access-list

Sep 5th, 2008

hi friends,

Need a clarification. If an access-list has been created without any wildcard mask, the mask defaults to 0.0.0.0.

So what will happen to the access-lists below?

permit ip 10.1.0.0

permit ip 10.0.1.0

permit ip 192.168.0.0

permit ip 172.16.0.0

I'm seeing some matches on these access-lists. How can these lists be matched when there is nothing specific?

singhsaju Fri, 09/05/2008 - 06:42

Hello,

It may be matching the route entries in the routing table.

How and where are you using this access-list?

Richard Burts Fri, 09/05/2008 - 06:46

Rajeev

You start with a very valid observation that the default mask is 0.0.0.0, which indicates an exact match. So your access list is equivalent to:

permit ip 10.1.0.0 0.0.0.0

permit ip 10.0.1.0 0.0.0.0

permit ip 192.168.0.0 0.0.0.0

permit ip 172.16.0.0 0.0.0.0

So the first 2 lines could legitimately be host addresses and the last 2 lines would be network addresses. You have not told us how the access list is used, so we do not know yet whether host matches are legitimate (access list applied with access-group to filter packets on an interface) or whether network matches are legitimate (access list applied in a distribute list to control routing updates). But either pair of lines could legitimately match against some things.

HTH

Rick

rajivrajan1 Mon, 09/08/2008 - 23:51

Hi Rick, thanks for the reply.

I'm using these access-lists in my redistribution (static to OSPF).

Most of my source addresses are /24.

For example:

cust A LAN ip 10.1.0.1

cust B LAN ip 10.0.2.0

Cust C LAN ip 10.0.0.1

In my PE router I'm matching this as

permit 10.1.0.0

permit 10.0.2.0

permit 10.0.0.0

Will this match my traffic and redistribute it into OSPF? (It's doing it!!!)

So what else is allowed? I'm really wondering if it's matching the class-based networks. Please clarify.

rsgamage1 Tue, 09/09/2008 - 01:40

Hi,

"I'm really wondering if it's matching the class-based networks. Please clarify."

You can try redistribution of classful networks to see whether it actually is taking place.

redistribute static route-map

vs

redistribute static route-map subnets

According to my understanding, these hits correspond to the classless (/24) networks that are redistributed into OSPF.

HTH

rsgamage1 Tue, 09/09/2008 - 07:00

You could emulate this scenario and do a clear of the OSPF process (or traffic) to see the hits on the ACLs when those networks are redistributed.

For instance:

Standard IP access list 10

10 permit 10.0.0.0 log (1 match)

20 permit 10.1.0.0 log (1 match)

--

%SEC-6-IPACCESSLOGNP: list 10 permitted 0 10.0.0.0 -> 0.0.0.0, 1 packet

%SEC-6-IPACCESSLOGNP: list 10 permitted 0 10.1.0.0 -> 0.0.0.0, 1 packet
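As an added example (not code from any poster in this thread), the wildcard logic Rick describes and the route-map hits in the log above, worked through in Python: an ACL line with the default 0.0.0.0 wildcard matches only that exact address, so it hits the network address of a redistributed 10.1.0.0/24 (or 10.0.0.0/8) route but would never match host 10.1.0.1 in a packet filter. The ACL_10 table and the helper names are constructed here for illustration.

```python
import ipaddress


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def acl_matches(entry_addr: str, wildcard: str, candidate: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'.
    An omitted wildcard is 0.0.0.0, so every bit of the address must match."""
    care_mask = (~_to_int(wildcard)) & 0xFFFFFFFF
    return (_to_int(entry_addr) & care_mask) == (_to_int(candidate) & care_mask)


def standard_acl_lookup(acl, candidate: str) -> str:
    """First-match evaluation of a standard ACL; unmatched -> implicit deny."""
    for action, addr, wildcard in acl:
        if acl_matches(addr, wildcard, candidate):
            return action
    return "deny"


def redistribution_check(acl, route_prefix: str) -> str:
    """A route-map 'match ip address <standard ACL>' tests the route's
    network address only; the prefix length is not examined (constructed
    model of the behaviour discussed in the thread)."""
    net = ipaddress.IPv4Network(route_prefix, strict=False)
    return standard_acl_lookup(acl, str(net.network_address))


# Constructed ACL: the thread's lines, each with the default 0.0.0.0 wildcard.
ACL_10 = [
    ("permit", "10.1.0.0", "0.0.0.0"),
    ("permit", "10.0.2.0", "0.0.0.0"),
    ("permit", "10.0.0.0", "0.0.0.0"),
]

if __name__ == "__main__":
    # Used as a packet filter, only the exact addresses are permitted.
    for host in ("10.1.0.0", "10.1.0.1", "10.0.2.0"):
        print(f"packet from {host}: {standard_acl_lookup(ACL_10, host)}")
    # Used in a redistribution route-map, any route whose network address
    # equals the entry matches, regardless of its mask (/24, /16, /8 alike).
    for route in ("10.1.0.0/24", "10.1.0.0/16", "10.0.0.0/8", "10.1.1.0/24"):
        print(f"route {route}: {redistribution_check(ACL_10, route)}")
```

Adding a wildcard such as 0.0.0.255 to a line is what makes it match hosts inside a /24 when the ACL is applied with access-group.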
