access-list

mahesh18
Level 6

we have an extended access-list to meet the following requirement:

Allow IP packets sourced from a host with address 172.16.10.1 destined for subnet 170.170.10.0 255.255.255.0.

Deny any other IP packets that are destined for the same destination subnet of 170.170.10.0.

Permit all other IP packets.

One access list that meets these requirements follows:

access-list 101 permit ip 172.16.10.1 0.0.0.0 170.170.10.0 0.0.0.255

access-list 101 deny ip 0.0.0.0 255.255.255.255 170.170.10.0 0.0.0.255

access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

can someone explain to me why on access-list 2 we have 0.0.0.0 for source IP and 255.255.255.255 for wildcard mask

Accepted Solution

Jon Marshall
Hall of Fame

Mahesh

With an inverse mask used in IOS access-list 255 means "don't care" or to put it another way 255 can match anything.

0.0.0.0 as an IP address means it can match any address.

So your second and third lines in your acl could be written

access-list 101 deny ip any 170.170.10.0 0.0.0.255

access-list 101 permit ip any any

which is a lot more straightforward IMHO.

Jon


4 Replies


Hi Jon

thanks once again

Mahesh

hennigan
Level 1

The wildcard masks are shown in longhand. A 1 bit is "don't care" and a 0 bit is "must match". So the first line match of 0.0.0.0 means every bit must match host 172.16.10.1, and the 255.255.255.255 mask on the second and third lines means that all of the bits are "don't care", so anything will be matched.

An easier way to write this would be:

access-list 101 permit ip host 172.16.10.1 170.170.10.0 0.0.0.255

access-list 101 deny ip any 170.170.10.0 0.0.0.255

access-list 101 permit ip any any
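As an added example (not code from this thread), the bit rule hennigan describes (wildcard 1 bit = "don't care", 0 bit = "must match") and the `any`/`host` shorthand Jon mentions, implemented in Python so the longhand and shorthand versions of ACL 101 can be evaluated against sample packets. The small ACE parser, the first-match-wins evaluation with an implicit deny, and the sample addresses are assumptions of this example.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # what "any" expands to in longhand

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: only bits where the wildcard is 0 must match."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF  # 0 bits -> must match
    return (a & care) == (b & care)

def _take_spec(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.X.Y.Z'."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_ace(line: str):
    """Parse 'access-list <n> permit|deny ip <src-spec> <dst-spec>' (assumed subset of IOS syntax)."""
    tokens = line.split()
    action = tokens[2]
    src, rest = _take_spec(tokens[4:])
    dst, _ = _take_spec(rest)
    return action, src, dst

def evaluate(acl_lines, src: str, dst: str) -> str:
    """First matching entry wins; an unmatched packet hits the implicit deny at the end."""
    for line in acl_lines:
        action, (sb, sw), (db, dw) = parse_ace(line)
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"

# The two forms of ACL 101 from the thread.
LONGHAND = [
    "access-list 101 permit ip 172.16.10.1 0.0.0.0 170.170.10.0 0.0.0.255",
    "access-list 101 deny ip 0.0.0.0 255.255.255.255 170.170.10.0 0.0.0.255",
    "access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255",
]
SHORTHAND = [
    "access-list 101 permit ip host 172.16.10.1 170.170.10.0 0.0.0.255",
    "access-list 101 deny ip any 170.170.10.0 0.0.0.255",
    "access-list 101 permit ip any any",
]

if __name__ == "__main__":
    for s, d in [("172.16.10.1", "170.170.10.5"), ("172.16.10.2", "170.170.10.5"),
                 ("172.16.10.2", "10.0.0.1"), ("10.9.9.9", "170.170.11.1")]:  # constructed packets
        print(s, "->", d, evaluate(LONGHAND, s, d), evaluate(SHORTHAND, s, d))
```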

Hi Hennigan

thanks for your reply

Mahesh
