issue with ACL configuration

Unanswered Question
Jun 29th, 2007

Hi!!


Although it could be a basic question regarding ACL configuration, we had an issue when we did this:

access-list X permit 195.104.26.0 255.255.255.0


By mistake we put the normal or natural network mask (not the wildcard "inverse" mask) into the command line.


The result on router is as follows:


access-list X permit 0.0.0.0 255.255.255.0


Is it normal?


The intention here was to permit the network 195.104.26.0, not "any" (first 3 octets).


Any idea??


Thanks in advance

Richard Burts Fri, 06/29/2007 - 13:16

Pedro


You made a misconfiguration and the router did "exactly" what you told it to do. When you put the mask as 255.255.255.0, the ACL determined that nothing in the first 3 octets must match. So even though you input the ACL with numbers in the first 3 octets, the IOS determined that the appropriate value in the first 3 octets was 0, since the mask says that they do not matter. Then for the 4th octet, where your mask says that it does matter, you input 0.


So I would say that yes, it is "normal": the IOS followed its normal logic of how to interpret the mask of an ACL and did exactly what you told it to do. Except that is not what you WANTED it to do. But it is what you told it to do.


HTH


Rick

PEDRO AGUIRRE Fri, 06/29/2007 - 14:41

Hello Rick


I agree with you, because this is what the Cisco theory says.


But I think that the IOS should send an "inconsistency message", because in reality this type of inverse mask is not correct (except the masks 255.255.255.255 [any] and 0.0.0.0 [host]).


No network has a subnet mask of 0.0.0.255. According to the theory (again), the inverse mask comes from the subtraction of 255.255.255.255 minus the real mask.


For this reason, I think the IOS should not "decide" what to do.


These errors on masks and inverse masks could happen in operational areas where ACLs and static routes are required, and can seriously impact the network if we have "deny" ACLs, for example.


What do you think?


Thanks in advance


Pedro.

mohammedmahmoud Fri, 06/29/2007 - 22:47

Hi,


I actually disagree with you, as with ACLs any possible wildcard is meaningful. I'll give you an example:


To match these networks in one ACL statement:


10.0.0.0/16

10.4.0.0/16

10.32.0.0/16

10.36.0.0/16


access-list 1 permit 10.0.0.0 0.36.0.0


Another example would be to match all the odd IPs in this subnet, "10.0.0.0/24":


access-list 1 permit 10.0.0.1 0.0.0.254 (last bit is always 1, thus the address is always odd)


So as you can see, there is nothing called inconsistent wildcard mask.


I hope that I've been informative.


HTH,

Mohammed Mahmoud.
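
The two explanations above (Rick's account of how IOS clears the address bits that the wildcard marks as "don't care", and Mohammed's examples of non-contiguous wildcards) can be checked with a small model of wildcard-mask matching. The following Python is an added example written for this thread, not code from Cisco or from any poster; the function names (`normalize_ace`, `ace_matches`, `wildcard_from_netmask`, `lint_ace`) are my own, and `lint_ace` is one way to implement the "warning message" Pedro asks for: it flags an entry whose typed address has bits set in positions the wildcard says do not matter, which is exactly the case IOS rewrites silently.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _to_int(dotted):
    """Convert a dotted-quad string such as '195.104.26.0' to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def _to_str(value):
    """Convert a 32-bit integer back to dotted-quad form."""
    return str(ipaddress.IPv4Address(value))


def normalize_ace(address, wildcard):
    """Return the address IOS stores for an ACL entry.

    A wildcard bit of 1 means "don't care", so those address bits are cleared.
    This is why 'permit 195.104.26.0 255.255.255.0' is stored as
    'permit 0.0.0.0 255.255.255.0' (Pedro's case).
    """
    care_bits = ~_to_int(wildcard) & ALL_ONES
    return _to_str(_to_int(address) & care_bits)


def ace_matches(address, wildcard, candidate):
    """True if candidate matches the entry: every bit where the wildcard is 0
    must be equal in candidate and address; bits where the wildcard is 1 are ignored."""
    care_bits = ~_to_int(wildcard) & ALL_ONES
    return (_to_int(candidate) & care_bits) == (_to_int(address) & care_bits)


def wildcard_from_netmask(netmask):
    """The rule Pedro quotes: wildcard = 255.255.255.255 minus the subnet mask,
    which is the bitwise complement of the mask (255.255.255.0 -> 0.0.0.255)."""
    return _to_str(~_to_int(netmask) & ALL_ONES)


def lint_ace(address, wildcard):
    """Hypothetical syntax check. Return a warning string when the typed address
    has bits set in positions the wildcard marks as don't-care (IOS would silently
    clear them), or None when the entry is already in canonical form."""
    stored = normalize_ace(address, wildcard)
    if stored != address:
        return (f"warning: address {address} has bits set where wildcard {wildcard} "
                f"says don't care; IOS will store {stored} {wildcard}")
    return None


if __name__ == "__main__":
    # Constructed inputs taken from the thread.
    print(normalize_ace("195.104.26.0", "255.255.255.0"))   # 0.0.0.0
    print(wildcard_from_netmask("255.255.255.0"))           # 0.0.0.255
    print(lint_ace("195.104.26.0", "255.255.255.0"))        # warning
    print(lint_ace("195.104.26.0", "0.0.0.255"))            # None
    # Mohammed's first example: one entry covering four /16 networks.
    for net in ("10.0.0.0", "10.4.0.0", "10.32.0.0", "10.36.0.0", "10.8.0.0"):
        print(net, ace_matches("10.0.0.0", "0.36.0.0", net))  # last one is False
    # Mohammed's second example: only odd hosts in 10.0.0.0/24.
    print(ace_matches("10.0.0.1", "0.0.0.254", "10.0.0.7"))  # True
    print(ace_matches("10.0.0.1", "0.0.0.254", "10.0.0.8"))  # False
```

Running it shows both sides of the argument at once: `normalize_ace` reproduces the rewrite Pedro saw, `ace_matches` confirms that Mohammed's 0.36.0.0 and 0.0.0.254 wildcards are legitimate non-contiguous masks rather than errors, and `lint_ace` distinguishes the two by a simple test: an entry is suspicious only when the address and wildcard disagree about which bits are significant, not merely because the wildcard is non-contiguous.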

Richard Burts Sat, 06/30/2007 - 18:12

Pedro


It is a difficult decision to determine whether the command that was input on the command line was a conceptual mistake or whether the person was attempting to accomplish some subtle distinction. Most of the time the IOS just accepts the configuration statement, and that is what happened in your situation.


Every time that I am running Windows software and attempt to do something and Windows changes it (because it thinks that it knows better what is logical) I am reminded of the dangers of overriding the user input.


HTH


Rick

PEDRO AGUIRRE Sun, 07/01/2007 - 19:10

Hi Rick


Thanks for your time.


I only ask for an IOS "warning message", because I know the way to put a "don't care" bit on the network address, and believe me, in this case I didn't want that result. It was only a simple syntax error, but I never thought that IOS could change the first three octets!!


In this particular case I wished IOS had sent me a "warning message" (like IOS does with a duplicated IP address in interface configuration).


What is the logical intention of putting any number greater than zero in an address octet if, in the corresponding wildcard mask octet, I put 255??


If, as you say, "most of the time the IOS accepts the configuration", it's all right, but then accept it as I typed it, or simply do not accept the command line.


What do you think?


Do you think it could be a way to improve and ensure the use of ACLs?


There are some dangers in normal ACL use and application; this "warning message" could make ACLs safer, beginning with a syntax validation.


Regards...
