Jul 9th, 2008

Consider the following ACL statement,

access-list 101 permit ip 202.160.13.10 0.12.80.0 any

Unlike many other ACLs, this doesn't follow the subnet sequence (e.g. access-list 40 deny 192.168.20.16 0.0.0.15).

So what do you think the above-mentioned ACL statement means? I mean, which source addresses would be allowed by the above-mentioned ACL?

Thanks

I did it in my head, so my explanation will be a bit intuitive and unrigorous. OK, looking at the mask and breaking it down to bits:

12 = 0000 1100 = 8+4

80 = 0101 0000 = 64+16

So, y is 160 plus any combination of 4 and 8, i.e. 160, (160+4), (160+8), (160+8+4)

Similarly, x is 13, plus any combination of 16 and 64, i.e. 13, (13+16), (13+64), (13+64+16)

But first I checked that 160 did not have the 4 bit or the 8 bit set, otherwise the statement would have got modified as you type it in.

Similarly, I checked that 13 did not have the 16 bit or the 64 bit set.

Kevin Dorrell

Luxembourg


## Replies

Kevin Dorrell Wed, 07/09/2008 - 00:49

Either this is a mistake, or it was designed by someone who is very clever at access lists. ;-)

It allows 202.x.y.10, where:

x = 160, 164, 168, 172

y = 13, 29, 77, 93

I hope I got that right, but I'm sure someone will check my working.

Kevin Dorrell

Luxembourg

hassaan_st Wed, 07/09/2008 - 00:53

Well, it wasn't a mistake for sure...

Regards


tomredmond Wed, 07/09/2008 - 01:14

I agree with Kevin's working. The wildcard works in binary: when written in binary, where there is a 1, either a 1 or a 0 is allowed in the equivalent bit position in the IP address. Where there is a zero it has to be an exact match. Thus if you turn 12 and 80 into binary bit patterns and match them against the corresponding binary address positions, the allowable positions are those given by Kevin.
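
The bit semantics described above, as an added Python example that is not part of this thread: it expands an address/wildcard pair into every source address the entry matches, tests a candidate address against it, and shows what IOS keeps when the base address has don't-care bits set (the "statement got modified" case). The function names are my own, not Cisco's.

```python
# Added example: Cisco wildcard-mask arithmetic for an ACL source field.
# In a wildcard mask a 0 bit means "must match exactly", a 1 bit means "don't care".
import ipaddress
from itertools import product


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def normalize(base: str, wildcard: str) -> str:
    """What IOS actually stores: any base bit under a don't-care mask bit is
    cleared.  If the result differs from `base`, the entry 'got modified'."""
    b, w = _to_int(base), _to_int(wildcard)
    return str(ipaddress.IPv4Address(b & ~w & 0xFFFFFFFF))


def wildcard_matches(addr: str, base: str, wildcard: str) -> bool:
    """True if addr is covered by base/wildcard (only fixed bits are compared)."""
    a, b, w = _to_int(addr), _to_int(base), _to_int(wildcard)
    return (a & ~w) == (b & ~w)


def expand(base: str, wildcard: str) -> list[str]:
    """All addresses the entry matches, ascending; size is 2**popcount(wildcard)."""
    b, w = _to_int(base), _to_int(wildcard)
    fixed = b & ~w
    free_bits = [1 << i for i in range(32) if (w >> i) & 1]
    # every combination of the don't-care bits, OR'd onto the fixed bits
    addrs = {fixed | sum(combo) for combo in product(*[(0, bit) for bit in free_bits])}
    return [str(ipaddress.IPv4Address(a)) for a in sorted(addrs)]


if __name__ == "__main__":
    # the entry from the question: access-list 101 permit ip 202.160.13.10 0.12.80.0 any
    base, mask = "202.160.13.10", "0.12.80.0"
    print("stored as:", normalize(base, mask))          # unchanged: no overlap
    for a in expand(base, mask):                        # 16 addresses, 202.x.y.10
        print(a)
    print(wildcard_matches("202.168.29.10", base, mask))  # True
    print(wildcard_matches("202.161.13.10", base, mask))  # False: bit 1 of 2nd octet is fixed
    # a base with don't-care bits already set is rewritten by IOS
    print("202.20.20.13 0.12.80.0 is stored as", normalize("202.20.20.13", mask))
```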

sdoremus33 Wed, 07/09/2008 - 19:18

Thanks a lot for your reply Kevin, I have a better understanding of ACLs now. So am I correct in assuming, from the earlier problem,

Ex: 202.20.20.13 0.12.80.0

that obviously 202 and 13 remain; however

20 is at .12

Meaning that

12 = 0000 1100 = 8 8+4

and

20 is at .80

80 = 1100 0000 = 84 64+16

combination of

202.20.20.13

202.28.84.13

202.32.100.13