New Member

Capture filter in ACE

Can someone clarify how the ACL wildcard mask works in the ACE30? Ideally, a wildcard mask of 0.0.0.0 should match all, but what I am seeing is that it is treating it as match any.

Here is the scenario: I would like to capture all traffic between 1.1.1.1 and 2.2.2.2, and my ACL for the capture filter is

access-list capture line 8 extended permit ip 1.1.1.1 0.0.0.0 2.2.2.2 0.0.0.0

access-list capture line 16 extended permit ip 2.2.2.2 0.0.0.0 1.1.1.1 0.0.0.0

However, the capture file shows flows from the whole subnet. Why is that?

thanks

-Harish

8 REPLIES
Bronze

Capture filter in ACE

Hi,

Try with an ACL like this:

access-list cap line 8 extended permit ip host 1.1.1.1 host 2.2.2.2

access-list cap line 8 extended permit ip host 2.2.2.2 host 1.1.1.1

---------------------
Cesar R
ANS Team

New Member

Capture filter in ACE

Of course, that would work. I would like to know why the other syntax is not working. Functionally, it is the same.

thanks

-Harish

Bronze

Capture filter in ACE

Hi Harish,

From the documentation:

"For the source IP address netmask, the ACE supports only standard subnet mask entries in an ACL. Wildcard entries (for example, 0.0.0.15) and non-standard subnet masks are not supported."

"For the destination IP address netmask, the ACE supports only standard subnet mask entries in an ACL. Wildcard entries (for example, 0.0.0.15) and non-standard subnet masks are not supported."

http://www.cisco.com/en/US/customer/docs/interfaces_modules/services_modules/ace/vA5_1_0/configuration/security/guide/acl.html#wp1005647

---------------------
Cesar R
ANS Team

New Member

Capture filter in ACE

Aha! That helps. Not sure why it is not implemented that way though (as in normal IOS).

-Harish

Bronze

Capture filter in ACE

---------------------
Cesar R
ANS Team

New Member

Capture filter in ACE

I also noticed that ACE converts the mask of 255.255.255.255 as "host". I would think it is treating it reverse but it is confusing.

Ex:

access-list TEST extended permit ip 1.1.1.1 255.255.255.255 2.2.2.2 255.255.255.255

is converted to this (in the running config).

access-list TEST line 8 extended permit ip host 1.1.1.1 host 2.2.2.2

New Member

Capture filter in ACE

I think I can see what the issue is. In ACE it is not the wildcard mask, but the subnet mask. So 255.255.255.255 is match all and 0.0.0.0 is match any.

Bronze

Capture filter in ACE

Hi,

Yes, correct.

---------------------
Cesar R
ANS Team
