ACL and subnet mask

Unanswered Question
Sep 27th, 2007

Hello,

Do you know why Cisco keeps using inverted subnet masks (example: 10.0.0.0 0.0.0.255)?

It would be simpler and safer to use a number to define a mask (example: 255.0.0.0 - normal or 0.0.0.255 - inverted => 8), no?

Regards

Pet

****************

http://www.openmaniak.com

paul.matthews Thu, 09/27/2007 - 23:49

Because it is a wildcard, not a mask.

A mask must be contiguous; a wildcard need not be. Using them the opposite way makes that a little less confusing.

I also suspect that when initially coding, it may have been more efficient somehow to use them this way round.

Paul.

peterjohnes1985 Sat, 09/29/2007 - 12:39

Thanks for your answer. I think it is more for backward compatibility, to keep the same syntax on all the IOSs.

For example, the Juniper and the Vyatta routers use only a number for the mask (or the inverted mask, which only exists on Cisco).

Regards

Pet.

*********

http://openmaniak.com

paul.matthews Mon, 10/01/2007 - 00:05

Using a number for the wildcard on an ACL would make it either more difficult or very awkward to do some creative stuff with ACLs.

Take a position where you have a VERY structured IP addressing scheme based on 10.0.0.0, and you use the middle two octets to signify where the network is, and what type of network.

The high half of the second octet is north, the low half south, and even numbers are used for private networks, odd for public. The third octet being odd means it is a wireless network.

You want to permit private wireless in the south.

That's 10.0xxxxxx0.xxxxxxx1.don't care

or acce 10 pe ip 10.0.1.0 0.129.1.255 - simply all those conditions in one line of an access list.

TBH I quite like it as it is, but I have been working with it for a number of years so am familiar with it. What this all means is that I can see that it is a mask, and that it is legit (a mask must be contiguous, so the allowed values are 128, 192, 224, 240, 248, 252, 254 and 255), or that it is a wildcard. The way it gets presented makes it obvious as well.

10.23.0.0 255.255.0.0 is *clearly* a mask.

0.0.23.46 255.255.0.0 is clearly a wildcard, as the bits that are 1 in the wildcard are zero in the "address".

It may look confusing, but once you get the hang of it, it makes sense.

Paul.
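The two rules Paul relies on above (a mask must be contiguous, a wildcard need not be; a 1 bit in a wildcard means "don't care") as an added Python example, not code from the thread or from Cisco. The function names and the sample addresses fed to Paul's ACE are my own; the check also shows why a non-contiguous wildcard has no /n equivalent, which is the objection to Pet's single-number proposal.

```python
import ipaddress


def to_int(dotted: str) -> int:
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def is_contiguous_mask(mask: str) -> bool:
    """True when the mask is a run of 1 bits followed by 0 bits (255.255.0.0 yes, 255.0.255.0 no)."""
    inverted = ~to_int(mask) & 0xFFFFFFFF
    # A run of trailing 1 bits is exactly a value of the form 2**k - 1.
    return (inverted & (inverted + 1)) == 0


def wildcard_to_prefix_len(wildcard: str):
    """Prefix length equivalent to a wildcard, or None if the wildcard is not
    contiguous (then no single-number /n form can express it)."""
    w = to_int(wildcard)
    if w & (w + 1):
        return None
    return 32 - w.bit_length()


def ace_matches(address: str, base: str, wildcard: str) -> bool:
    """IOS access-list entry semantics: compare only the bits where the wildcard is 0."""
    care_bits = ~to_int(wildcard) & 0xFFFFFFFF
    return ((to_int(address) ^ to_int(base)) & care_bits) == 0


if __name__ == "__main__":
    # Paul's examples from the thread.
    print(is_contiguous_mask("255.255.0.0"))          # a legit mask
    print(wildcard_to_prefix_len("0.0.0.255"))        # 24: this wildcard has a /n form
    print(wildcard_to_prefix_len("0.129.1.255"))      # None: no /n form exists
    # Constructed addresses tested against the ACE 10.0.1.0 0.129.1.255.
    for addr in ("10.0.1.7", "10.128.0.200", "10.2.1.1"):
        print(addr, ace_matches(addr, "10.0.1.0", "0.129.1.255"))
```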
