Access-list

Answered Question
Jun 16th, 2008

Hello,

Very basic question..which is throwing me off.

We never use this in Production environment. But when we have an access-list like following

access-list 1 permit 0.0.0.0 255.255.255.255

This means..we are allowing any host ( 0.0.0.0) and what is confusing me is 255.255.255.255.. ( Does this mean any subnet).

Usuallay in access-list we use inverse mask. so if it's /24 our statement would be something like this

access-list 1 permit 0.0.0.0 0.0.0.255 and this would translate to any host ( 0.0.0.0) with a subnet of /24.

But 0.0.0.0 255.255.255.255.. correct me if my understanding is correct. this would translate to any host with any subnet mask.

Thanks

I have this problem too.
0 votes
Correct Answer by hennigan about 8 years 7 months ago

The "inverse mask" used in access lists treats a "1" bit as "don't care". When you specify 255.255.255.255 you set all bits as "don't care" so any host is permitted. In fact, you could substitute any address at all for the 0.0.0.0 in your example, as all of the bits in the address will be ignored by the all-1s mask.

You could also specify

access-list 1 permit any

which is easier for humans to understand.

You can see how it works in the example of the /24 you listed. The first three octets of the mask are zeros so the first three octets must match the address specified. All of the bits in the last octet are 1 so whatever is in the last octet is "don't care" or ignored. The list

access-list 1 permit 1.2.3.0 0.0.0.255

will allow any host between 1.2.3.0 and 1.2.3.255. You could also write this as

access-list 1 permit 1.2.3.199 0.0.0.255

and have the same results as all bits in the last octet are "don't care", ignored.

Similarly, any address with a mask of 255.255.255.255 matches any.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Correct Answer
hennigan Mon, 06/16/2008 - 08:57

The "inverse mask" used in access lists treats a "1" bit as "don't care". When you specify 255.255.255.255 you set all bits as "don't care" so any host is permitted. In fact, you could substitute any address at all for the 0.0.0.0 in your example, as all of the bits in the address will be ignored by the all-1s mask.

You could also specify

access-list 1 permit any

which is easier for humans to understand.

You can see how it works in the example of the /24 you listed. The first three octets of the mask are zeros so the first three octets must match the address specified. All of the bits in the last octet are 1 so whatever is in the last octet is "don't care" or ignored. The list

access-list 1 permit 1.2.3.0 0.0.0.255

will allow any host between 1.2.3.0 and 1.2.3.255. You could also write this as

access-list 1 permit 1.2.3.199 0.0.0.255

and have the same results as all bits in the last octet are "don't care", ignored.

Similarly, any address with a mask of 255.255.255.255 matches any.

shassan655 Mon, 06/16/2008 - 09:05

Hello,

Thanks...alot...

Now it's clear

access-list 1 permit 0.0.0.0 255.255.255.255

= access-list 1 permit any...

Actions

This Discussion