Unanswered Question
Sep 5th, 2008

Hi friends,

Need a clarification. If an access-list has been created without any wildcard mask, the mask defaults to

So what will happen to the access-lists below?

permit ip

permit ip

permit ip

permit ip

I'm seeing some matches on these access-lists. How can these lists be matched when there is no specific?

singhsaju Fri, 09/05/2008 - 06:42


It may be matching the route entries in the routing table.

How and where are you using this access-list?

Richard Burts Fri, 09/05/2008 - 06:46


You start with a very valid observation that the default mask is, which indicates an exact match. So your access list is equivalent to:

permit ip

permit ip

permit ip

permit ip

So the first 2 lines could legitimately be host addresses and the last 2 lines would be network addresses. You have not told us how the access list is used, so we do not know yet whether host matches are legitimate (access list applied with access-group to filter packets on an interface) or whether network matches are legitimate (access list applied in a distribute list to control routing updates). But either pair of lines could legitimately match against some things.
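
The two uses described in the answer above, modelled in a short Python sketch. This is an added example, not part of any post in the thread: the function names are hypothetical, the addresses are constructed documentation ranges, and the default wildcard is assumed to be the all-zero mask 0.0.0.0 (exact match).

```python
import ipaddress

def parse_entry(text):
    """Parse 'permit|deny ADDRESS [WILDCARD]' from a standard ACL line."""
    action, address, *rest = text.split()
    # Assumption: an entry written without a wildcard mask is an exact match,
    # i.e. the all-zero wildcard 0.0.0.0.
    wildcard = rest[0] if rest else "0.0.0.0"
    return (action,
            int(ipaddress.IPv4Address(address)),
            int(ipaddress.IPv4Address(wildcard)))

def acl_action(acl_lines, address):
    """Return the action of the first matching entry; implicit deny otherwise."""
    value = int(ipaddress.IPv4Address(address))
    for line in acl_lines:
        action, base, wildcard = parse_entry(line)
        care = ~wildcard & 0xFFFFFFFF  # wildcard bits set to 0 must be equal
        if (value & care) == (base & care):
            return action
    return "deny"

def packet_filter(acl_lines, source_ip):
    """access-group use: the packet's source address is compared."""
    return acl_action(acl_lines, source_ip)

def route_filter(acl_lines, prefix):
    """Distribute-list or route-map use: only the route's network address
    is compared; the prefix length is never examined."""
    network = ipaddress.IPv4Network(prefix)
    return acl_action(acl_lines, str(network.network_address))

# Constructed sample ACL: one host-style entry and one network-style entry.
ACL = ["permit 192.0.2.10", "permit 198.51.100.0"]

if __name__ == "__main__":
    for src in ("192.0.2.10", "198.51.100.7"):
        print("packet from", src, "->", packet_filter(ACL, src))
    for route in ("198.51.100.0/24", "198.51.100.0/25", "198.51.100.128/25"):
        print("route", route, "->", route_filter(ACL, route))
```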



rajivrajan1 Mon, 09/08/2008 - 23:51

Hi Rick, thanks for the reply.

I'm using these access-lists in my redistribution (static to OSPF).

Most of my source addresses are /24,

for example

cust A LAN ip

cust B LAN ip


In my PE router I'm matching this as



Will this match my traffic and redistribute into OSPF (it's doing it!!!)?

So what else is allowed? I'm really wondering if it's matching the class-based networks. Please clarify.

rsgamage1 Tue, 09/09/2008 - 01:40


I'm really wondering if it's matching the class-based networks. Please clarify.

You can try redistribution of classful network to see whether it actually is taking place.

redistribute static route-map


redistribute static route-map subnets

According to my understanding, these hits correspond to the classless (/24) networks that are redistributed into OSPF.


rsgamage1 Tue, 09/09/2008 - 07:00

You could emulate this scenario and do clear ospf process (or traffic) to see the hits on ACLs when those networks are redistributed.

For instance,

Standard IP access list 10

10 permit log (1 match)

20 permit log (1 match)


%SEC-6-IPACCESSLOGNP: list 10 permitted 0 ->, 1 packet

%SEC-6-IPACCESSLOGNP: list 10 permitted 0 ->, 1 packet

