Community Member

access-list

We have an extended access-list to meet the following requirement:

Allow IP packets sourced from a host with address 172.16.10.1 destined for subnet 170.170.10.0 255.255.255.0.

Deny any other IP packets that are destined for the same destination subnet of 170.170.10.0.

Permit all other IP packets.

One access list that meets these requirements follows:

access-list 101 permit ip 172.16.10.1 0.0.0.0 170.170.10.0 0.0.0.255

access-list 101 deny ip 0.0.0.0 255.255.255.255 170.170.10.0 0.0.0.255

access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

Can someone explain to me why on line 2 of the access-list we have 0.0.0.0 for the source IP and 255.255.255.255 for the wildcard mask?

Accepted Solution
Hall of Fame Super Blue

Re: access-list

Mahesh

With an inverse mask as used in IOS access-lists, 255 means "don't care", or to put it another way, 255 can match anything.

0.0.0.0 as an IP address means it can match any address.

So your second and third lines in your ACL could be written:

access-list 101 deny ip any 170.170.10.0 0.0.0.255

access-list 101 permit ip any any

which is a lot more straightforward IMHO.

Jon

4 REPLIES
Community Member

Re: access-list

Hi Jon

Thanks once again

Mahesh

Community Member

Re: access-list

The wildcard masks are shown in longhand. A 1 bit is "don't care" and a 0 bit is "must match". So the mask of 0.0.0.0 on the first line means every bit must match host 172.16.10.1, and the 255.255.255.255 mask on the second and third lines means that all of the bits are "don't care", so anything will be matched.

An easier way to write this would be:

access-list 101 permit ip host 172.16.10.1 170.170.10.0 0.0.0.255

access-list 101 deny ip any 170.170.10.0 0.0.0.255

access-list 101 permit ip any any
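The bit-level matching rule described in Jon's and Hennigan's replies, as an added example that is not part of the thread: it evaluates the longhand ACL 101 from the question and its host/any shorthand against constructed packets (assumptions: only the standard ipaddress module, first-match evaluation with the implicit deny IOS appends).

```python
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard (inverse mask) semantics: a 1 bit in the wildcard is
    "don't care", a 0 bit is "must match". So wildcard 0.0.0.0 means "host",
    and base 0.0.0.0 with wildcard 255.255.255.255 means "any"."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    must_match = 0xFFFFFFFF ^ w  # flip the inverse mask: 1 = compare this bit
    return (a & must_match) == (b & must_match)


def host(addr: str) -> tuple:
    """The 'host A' keyword expands to 'A 0.0.0.0' (every bit must match)."""
    return (addr, "0.0.0.0")


ANY = ("0.0.0.0", "255.255.255.255")  # the 'any' keyword in longhand
# ACL 101 in the longhand form from the question: (action, src, src_wc, dst, dst_wc).
ACL_101_LONGHAND = [
    ("permit", "172.16.10.1", "0.0.0.0", "170.170.10.0", "0.0.0.255"),
    ("deny", "0.0.0.0", "255.255.255.255", "170.170.10.0", "0.0.0.255"),
    ("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]
# The same ACL written with the host/any keywords suggested in the replies.
ACL_101_SHORTHAND = [
    ("permit", *host("172.16.10.1"), "170.170.10.0", "0.0.0.255"),
    ("deny", *ANY, "170.170.10.0", "0.0.0.255"),
    ("permit", *ANY, *ANY),
]


def evaluate(acl, src: str, dst: str) -> str:
    """Top-down first match, then the implicit 'deny any any' IOS appends."""
    for action, src_base, src_wc, dst_base, dst_wc in acl:
        if wildcard_match(src, src_base, src_wc) and wildcard_match(dst, dst_base, dst_wc):
            return action
    return "deny"


# Constructed sample packets (src, dst), one for each line of the ACL.
SAMPLE_PACKETS = [
    ("172.16.10.1", "170.170.10.5"),  # line 1 -> permit
    ("172.16.10.2", "170.170.10.5"),  # line 2 -> deny (other source, same subnet)
    ("172.16.10.2", "10.0.0.1"),      # line 3 -> permit
]

if __name__ == "__main__":
    for src, dst in SAMPLE_PACKETS:
        print(src, "->", dst, evaluate(ACL_101_LONGHAND, src, dst), evaluate(ACL_101_SHORTHAND, src, dst))
```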

Community Member

Re: access-list

Hi Hennigan

Thanks for your reply

Mahesh
