access-list with first zero octet. Is it correct?

Jun 20th, 2012

I have seen config like:

access-list 1 permit 0.21.0.0 255.0.255.255


Can you please let me know if such config is correct and if yes, explain more


Thanks!

Peter Paluch Wed, 06/20/2012 - 03:24

Hello,


This ACL is somewhat bizarre but it is not incorrect per se. It matches all packets whose source IP address has the form


x.21.x.x


where "x" is an arbitrary number (it is totally irrelevant what the value of "x" is).


I do not know what the intention of the creator of this ACL was. Therefore, it is difficult to answer the question of whether the ACL is correct. Syntactically - sure it is. Semantically - I do not know; that depends on what is to be accomplished with it.


Best regards,

Peter

handoko wiyanto Wed, 06/20/2012 - 04:16

hi webstd.design,


imho,

judging by the way the wildcard mask is written (255.0.255.255),

that command is wrong.


if we refer to the standard access list documentation, for example this very old Cisco IOS version (http://www.cisco.com/en/US/docs/ios/11_3/feature/guide/stdlog.html),


the wildcard mask is written by putting 1 in the host bit portion:

source-wildcard

(Optional) Wildcard bits to be applied to the source. There are two alternative ways to specify the source wildcard:

Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.

Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.


regards,

webstd.design Wed, 06/20/2012 - 04:21

Looks like it's a question from a BGP exam, so it should be correct.

handoko wiyanto Wed, 06/20/2012 - 04:56

interesting!


would you mind sharing the complete question with the config that you wrote before?


regards,

webstd.design Wed, 06/20/2012 - 05:40

Can you provide something like this as an example? It could be an interesting question for an interview.

Nandan Mathure Wed, 06/20/2012 - 05:53

Hi!


access-list 1 permit 0.21.0.0 255.0.255.255


Such access lists are used for matching networks. In this example, any network with a second octet of 21 will be matched.


More examples...


access-list 10 permit 192.168.0.1 0.0.0.0  [matches a host route of 192.168.0.1]

access-list 10 permit 0.16.16.0 255.0.0.255 [matches any network which has a 2nd and 3rd octet of 16]

access-list 10 permit 10.0.0.0 0.0.255.192 [matches networks 10.0.0.0 to 10.0.255.192]


I would suggest converting the wildcard to binary and matching the corresponding bits as "must match" or "match any", i.e. 0 is must match and 1 is any (in the case of wildcards).


let me know if this helps,

Nandan Mathure
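The bit-level rule both answers describe (wildcard bit 0 = must match, 1 = don't care) is easy to apply by hand for contiguous masks like 0.0.0.255, but non-contiguous masks such as 255.0.255.255 or 0.0.255.192 are where people misread the match set. The following is an added example, not code from the original thread or from Cisco: it implements Cisco wildcard matching, first-match ACL evaluation with the implicit deny, a contiguity check, and a per-octet enumerator you can use to verify the bracketed comments above. For instance, a last-octet wildcard of 192 leaves only bits 6 and 7 as don't-care, so with a base of 0 it matches the four values 0, 64, 128 and 192 rather than a contiguous range. All addresses and ACL entries in it are constructed for illustration.

```python
"""Cisco-style wildcard mask matching for standard ACLs (added illustration)."""
import ipaddress
from typing import List, Tuple

MASK32 = 0xFFFFFFFF


def to_int(dotted: str) -> int:
    """Dotted-decimal IPv4 string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard means 'must match',
    a 1 bit means 'don't care'. Compare both addresses on the 'care' bits only."""
    care = ~to_int(wildcard) & MASK32
    return (to_int(addr) & care) == (to_int(base) & care)


def is_contiguous(wildcard: str) -> bool:
    """True if the wildcard is an inverted prefix mask (ones only at the low end),
    i.e. expressible as a CIDR prefix. 255.0.255.255 and 0.0.255.192 are not."""
    w = to_int(wildcard)
    return (w & ((w + 1) & MASK32)) == 0


def matching_octet_values(base_octet: int, wildcard_octet: int) -> List[int]:
    """All values 0..255 of a single octet that match base_octet under wildcard_octet.
    Useful for checking what a non-contiguous octet like 192 really matches."""
    care = ~wildcard_octet & 0xFF
    return [v for v in range(256) if (v & care) == (base_octet & care)]


# A standard ACL is an ordered list of (action, source, source-wildcard);
# the first matching entry wins and an unmatched packet hits the implicit deny.
Entry = Tuple[str, str, str]


def acl_action(acl: List[Entry], src: str) -> str:
    for action, base, wildcard in acl:
        if wildcard_match(src, base, wildcard):
            return action
    return "deny"  # implicit deny at the end of every Cisco ACL


if __name__ == "__main__":
    # Constructed sample: the ACL from the question, plus one contiguous entry.
    acl: List[Entry] = [
        ("permit", "0.21.0.0", "255.0.255.255"),   # x.21.x.x
        ("permit", "192.168.0.0", "0.0.0.255"),    # 192.168.0.0/24
    ]
    for src in ("10.21.5.6", "172.21.0.1", "10.22.5.6", "192.168.0.77", "192.168.1.1"):
        print(f"{src:>14} -> {acl_action(acl, src)}")
    for wc in ("0.0.0.255", "255.0.255.255", "0.0.255.192"):
        print(f"{wc:>15} contiguous: {is_contiguous(wc)}")
    # What does a last-octet wildcard of 192 with base 0 actually match?
    print("last octet matches:", matching_octet_values(0, 192))
```

When auditing an ACL, flag every entry whose wildcard fails `is_contiguous`: such entries are legal IOS syntax but they match scattered address sets that are hard to reason about, and they are a common source of unintentionally permitted traffic.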
