Capture filter in ACE

hdommath
Level 1

Can someone clarify how the ACL wildcard mask works in the ACE30? Ideally, a wildcard mask of 0.0.0.0 should match all, but what I am seeing is that it is treating it as match any.

Here is the scenario: I would like to capture all traffic between 1.1.1.1 and 2.2.2.2, and my ACL for the capture filter is

access-list capture line 8 extended permit ip 1.1.1.1 0.0.0.0 2.2.2.2 0.0.0.0

access-list capture line 16 extended permit ip 2.2.2.2 0.0.0.0 1.1.1.1 0.0.0.0

However, the capture file shows flows from the whole subnet. Why is that?

thanks

-Harish

8 Replies

Cesar Roque
Level 4

Hi,

Try with an ACL like this:

access-list cap line 8 extended permit ip host 1.1.1.1 host 2.2.2.2

access-list cap line 8 extended permit ip host 2.2.2.2 host 1.1.1.1

---------------------
Cesar R
ANS Team

Of course, that would work. I would like to know why the other syntax is not working. Functionally, it is the same.

thanks

-Harish

Hi Harish,

From the documentation:

"For the source IP address netmask, the ACE supports only standard subnet mask entries in an ACL. Wildcard entries (for example, 0.0.0.15) and non-standard subnet masks are not supported."

"For the destination IP address netmask, the ACE supports only standard subnet mask entries in an ACL. Wildcard entries (for example, 0.0.0.15) and non-standard subnet masks are not supported."

http://www.cisco.com/en/US/customer/docs/interfaces_modules/services_modules/ace/vA5_1_0/configuration/security/guide/acl.html#wp1005647

---------------------
Cesar R
ANS Team

Aha! That helps. Not sure why it is not implemented that way, though (as in normal IOS).

-Harish

---------------------
Cesar R
ANS Team

I also noticed that ACE converts the mask of 255.255.255.255 to "host". I would think it is treating it in reverse, but it is confusing.

Ex:

access-list TEST extended permit ip 1.1.1.1 255.255.255.255 2.2.2.2 255.255.255.255

is converted to this (in the running config).

access-list TEST line 8 extended permit ip host 1.1.1.1 host 2.2.2.2

I think I can see what the issue is. In ACE it is not the wildcard mask, but the subnet mask. So 255.255.255.255 is match all and 0.0.0.0 is match any.

Hi,

Yes, correct.

---------------------
Cesar R
ANS Team
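To make the mask semantics discussed in this thread concrete, here is an added Python example (not from the thread and not Cisco code) that models an ACL entry under IOS wildcard-mask rules and under the subnet-mask rules the ACE documentation describes. It runs the two capture-filter lines from the question over a handful of constructed flows, shows why a 0.0.0.0 mask on the ACE matches every flow rather than one host, shows the corrected 255.255.255.255 (host) form matching only the intended pair, and includes a contiguous-mask check mirroring the documentation's rejection of wildcard entries such as 0.0.0.15. The sample flows, function names and the contiguous-mask check are my own assumptions; only the 255.255.255.255-to-host rendering is modelled, since that is the only conversion the thread documents.

```python
"""Added illustration (not Cisco's code): how an ACL entry matches traffic under
IOS wildcard-mask semantics versus the subnet-mask semantics the ACE uses.
All sample flows below are constructed for the example."""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _to_int(dotted: str) -> int:
    """Dotted-quad IPv4 string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def is_standard_mask(mask: str) -> bool:
    """True for a contiguous subnet mask (ones followed by zeros), e.g. 255.255.255.0.
    The ACE documentation says only these are accepted; a wildcard such as 0.0.0.15
    or a non-contiguous mask such as 255.255.0.255 is rejected."""
    inverted = (~_to_int(mask)) & ALL_ONES
    # The complement of a contiguous mask is 2**k - 1, which shares no bit with
    # its successor 2**k; any other pattern leaves a common bit.
    return inverted & (inverted + 1) == 0


def match_subnet_mask(addr: str, base: str, mask: str) -> bool:
    """ACE semantics: every bit SET in the mask must be equal between addr and base.
    0.0.0.0 therefore matches any address; 255.255.255.255 matches exactly one host."""
    m = _to_int(mask)
    return (_to_int(addr) & m) == (_to_int(base) & m)


def match_wildcard_mask(addr: str, base: str, wildcard: str) -> bool:
    """IOS semantics: every bit SET in the wildcard is 'don't care'.
    0.0.0.0 therefore matches exactly one host; 255.255.255.255 matches any address."""
    care = (~_to_int(wildcard)) & ALL_ONES
    return (_to_int(addr) & care) == (_to_int(base) & care)


def normalize_ace_address(base: str, mask: str) -> str:
    """Render an address/mask pair the way the thread shows the ACE storing it:
    a 255.255.255.255 mask becomes 'host A.B.C.D'. Other standard masks are left
    as typed (assumption: the thread only documents the /32 conversion)."""
    if not is_standard_mask(mask):
        raise ValueError(f"{mask} is not a standard subnet mask; the ACE rejects it")
    if mask == "255.255.255.255":
        return f"host {base}"
    return f"{base} {mask}"


def captured_flows(acl, flows, matcher):
    """Return the (src, dst) flows permitted by any entry of acl under matcher.
    Entries are (src, src_mask, dst, dst_mask). For a permit-only capture filter
    the order of entries does not change the result, so it is not tracked."""
    return [
        (src, dst)
        for src, dst in flows
        if any(matcher(src, s, sm) and matcher(dst, d, dm) for s, sm, d, dm in acl)
    ]


# The two capture-filter lines from the question, as typed with 0.0.0.0 masks.
QUESTION_ACL = [
    ("1.1.1.1", "0.0.0.0", "2.2.2.2", "0.0.0.0"),
    ("2.2.2.2", "0.0.0.0", "1.1.1.1", "0.0.0.0"),
]

# The same intent expressed the way the ACE expects (host == 255.255.255.255).
HOST_ACL = [
    ("1.1.1.1", "255.255.255.255", "2.2.2.2", "255.255.255.255"),
    ("2.2.2.2", "255.255.255.255", "1.1.1.1", "255.255.255.255"),
]

# Constructed sample flows: the intended pair, two other hosts in the same /24s,
# and an unrelated flow.
SAMPLE_FLOWS = [
    ("1.1.1.1", "2.2.2.2"),
    ("2.2.2.2", "1.1.1.1"),
    ("1.1.1.37", "2.2.2.200"),
    ("10.9.8.7", "192.0.2.1"),
]


if __name__ == "__main__":
    print("IOS wildcard reading:   ", captured_flows(QUESTION_ACL, SAMPLE_FLOWS, match_wildcard_mask))
    print("ACE subnet-mask reading:", captured_flows(QUESTION_ACL, SAMPLE_FLOWS, match_subnet_mask))
    print("Corrected ACL on ACE:   ", captured_flows(HOST_ACL, SAMPLE_FLOWS, match_subnet_mask))
    for base, mask, *_ in HOST_ACL:
        print(normalize_ace_address(base, mask))
    for mask in ("255.255.255.0", "0.0.0.15", "255.255.0.255"):
        print(mask, "standard" if is_standard_mask(mask) else "rejected")
```

Under the IOS reading the question's ACL captures only the two intended flows; under the ACE reading the very same lines capture every flow offered, which is the "whole subnet" behaviour Harish observed (on the real device only traffic actually crossing the ACE shows up, so it looked like the subnet rather than everything). Rewriting the masks as 255.255.255.255 restores the intended match, and the ACE stores that form as `host`.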