Access-list

Answered Question
Jun 16th, 2008

Hello,

Very basic question, which is throwing me off.


We never use this in a production environment. But when we have an access-list like the following


access-list 1 permit 0.0.0.0 255.255.255.255


This means we are allowing any host (0.0.0.0), and what is confusing me is the 255.255.255.255. (Does this mean any subnet?)


Usually in an access-list we use an inverse mask, so if it's a /24 our statement would be something like this


access-list 1 permit 0.0.0.0 0.0.0.255

and this would translate to any host (0.0.0.0) with a subnet of /24.


But 0.0.0.0 255.255.255.255... correct me if my understanding is wrong, but this would translate to any host with any subnet mask.


Thanks

Correct Answer by hennigan, Mon, 06/16/2008 - 08:57

The "inverse mask" used in access lists treats a "1" bit as "don't care". When you specify 255.255.255.255 you set all bits as "don't care" so any host is permitted. In fact, you could substitute any address at all for the 0.0.0.0 in your example, as all of the bits in the address will be ignored by the all-1s mask.


You could also specify


access-list 1 permit any


which is easier for humans to understand.


You can see how it works in the example of the /24 you listed. The first three octets of the mask are zeros so the first three octets must match the address specified. All of the bits in the last octet are 1 so whatever is in the last octet is "don't care" or ignored. The list


access-list 1 permit 1.2.3.0 0.0.0.255


will allow any host between 1.2.3.0 and 1.2.3.255. You could also write this as


access-list 1 permit 1.2.3.199 0.0.0.255


and have the same results as all bits in the last octet are "don't care", ignored.


Similarly, any address with a mask of 255.255.255.255 matches any.
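As an added example that is not part of the original thread, the matching rule hennigan describes written out in Python: a 1 bit in the wildcard mask is ignored, so 0.0.0.0 255.255.255.255 matches every host and 1.2.3.199 0.0.0.255 is the same entry as 1.2.3.0 0.0.0.255 once the don't-care bits are cleared. The `evaluate_acl` helper and its sample list are constructed for this example; the implicit "deny any" it falls back to mirrors how a Cisco ACL ends, but is not something the thread discusses.

```python
import ipaddress


def to_int(dotted: str) -> int:
    """Dotted-quad IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def acl_matches(entry_addr: str, wildcard: str, host: str) -> bool:
    """Cisco wildcard match: a 1 bit in the wildcard means 'don't care',
    so only the bits where the wildcard is 0 have to agree."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(entry_addr) ^ to_int(host)) & care == 0


def canonical_entry(entry_addr: str, wildcard: str) -> str:
    """Clear the don't-care bits of the address so that equivalent entries
    such as 1.2.3.199 0.0.0.255 and 1.2.3.0 0.0.0.255 compare equal."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(to_int(entry_addr) & care))


def prefix_to_wildcard(prefix_len: int) -> str:
    """Inverse of the subnet mask: /24 -> 0.0.0.255, /0 -> 255.255.255.255."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").hostmask)


def evaluate_acl(entries, host: str) -> str:
    """First matching entry wins; a host that matches nothing hits the
    implicit 'deny any' at the end of a Cisco ACL (constructed helper)."""
    for action, entry_addr, wildcard in entries:
        if acl_matches(entry_addr, wildcard, host):
            return action
    return "deny"


if __name__ == "__main__":
    # Constructed sample list: permit 1.2.3.0/24, written with the odd
    # address form from the thread; everything else falls to implicit deny.
    acl = [("permit", "1.2.3.199", "0.0.0.255")]
    print(evaluate_acl(acl, "1.2.3.7"))   # permit
    print(evaluate_acl(acl, "1.2.4.7"))   # deny
    # An all-1s wildcard ignores every address bit: the same as "permit any"
    print(acl_matches("0.0.0.0", "255.255.255.255", "198.51.100.9"))   # True
    print(acl_matches("10.9.8.7", "255.255.255.255", "198.51.100.9"))  # True
    print(canonical_entry("1.2.3.199", "0.0.0.255"))  # 1.2.3.0
```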


shassan655 Mon, 06/16/2008 - 09:05

Hello,

Thanks a lot...


Now it's clear


access-list 1 permit 0.0.0.0 255.255.255.255


= access-list 1 permit any...


