Wild Card Masks ....

hassaan_st
Level 1

Consider the following ACL statement,

access-list 101 permit ip 202.160.13.10 0.12.80.0 any

Unlike many other ACLs, this doesn't follow the subnet sequence (e.g. access-list 40 deny 192.168.20.16 0.0.0.15).

So what do you think the above-mentioned ACL statement means? I mean, which source addresses would be allowed by the above-mentioned ACL?

Thanks



Kevin Dorrell
Level 10

Either this is a mistake, or it was designed by someone who is very clever at access lists. ;-)

It allows 202.x.y.10, where:

x = 160, 164, 168, 172

y = 13, 29, 77, 93

I hope I got that right, but I'm sure someone will check my working.

Kevin Dorrell

Luxembourg

Well, it wasn't a mistake for sure...

Thanks for your reply, Kevin, but could you please explain your working?

Regards

Kevin Dorrell
Level 10

I did it in my head, so my explanation will be a bit intuitive and unrigorous. OK, looking at the mask and breaking it down to bits:

12 = 0000 1100 = 8+4

80 = 0101 0000 = 64+16

So, y is 160 plus any combination of 4 and 8, i.e. 160, (160+4), (160+8), (160+8+4)

Similarly, x is 13, plus any combination of 16 and 64, i.e. 13, (13+16), (13+64), (13+64+16)

But first I checked that 160 did not have the 4 bit or the 8 bit set, otherwise the statement would have got modified as you type it in.

Similarly, I checked that 13 did not have the 16 bit or the 64 bit set.

Kevin Dorrell

Luxembourg
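A small Python check of Kevin's working, added here as an example and not part of the original thread. It applies the wildcard the way the answer describes: a 1 bit in the mask means "don't care", a 0 bit means "must match", and any address bits sitting under a 1 are cleared (which is the modification Kevin mentions when you type the entry in). It is general for any address/wildcard pair, not only this one.

```python
import ipaddress
from itertools import product


def _to_int(dotted: str) -> int:
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def normalize(addr: str, wildcard: str) -> str:
    """Clear every address bit that lies under a wildcard 1 bit.

    This is the form the ACL entry is effectively stored in: e.g.
    202.172.93.10 with wildcard 0.12.80.0 normalises to 202.160.13.10.
    """
    a, w = _to_int(addr), _to_int(wildcard)
    return str(ipaddress.IPv4Address(a & ~w))


def wildcard_matches(addr: str, wildcard: str, candidate: str) -> bool:
    """True if candidate falls inside the set described by addr/wildcard."""
    a, w, c = _to_int(addr), _to_int(wildcard), _to_int(candidate)
    return (a & ~w) == (c & ~w)


def expand(addr: str, wildcard: str) -> list:
    """Enumerate every address the entry covers (2 ** popcount(wildcard) of them).

    Fine for small masks like 0.12.80.0 (16 addresses); for a wide mask such
    as 0.255.255.255 the list would be 2**24 entries, so use wildcard_matches.
    """
    a, w = _to_int(addr), _to_int(wildcard)
    base = a & ~w
    free_bits = [1 << i for i in range(32) if (w >> i) & 1]
    out = []
    for combo in product((0, 1), repeat=len(free_bits)):
        value = base
        for on, bit in zip(combo, free_bits):
            if on:
                value |= bit
        out.append(value)
    return [str(ipaddress.IPv4Address(v)) for v in sorted(out)]


if __name__ == "__main__":
    # Constructed demo using the entry from the thread.
    for ip in expand("202.160.13.10", "0.12.80.0"):
        print(ip)
```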

tomredmond
Level 1

I agree with Kevin's working. The wildcard works in binary: when it is written in binary, wherever there is a 1, either a 1 or a 0 is allowed in the equivalent bit position of the IP address. Wherever there is a zero, it has to be an exact match. Thus if you turn 12 and 80 into binary bit patterns and match them against the corresponding binary address positions, the allowable positions are those given by Kevin.

Thanks a lot

:)

Thanks a lot for your reply, Kevin. I have a better understanding of ACLs now, so am I correct in assuming, from the earlier problem,

Ex : 202.20.20.13 0.12.80.0

That obviously 202, and 13 remain, however

20 is at .12

Meaning that

12 = 0000 1100 = 8 8+4

and

20 is at .80

80 = 1100 0000 = 84 64+16

combination of

202.20.20.13

202.28.84.13

202.32.100.13
