ACL Problem...

Unanswered Question
Dec 12th, 2007

Hi Seniors, the following are two access-list statements. I wonder whether, instead of using two statements, we can't use only one, as there is no other network. Please help.

access-list 130 permit tcp host eq www

access-list 130 permit tcp host eq www

When I answered this question, I used the following statement:

access-list 130 permit tcp any host eq www

Please guide me on this issue.... Thanks.

swmorris Thu, 12/13/2007 - 04:24

Look at the binary. Your differences are in the 3rd octet. We have the "CCNA/NP" version of an answer, and the "CCIE" version. :)

.5 = 00000101

.7 = 00000111

Diff ------^-

CCNA/NP Answer:

access-list 130 permit tcp host eq www

That will permit from .4 through .7 (tightest range there)

CCIE Answer:

access-list 130 permit tcp host eq www

There is only 1 bit of difference between '5' and '7' (in the 2-bit position). The router treats each bit independently as far as evaluation goes.

Binary like this can make your brain hurt though, which is why there are different answers depending on which certification you are going for! :)


Hi Scott

I'm only CCNA, studying for CCNP, so your first option is what I am used to, but can I just ask if you could use the CCIE option in your CCIE lab exam without being failed, and also out in the real world without causing any issues? It seems to go against everything that I have learned so far.

Looking at the access list in the original post, it looks like the subnets and are permitted, so I am assuming that and are to be denied. So I would have written the access list as in the original post (a line for each subnet), UNLESS I was specifically asked to allow the .4.0 and .6.0 subnets also.

Best Regards,


swmorris Thu, 12/13/2007 - 06:03

With CCNA/NP, we are taught ACLs much like we are taught subnetting. There's a RANGE of addresses/networks that we are going to allow or deny. So it's like drawing a line in the bits, saying everything on the left is staying the same and everything on the right can be whatever value it wants.

In the router's world of thinking (which is much what the CCIE lab is about), every bit can be treated individually. There are no drawbacks for the lab, or for real-life implementations. If you have ever heard of compiled or turbo ACLs, that's the type of binary thinking the router does for us (but doesn't show us for good reason!).

So the reason my NA/NP answer was different from the previous poster's is that they used a mask which would permit from .0 through and including the .7 subnet, when we were only concerned with .5 and .7...

Even working on drawing that line (like a subnet) to include both .5 and .7 together in one line, you could use the .4 through .7 bit boundary ( and be stricter.

I'm always a big fan of not permitting more than I have to!

So even in NA/NP, you still need to be concerned with the different bit boundaries, you just don't need to reach that freaky-strange level that CCIEs do! Or, I should say, you CAN, but if you do your NA/NP tests will not agree with your answers.


LordFlasheart Thu, 12/13/2007 - 06:45

Well you learn something new every day. Thanks for that info, it may just come in useful.

May I ask - can you define any arbitrary block such as to and have the wildcard mask as



swmorris Thu, 12/13/2007 - 07:48

hehehe... So I've opened a can of worms here... (My apologies to those who hate binary!)

So in your example you have the .13 network and the .51 network.

13 = 00001101

51 = 00110011

The problem that we have is the number of bits that are different. Logically what we are doing is called XOR or exclusive or. It's easier to think about evaluating "what is the same" and "what is different" in the binary layout.

A 0-bit in a wildcard mask indicates that the bit will stay the same. A 1-bit indicates that you don't care what the value is.

So looking back up there, we end up with a mask of 00111110 if we use the XOR logic. That leads us to a mask of 62.

Now (perhaps getting ahead of things here) one check that we can do on our mask has to do with the number of 1-bits set. 2^x (where x = number of 1-bits) will tell us the number of matches that mask will give. Here there are 5 1-bits, so 2^5 = 32 matches.

While this will match our two entries, it will match many more as well (not cool).

Let me give an easier example to visualize. A mask of .3 will match four things. A mask of .5 will also match four things. In both, there are two bits set to the 1 value in the mask. That means we don't care what the values are for those bits.

So we can use 00, 01, 10 or 11 to fill in those bit positions (the four possible permutations).

So let's look at your math now. You came up with a mask of .39 for that octet. From a decimal perspective that makes sense (subtract 13 from 51 and you get 39), but in binary that doesn't work.

Since I'm pretty sure you reverse-engineered that from my earlier example, let me tell you a little secret....

The subtraction method ONLY works when your result is an exponent of 2. So if you subtract the two numbers and the answer is 128, 64, 32, 16, 8, 4, or 2 then there is only one bit of difference and that is also the bit and mask value. Sometimes if your answer is 1 this is true, but it's also possible you are over a bit boundary (e.g. 3 & 4 it's not true).

Initially though, stick with the binary method of looking at things and this will begin to make more sense.

If it takes a while, don't feel bad. Every week, I still have CCIE candidates staring at me like I have three heads when we go over this stuff! (Really, I only have one)


Hi Scott

Now my brain is officially fried :)

Is this stuff covered in the Wendell Odom or Jeff Doyle CCIE books?

I would like to understand this better. Even though I am only an NP candidate at present.

I would have come up with a wildcard mask of as there are 39 subnets covered within the range of 13.0 to 51.0, and so far in my NP studies the wildcard mask is always 1 less than the number of subnets.

I dislike the way our studies make us believe something as gospel only to trash that belief when we progress further with our studies. I wish they would just give it to us straight from the start.

Best Regards,


swmorris Thu, 12/13/2007 - 10:03

heheheh... Sorry on the brain part. :)

No, nobody's book really covers this kind of thinking, and likely for a good reason.

The binary that a router does is not critical to making subnets, which is where you start out.

In a subnet (assigned to an interface) we cannot get creative like this. So the books are all accurate. Bits either represent the network or the host, that's it. And there's a line.

In an ACL when starting out, you are only setting things up to filter based on a network, so the EASIEST thing is to apply the logic that you did to a subnet.

After having a firm grasp of this, then it becomes a little easier to have a paradigm shift. So no worries about accepting the gospels early on!

How would you have reacted to long division in second grade? It's related to addition, kinda. It's all the same numbering system. :)

Some things are better learned in stages! And even looking at your logic to get 38 (the -2 only applies to hosts by the way when counting them as network/broadcast addresses). But we still have to draw the lines at bit boundaries which would have made a .63 mask to cover both sides!

My apologies on taking this one too far. I tend to answer a lot of questions on CCIE forums and that's most of the training I do, so that initially is where my mind is at. The initial question I (mistakenly) assumed was looking for that kind of direct binary answer.

Hang on to the drawing lines right now. It really is not a bad thing! Understanding the basics is highly underrated, but incredibly important!

(As a side note, making ACLs the way that I do serves no "good" purpose other than a level of understanding and a cool way to mess with your friend's heads!)



tahir1234 Thu, 12/13/2007 - 15:46

Thanks Scott for this great help. I am clear on the ACL topic.

Scott, as I am new to the networking field, I have a question; it might be a stupid one, but...

"If one device can communicate through MAC with another device, why layer-3 addressing??"

Thanks again for guidance......

swmorris Thu, 12/13/2007 - 17:16
tahir1234 Fri, 12/14/2007 - 15:54

Hi Scott, every time I read some article on ACLs for solving tricky questions on masking at CCNA level I get lost... can you please shed some more light on this topic with reference to CCNA level and with some good examples. Yesterday I encountered a problem, like: for four engineers an org. has four stations whose IPs are there are two eng. servers using IPs & engineers use three TCP applications between their workstations and the server: telnet, FTP, and X Windows. The goal is to write some ACL entries that will match these applications from the engineering workstations to the engineering servers. I think we can write 40 entries (4*2*5), but Scott, can you write down some easy way? You always help us in learning technology.

tahir1234 Fri, 12/14/2007 - 17:07

A "broadcast message" to everyone preparing for the CCNA exam: please, there is no substitute for hands-on experience; spend as much time on actual routers as you can, so don't try to memorize things. CCNA is not cheating, it is a real test... good luck to all.... The hardest thing for me is "access lists" in CCNA; if somebody has good material on this topic please send.... thanks....

swmorris Fri, 12/14/2007 - 17:07

At the CCNA level, you are only concerned with things that you can group together (e.g. in numerical order). That would be 4, 5, 6, 7.

4 = 00000100

5 = 00000101

6 = 00000110

7 = 00000111

Notice that the first 6 bits are the same. That helps us draw our line. (The last two bits can vary.)

163 = 10100011

179 = 10110011

Now, technically, there is only one bit of difference between these two, but IMHO at CCNA level, nobody cares.

So I would write:

acl 101 permit tcp host eq (each protocol)

acl 101 permit tcp host eq (each protocol)

As you move up in ranks, you'd look at:

acl 101 permit tcp eq (each protocol)

One step at a time though! Concentrate on the bundles that are grouped like a subnet rather than the oddball things!

But visually, this is all easier if you work in binary. Use Windows Calculator to help you in the translations as necessary!
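Scott's XOR ("CCIE") method and the 2^x match-count check from his reply further up, together with the CCNA/NP "draw a line" mask from this one, as an added Python example that is not from the thread; the 10.1.x.y addresses are constructed stand-ins for the ones the posts lost, and the function names are my own.

```python
import ipaddress


def _ints(addresses):
    return [int(ipaddress.IPv4Address(a)) for a in addresses]


def _fmt(n):
    return str(ipaddress.IPv4Address(n & 0xFFFFFFFF))


def xor_wildcard(addresses):
    """Scott's 'CCIE' method: a wildcard bit is 1 ("don't care") wherever
    any two addresses differ and 0 wherever they all agree; the base
    address keeps only the bits that must match."""
    ints = _ints(addresses)
    diff = 0
    for v in ints[1:]:
        diff |= ints[0] ^ v          # XOR marks the differing bits
    return _fmt(ints[0] & ~diff), _fmt(diff)


def subnet_wildcard(addresses):
    """'CCNA/NP' method: draw one line at the highest differing bit and make
    everything to its right don't-care, giving a contiguous wildcard
    (the .4-.7 block for .5 and .7, the .63 mask for .13 and .51)."""
    _, diff = xor_wildcard(addresses)
    wild = (1 << int(ipaddress.IPv4Address(diff)).bit_length()) - 1
    return _fmt(_ints(addresses)[0] & ~wild), _fmt(wild)


def match_count(wildcard):
    """2^x addresses match, where x is the number of 1 bits in the wildcard."""
    return 1 << bin(int(ipaddress.IPv4Address(wildcard))).count("1")


def matches(addr, base, wildcard):
    """How the router evaluates an entry: compare only the unmasked bits."""
    w = int(ipaddress.IPv4Address(wildcard))
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    return (a & ~w) == (b & ~w)


if __name__ == "__main__":
    # Constructed sample networks standing in for the thread's octet values.
    for group in (["10.1.5.0", "10.1.7.0"], ["10.1.13.0", "10.1.51.0"],
                  ["10.1.1.163", "10.1.1.179"]):
        for name, fn in (("CCIE", xor_wildcard), ("CCNA/NP", subnet_wildcard)):
            base, wild = fn(group)
            print(f"{name:7} {group} -> {base} {wild} ({match_count(wild)} matches)")
```

Comparing the two results for each pair shows how many extra addresses the contiguous mask lets through; the .13/.51 case is the one where even the XOR mask still over-matches (32 hits for 2 intended networks).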


tahir1234 Fri, 12/14/2007 - 19:40

Scott's explanation is extremely helpful, but ACLs are getting harder for me... can you help in solving this problem (I am feeling bad for asking questions again and again.. sorry)..

Problem: I have three lab routers


Toronto s0=

Montrial s0=

Montrial s1=

Sudney s1=

All routers are running EIGRP and are connected. I placed an extended ACL on Sudney s1 inbound to restrict telnet from both Toronto & Montrial in the following way:

acl 110 deny tcp host eq telnet

acl 110 permit ip any any

int s1,,ip access-group 110 in

---> Toronto telnet is denied but Montrial is not denied. Why? I tried several ways but nothing... Please Scott, guide me.. thanks

swmorris Fri, 12/14/2007 - 21:11

The answer to that has nothing to do with access-lists! It has to do with how your router is thinking. :)

Montreal has a directly connected link to Sydney. If you went over to Sydney and did "debug ip packet" (hopefully this is a lab, don't do this in production!) you'd see the incoming packets being sourced from, NOT from Therefore it would match the second line of your ACL, the permit.

You could use "ip telnet source s0" to change how things are sourced there, but by default your router will source packets from the nearest outbound interface's IP address.


PS. Vast collection of useless knowledge. :)
