the first two octets in the wildcard mask are 0.0. You do not care about the subnet number in the third octet, so the wildcard mask is 255 here. But you do care about the last octet. You want to match on the first address (.1), resulting in a 0 in the fourth octet of the wildcard mask. Therefore, the resulting address and wildcard mask in the condition would be 172.16.0.1 0.0.255.0.
One interesting point to make about this partial condition is that 172.16.0.1 0.0.255.0 and 172.16.1.1 0.0.255.0 mean the same thing. Remember that the wildcard mask specifies that you do not care what is in the third octet; anything matches in this octet. Therefore, it does not matter what number you put here in the address part of the condition. This can be useful if you use the same address in a subnet for a particular type of device, such as a router, and want to match on these addresses. Of course, the example I gave here was simple; CCIEs would be expected to configure something much harder than this.
NOTE
One item to point out is that the Cisco IOS converts any value in an address to 0 if the corresponding wildcard mask value in the octet is 255. For example, if you specified 172.16.1.1 0.0.255.0, the Cisco IOS would change this to 172.16.0.1 0.0.255.0. Note that when the Cisco IOS performs matching, it ignores all values in the third octet. Cisco uses this process to remove any ambiguity about command configuration.
Wildcard Mask Mistakes
Because of the complexities of wildcard masks, many people make mistakes when configuring the wildcard mask for the address or range of addresses that they want to match on. Here are some common mistakes:
192.168.1.0 255.255.255.0 matches on any packet with any values in the first three octets and a 0 in the last octet. Remember that the mask that you put in is a wildcard mask, not a subnet mask!
192.168.1.1 255.255.255.255 matches on any address. The wildcard mask says to match on all addresses and ignores what you put in for the IP address (192.168.1.1).
192.168.1.0 0.0.0.0 matches on any packet that has an address of 192.168.1.0, which is a network number. Actually, if you see an address like this in a packet, it is a spoofing attack. Probably what the administrator meant to use as a wildcard mask was 0.0.0.255, which is any address in the 192.168.1.0/24 network.
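The conversion trick, the discontiguous-mask example and the "common mistakes" list above can all be exercised with a few lines of code. The following is an added example, not from the book excerpt or the thread: it converts a subnet mask (or prefix length) to a wildcard mask by inverting it, reproduces the IOS normalisation of 172.16.1.1 0.0.255.0 to 172.16.0.1 0.0.255.0 described in the NOTE, and counts how many addresses each of the three mistaken conditions really matches. The masks and addresses are the book's; the function names and the 10.0.0.0/24 sample network are constructed here.

```python
# Added example, not from the book excerpt or the thread: subnet-mask to
# wildcard conversion, IOS-style normalisation of the address part, and
# checks of the "common mistakes" list. Sample networks are constructed.
import ipaddress


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(n: int) -> str:
    return str(ipaddress.IPv4Address(n & 0xFFFFFFFF))


def subnet_to_wildcard(subnet_mask: str) -> str:
    """The book's trick: subtract each octet from 255, which is the same as
    inverting every bit of the subnet mask."""
    return to_dotted(0xFFFFFFFF ^ to_int(subnet_mask))


def prefix_to_wildcard(prefix_len: int) -> str:
    """/n -> wildcard, e.g. /28 -> 0.0.0.15, /22 -> 0.0.3.255."""
    netmask = ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask
    return subnet_to_wildcard(str(netmask))


def normalize(address: str, wildcard: str) -> str:
    """IOS clears the address bits the wildcard ignores, so
    172.16.1.1 0.0.255.0 is stored as 172.16.0.1 0.0.255.0."""
    return to_dotted(to_int(address) & ~to_int(wildcard))


def matches(packet_addr: str, address: str, wildcard: str) -> bool:
    """A wildcard bit of 1 means 'ignore', 0 means 'must match'."""
    keep = ~to_int(wildcard)
    return (to_int(packet_addr) & keep) == (to_int(address) & keep)


def count_matches(address: str, wildcard: str, network: str) -> int:
    """How many addresses of `network` the condition hits; a quick way to
    see whether a mask is far wider or narrower than intended."""
    return sum(1 for h in ipaddress.IPv4Network(network)
               if matches(str(h), address, wildcard))


if __name__ == "__main__":
    print(subnet_to_wildcard("255.255.255.240"))   # 0.0.0.15
    print(prefix_to_wildcard(22))                  # 0.0.3.255
    print(normalize("172.16.1.1", "0.0.255.0"))    # 172.16.0.1
    # Mistake 1: a subnet mask typed where a wildcard belongs matches only
    # addresses ending in .0, even in an unrelated network.
    print(count_matches("192.168.1.0", "255.255.255.0", "10.0.0.0/24"))  # 1
    # Mistake 2: 255.255.255.255 matches everything, whatever the address.
    print(count_matches("192.168.1.1", "255.255.255.255", "10.0.0.0/24"))  # 256
    # Mistake 3: 0.0.0.0 matches exactly one address, the network number.
    print(count_matches("192.168.1.0", "0.0.0.0", "192.168.1.0/24"))  # 1
```

The `count_matches` helper is a cheap sanity check worth running before committing an ACL line: a condition meant for one /24 that hits 256 addresses of a different network is the second mistake in the list, and one that hits a single address when a whole subnet was intended is the third.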
The simplest way to compute the wildcard mask is to take 255.255.255.255 - subnet mask
for example:
+ your IP address is 10.0.0.1/255.0.0.0 => the wildcard mask is 255.255.255.255 - 255.0.0.0 = 0.255.255.255
+ the subnet mask is 255.255.0.0 => the wildcard mask is 255.255.255.255 - 255.255.0.0 = 0.0.255.255
+ As in your example, your IP address is 192.168.4.0/255.255.252.0, so you take 255.255.255.255 - 255.255.252.0 = 0.0.3.255
Good luck!!!
Originally posted by BigBom84:
In this last illustration, I use an example that you might see on a CCIE Routing and Switching or Security written or lab exams. In this example, you are given the following network: 172.16.0.0/16. In this network, you want to match on the first address in each subnet, where the subnet mask is /24. You do not care about the subnet number; you care only about the first address in every subnet, such as 172.16.0.1, 172.16.1.1, 172.16.2.1, and so on. Given these requirements, what kind of address and wildcard mask would you use for your condition? Given the requirements, the address must begin with 172.16. Therefore, the first two octets in the wildcard mask are 0.0. You do not care about the subnet number in the third octet, so the wildcard mask is 255 here. But you do care about the last octet. You want to match on the first address (.1), resulting in a 0 in the fourth octet of the wildcard mask. Therefore, the resulting address and wildcard mask in the condition would be 172.16.0.1 0.0.255.0.
BigBom84's method is exactly right:
there are 2 values:
+ subnet mask
+ wildcard mask
=> to compute either value (wildcard mask or subnet mask), just take 255.255.255.255 minus the wildcard or subnet value and you get the value you need for that network.
Hello!!!
While we're at it, here is a practice exercise for everyone:
Create an access-list that blocks all hosts with an even IP address in network 172.16.5.0/24 from accessing the internet on port 80
Have fun everyone!!!
Originally posted by tranmyphuc:
Hello!!!
While we're at it, here is a practice exercise for everyone:
Create an access-list that blocks all hosts with an even IP address in network 172.16.5.0/24 from accessing the internet on port 80
Have fun everyone!!!

access-list 100 deny tcp 172.16.5.0 0.0.0.254 any eq 80
access-list 100 permit ip any any
! applied in interface configuration mode on the LAN-facing interface
 ip access-group 100 in
Looking forward to discussing this further with everyone
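The mask 0.0.0.254 in the answer above is a discontiguous wildcard: every bit of the last octet is ignored except the lowest one, which must equal the 0 in 172.16.5.0, so only even hosts match. The following added example, not the thread's own configuration, enumerates 172.16.5.0/24 to confirm exactly which hosts the deny line selects, and also shows the odd-host counterpart (base .1) and what the common mistake of using 0.0.0.255 would select instead. The network, address and wildcard are the exercise's; the helper names are constructed here.

```python
# Added example, not the thread's own config: enumerate which hosts of
# 172.16.5.0/24 the condition "172.16.5.0 0.0.0.254" selects.
import ipaddress


def wc_matches(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 1 = ignore, 0 = must match the condition address."""
    keep = ~int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & keep) == \
           (int(ipaddress.IPv4Address(base)) & keep)


def matched_hosts(base: str, wildcard: str, network: str = "172.16.5.0/24"):
    """All addresses of `network` (including .0 and .255) hit by the condition."""
    return [str(h) for h in ipaddress.IPv4Network(network)
            if wc_matches(str(h), base, wildcard)]


def last_octets(hosts):
    return [int(h.rsplit(".", 1)[1]) for h in hosts]


def parity_ok(hosts, even: bool) -> bool:
    """True if every host has the expected parity in its last octet."""
    return all((o % 2 == 0) == even for o in last_octets(hosts))


if __name__ == "__main__":
    even = matched_hosts("172.16.5.0", "0.0.0.254")
    print(len(even), even[:3], "...", even[-1])          # 128 even hosts
    odd = matched_hosts("172.16.5.1", "0.0.0.254")
    print(len(odd), odd[:3], "...", odd[-1])             # 128 odd hosts
    print(len(matched_hosts("172.16.5.0", "0.0.0.255"))) # 256: the whole /24
```

Note that with the 0.0.0.254 mask the third octet is fully checked, so a packet from 172.16.6.x never matches the deny line and falls through to the permit, which is the behaviour the exercise asks for.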
The wildcard mask is obtained by taking the default SM 255.255.255.255 minus the SM of the subnet
as in the example above
network 192.168.4.0 - .7.0 is 0.0.3.255
from .4.0 to .7.0 are all subnets with SM /22
to know this, the problem will give you enough information to compute the SM. If it doesn't, use the classful default
We have
  255.255.255.255
- 255.255.252.0 (this is the SM for /22) (if you don't know this, give up)
= 0.0.3.255
That's all!!!
If you need anything, contact me by mail at maimaimottinhyeu_hatinh_dh1987@yahoo.com
Last edited by lyquangthien; 14-06-2010, 11:48 PM.