Cisco Support Community

New Member

ACL with wildcard mask

Hi Everyone,

The router has the ACL below configured:

access-list 106 permit 0.0.0.0.27 255.255.255.224 host 200.x.x.x.x

I need to know which IP addresses this ACL will allow.

Regards

Mahesh

1 ACCEPTED SOLUTION

Cisco Employee

Re: ACL with wildcard mask

Hi Mahesh,

It seems to me the wildcard mask in this ACL has not been converted from subnet notation to the wildcard notation, and as a result, the ACL matches a very peculiar and unintended set of sources. The 255 octets of the wildcard mask signify that corresponding octets of an IP address may be arbitrary. Regarding the last octet of the wildcard mask, the situation in binary is as follows:

27 in binary is 00011011

224 in binary is 11100000

The matching is then as follows:

00011011

iiimmmmm

where i means "ignore" and m means "match".

Notice that in this octet, the wildcard mask requires that the IP address matches on the rightmost 5 bits carrying the total value of 27, and the leftmost 3 bits (carrying values of 32, 64 and 128) will not be matched, meaning they can be arbitrary. By enumerating all their combinations of set/not-set and evaluating the resulting octet value, you get 8 values:

27+0=27

27+32=59

27+64=91

27+96=123

27+128=155

27+160=187

27+192=219

27+224=251

So the set of sources this ACL would match has the following symbolic format:

...

Best regards,

Peter
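Added worked example (this is an editor's illustration, not code from the thread or from Cisco): a small Python script that applies the bit-matching rule Peter describes, enumerates the eight matching last-octet values, converts the subnet mask 255.255.255.224 into the wildcard mask it was probably meant to be (0.0.0.31), and counts how many sources the mistyped entry really admits. It assumes the source address in the original ACL was meant to read 0.0.0.27 (the post has an extra octet), and the 192.0.2.0 network used to show the corrected form is a constructed example address.

```python
"""Cisco wildcard-mask matching, worked through in code (added example).

A wildcard mask is the bitwise inverse of a subnet mask: a 0 bit means
"this bit of the packet address must equal the configured address",
a 1 bit means "ignore this bit".
"""
import ipaddress
from itertools import product


def subnet_to_wildcard(mask: str) -> str:
    """Invert a dotted-decimal subnet mask into wildcard form.

    255.255.255.224 -> 0.0.0.31 (the value the original ACL presumably
    intended instead of the raw subnet mask).
    """
    return ".".join(str(255 - int(octet)) for octet in mask.split("."))


def acl_matches(packet_ip: str, acl_addr: str, wildcard: str) -> bool:
    """True if packet_ip is matched by the ACL address/wildcard pair.

    Bits that are 0 in the wildcard must be equal in both addresses;
    bits that are 1 are ignored, exactly as IOS evaluates the entry.
    """
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    packet = int(ipaddress.IPv4Address(packet_ip))
    configured = int(ipaddress.IPv4Address(acl_addr))
    return (packet & care) == (configured & care)


def matching_octet_values(addr_octet: int, wildcard_octet: int) -> list[int]:
    """Enumerate every octet value matched by one (address, wildcard) octet pair.

    The fixed part is the address octet with the ignored bits cleared;
    every combination of the ignored bits is then added back, which is
    the enumeration done by hand in the answer above (27 + 0/32/64/...).
    """
    fixed = addr_octet & ~wildcard_octet & 0xFF
    ignored_bits = [1 << b for b in range(8) if wildcard_octet & (1 << b)]
    values = set()
    for combo in product((0, 1), repeat=len(ignored_bits)):
        values.add(fixed + sum(bit for bit, on in zip(ignored_bits, combo) if on))
    return sorted(values)


def count_matching_addresses(wildcard: str) -> int:
    """Number of distinct IPv4 addresses an entry with this wildcard admits.

    Each 1 bit in the wildcard doubles the matched set.
    """
    ones = bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    return 2 ** ones


if __name__ == "__main__":
    # The entry as typed in the question, with the source address assumed
    # to be 0.0.0.27 (assumption: the post contains an extra octet).
    typed_addr, typed_wc = "0.0.0.27", "255.255.255.224"
    print("last-octet values matched:", matching_octet_values(27, 224))
    print("addresses admitted by the typed entry:", count_matching_addresses(typed_wc))
    print("10.20.30.59 matches?", acl_matches("10.20.30.59", typed_addr, typed_wc))
    print("10.20.30.60 matches?", acl_matches("10.20.30.60", typed_addr, typed_wc))

    # The corrected form: subnet mask converted to a wildcard, applied to a
    # constructed example network 192.0.2.0/27.
    fixed_wc = subnet_to_wildcard(typed_wc)
    print("wildcard for 255.255.255.224:", fixed_wc)
    print("192.0.2.31 matches corrected entry?", acl_matches("192.0.2.31", "192.0.2.0", fixed_wc))
    print("192.0.2.32 matches corrected entry?", acl_matches("192.0.2.32", "192.0.2.0", fixed_wc))
    print("addresses admitted by corrected entry:", count_matching_addresses(fixed_wc))
```

Running it shows why the mistyped entry is dangerous from a filtering point of view: with 27 one-bits in the wildcard it admits 2^27 sources spread across the entire address space (any address whose last octet is one of the eight values listed), whereas the corrected 0.0.0.31 wildcard confines the match to a single /27 of 32 addresses. Checking an ACL entry against a few representative addresses this way before committing it is a cheap way to catch an un-inverted mask.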

2 REPLIES
New Member

ACL with wildcard mask

Hi Peter,

Thanks for explaining it in such detail.

It seems it was a little tricky to work out the allowed hosts in so little time, as yesterday I needed to configure the ACL on the router quickly.

I

Only you can do this.

Best Regards

Mahesh
