access-list issue


Hi,

We know access-list 12 permit 192.89.55.0 255.255.255.0

is invalid, because the wildcard is wrong.

My problem is that the router did not give any error message when I typed it in; instead it changed it to access-list 12 permit 0.0.0.255 255.255.255.0 and added that to the configuration. This causes a lot of problems because some of the network addresses pass the filter.

Is it a bug in Cisco IOS?

R7>sh ver
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-JK9O3S-M), Version 12.3(12), RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Mon 29-Nov-04 15:39 by kellythw

Image text-base: 0x80008098, data-base: 0x81FB49F0

ROM: System Bootstrap, Version 12.2(7r) [cmong 7r], RELEASE SOFTWARE (fc1)
ROM: C2600 Software (C2600-JK9O3S-M), Version 12.3(12), RELEASE SOFTWARE (fc3)

R7 uptime is 3 days, 19 hours, 46 minutes
System returned to ROM by reload
System image file is "flash:c2600-jk9o3s-mz.123-12.bin"

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
[email protected].

cisco 2621XM (MPC860P) processor (revision 0x100) with 94208K/4096K bytes of memory.
Processor board ID JAE07330L5V (761626841)
M860 processor: part number 5, mask 2
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
TN3270 Emulation software.
2 FastEthernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
32K bytes of non-volatile configuration memory.
32768K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

R7>

sundar.palaniappan Mon, 02/26/2007 - 14:46

It's not a bug in the IOS. 0.0.0.255 255.255.255.0 is a valid access list statement in which the router doesn't care about the first 3 octets. Any traffic from .255 is the only traffic that will be permitted. Though, in your case, it's a broadcast address and cannot be used. There can be many situations where someone entering a subnet mask by mistake in an ACL could translate to a valid/useful access control entry. Hence, the router always translates the ACE to the right address/wildcard mask.

It's easy to make a typo or an unintentional error when configuring an access list. After configuring an ACL, I always double-check my work by doing a 'show access-list (#)' and verifying that it's configured the way I want it to be.

HTH

Sundar

deilert Mon, 02/26/2007 - 16:27

Kevin, the router is interpreting the wildcard mask just as it was put in:

192.89.55.0 255.255.255.0 = ignore the first octet, ignore the second octet, ignore the third octet and match the last octet of the IP address, hence the 0.0.0.255.
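Both replies above describe the same rule: a 1 bit in the wildcard means "don't care", a 0 bit means "must match", and IOS keeps only the "must match" bits of the typed address instead of rejecting the entry. The Python below is added here as an illustration (it is not from the thread or from Cisco) and models that rule, then adds the check a configuration linter would run to catch a subnet mask typed where a wildcard belongs; the ACL entries and host addresses it uses are constructed.

```python
import ipaddress


def _ip(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


def canonical_ace(address: str, wildcard: str) -> str:
    """Address as the router stores it: every bit the wildcard marks as
    don't-care (1) is cleared, only the 'must match' bits survive."""
    return _dotted(_ip(address) & ~_ip(wildcard))


def ace_matches(address: str, wildcard: str, host: str) -> bool:
    """A host matches when it agrees with the address on every bit the
    wildcard marks 0; bits marked 1 are ignored."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(address) & care) == (_ip(host) & care)


def wildcard_looks_like_subnet_mask(wildcard: str) -> bool:
    """Flag a 'wildcard' whose 1 bits form a contiguous run from the top of
    the word, i.e. a subnet mask typed where a wildcard was meant.
    0.0.0.0 (host) and 255.255.255.255 (any) are legitimate and not flagged."""
    wc = _ip(wildcard)
    if wc in (0, 0xFFFFFFFF):
        return False
    low_ones = ~wc & 0xFFFFFFFF  # the inverse of a subnet mask is 2**n - 1
    return low_ones & (low_ones + 1) == 0


def audit_acl(entries):
    """Return the (address, wildcard) entries whose wildcard looks like a
    subnet mask, the check to run before the change is pushed."""
    return [(a, w) for a, w in entries if wildcard_looks_like_subnet_mask(w)]


# Constructed sample ACL: the entry from the thread plus a correct one.
SAMPLE_ACL = [
    ("192.89.55.0", "255.255.255.0"),  # subnet mask typed as wildcard
    ("10.20.0.0", "0.0.255.255"),      # proper wildcard for a /16
]

if __name__ == "__main__":
    a, w = SAMPLE_ACL[0]
    print("stored as", canonical_ace(a, w), w)                        # 0.0.0.0 255.255.255.0
    print("192.89.55.7 matches:", ace_matches(a, w, "192.89.55.7"))   # False
    print("10.1.1.0 matches:", ace_matches(a, w, "10.1.1.0"))         # True
    print("flagged entries:", audit_acl(SAMPLE_ACL))
```

With the mistaken wildcard the entry keys only on the last octet, so a host outside 192.89.55.0/24 such as 10.1.1.0 passes while 192.89.55.7 does not; with the intended 0.0.0.255 the whole /24 matches.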
