06-18-2008 11:58 AM - edited 03-05-2019 11:42 PM
We have an extended access-list that must meet the following requirements:
Allow IP packets sourced from a host with address 172.16.10.1 destined for subnet 170.170.10.0 255.255.255.0.
Deny any other IP packets that are destined for the same destination subnet of 170.170.10.0.
Permit all other IP packets.
One access list that meets these requirements follows:
access-list 101 permit ip 172.16.10.1 0.0.0.0 170.170.10.0 0.0.0.255
access-list 101 deny ip 0.0.0.0 255.255.255.255 170.170.10.0 0.0.0.255
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
Can someone explain to me why on access-list line 2 we have 0.0.0.0 for the source IP and 255.255.255.255 for the wildcard mask?
06-18-2008 12:44 PM
Mahesh
With an inverse mask used in IOS access-list 255 means "don't care" or to put it another way 255 can match anything.
0.0.0.0 as an IP address means it can match any address.
So your second and third lines in your acl could be written
access-list 101 deny ip any 170.170.10.0 0.0.0.255
access-list 101 permit ip any any
which is a lot more straightforward IMHO.
Jon
06-20-2008 09:45 AM
Hi jon
thanks once again
Mahesh
06-18-2008 03:30 PM
The wildcard masks are shown in longhand. A 1 bit is "don't care" and a 0 bit is "must match". So the first line's mask of 0.0.0.0 means every bit must match host 172.16.10.1, and the 255.255.255.255 mask on the second and third lines means that all of the bits are "don't care", so anything will be matched.
An easier way to write this would be:
access-list 101 permit ip host 172.16.10.1 170.170.10.0 0.0.0.255
access-list 101 deny ip any 170.170.10.0 0.0.0.255
access-list 101 permit ip any any
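To make the wildcard-mask semantics from Jon's and Hennigan's answers concrete, here is an added Python example (not code from the thread or from Cisco) that parses both the longhand and the shorthand form of the ACL, expands "any" and "host" the way IOS does, and evaluates sample packets with first-match semantics and the implicit deny at the end. The ACL entries are the ones from the question; the packet addresses are constructed.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """IOS wildcard (inverse) mask: a 1 bit is 'don't care', a 0 bit 'must match'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    keep = ~w & 0xFFFFFFFF          # bits that must be equal (wildcard bit 0)
    return (a & keep) == (b & keep)

def parse_entry(line):
    """Parse 'access-list N permit|deny ip SRC DST' into (action, src, src_wc, dst, dst_wc).

    'any'    expands to 0.0.0.0 255.255.255.255 (every bit is don't-care)
    'host X' expands to X 0.0.0.0               (every bit must match)
    """
    tokens = line.split()
    assert tokens[0] == "access-list" and tokens[3] == "ip", line
    action, rest, fields = tokens[2], tokens[4:], []
    for _ in range(2):              # once for source, once for destination
        if rest[0] == "any":
            fields += ["0.0.0.0", "255.255.255.255"]; rest = rest[1:]
        elif rest[0] == "host":
            fields += [rest[1], "0.0.0.0"]; rest = rest[2:]
        else:
            fields += rest[:2]; rest = rest[2:]
    return (action, *fields)

def evaluate(acl_lines, src, dst):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for line in acl_lines:
        action, sb, sw, db, dw = parse_entry(line)
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"

# The access list from the question, longhand (as posted) and shorthand (as suggested)
LONGHAND_ACL = [
    "access-list 101 permit ip 172.16.10.1 0.0.0.0 170.170.10.0 0.0.0.255",
    "access-list 101 deny ip 0.0.0.0 255.255.255.255 170.170.10.0 0.0.0.255",
    "access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255",
]
SHORTHAND_ACL = [
    "access-list 101 permit ip host 172.16.10.1 170.170.10.0 0.0.0.255",
    "access-list 101 deny ip any 170.170.10.0 0.0.0.255",
    "access-list 101 permit ip any any",
]

if __name__ == "__main__":
    # Constructed packets: the allowed host, another host, and off-subnet traffic
    for src, dst in [("172.16.10.1", "170.170.10.5"), ("172.16.10.2", "170.170.10.5"),
                     ("172.16.10.2", "10.0.0.1")]:
        print(src, "->", dst, evaluate(LONGHAND_ACL, src, dst), evaluate(SHORTHAND_ACL, src, dst))
```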
06-20-2008 09:44 AM
Hi Hennigan
thanks for your reply
Mahesh