Cisco Support Community
Community Member

issue with ACL configuration

Hi!!

Although it could be a basic question regarding ACL configuration, we had an issue when we entered this:

access-list X permit 195.104.26.0 255.255.255.0

By mistake we entered the normal or natural network mask on the command line (not the wildcard "inverse" mask).

The result on the router is as follows:

access-list X permit 0.0.0.0 255.255.255.0

Is it normal?

The intention here was to permit the network 195.104.26.0, not "any" (first 3 octets).

Any ideas?

Thanks in advance

7 REPLIES
Hall of Fame Super Gold

Re: issue with ACL configuration

Pedro

You made a misconfiguration and the router did "exactly" what you told it to do. When you put the mask as 255.255.255.0 then the ACL determined that nothing in the first 3 octets must match. So even though you input the ACL with numbers in the first 3 octets the IOS determined that the appropriate value in the first 3 octets was 0, since the mask says that they do not matter. Then the 4th octet where your mask says that it does matter, you input with 0 in the 4th octet.

So I would say that yes it is "normal" the IOS followed its normal logic of how to interpret the mask of ACL and did exactly what you told it to do. Except that is not what you WANTED it to do. But it is what you told it to do.

HTH

Rick

Community Member

Re: issue with ACL configuration

Hello Rick

I agree with you, because this is what the Cisco theory says.

But I think that the IOS should send an "inconsistency message", because in reality this type of inverse mask is not correct (except the masks 255.255.255.255 [any] and 0.0.0.0 [host]).

No network has a subnet mask 0.0.0.255. According to the theory (again), the inverse mask comes from the subtraction of 255.255.255.255 minus the real mask.

It is for this last reason that I think the IOS shouldn't "decide" what to do.

These errors in masks and inverse masks could happen in operational areas when ACLs and static routes are required, and can seriously impact the network if we have "deny" ACLs, for example.

What do you think?

Thanks in advance

Pedro.

Re: issue with ACL configuration

Hi,

I actually disagree with you, as with ACLs any possible wildcard is meaningful. I'll give you an example:

To match these networks in one ACL statement:

10.0.0.0/16

10.4.0.0/16

10.32.0.0/16

10.36.0.0/16

access-list 1 permit 10.0.0.0 0.36.0.0

Another example would be, to match all the odd IPs in this subnet "10.0.0.0/24":

access-list 1 permit 10.0.0.1 0.0.0.254 (last bit is always 1, thus the address is always odd)

So as you can see, there is no such thing as an inconsistent wildcard mask.

I hope that I've been informative.

HTH,

Mohammed Mahmoud.

Re: issue with ACL configuration

In addition to Rick's comments, refer to this link.

http://www.mdh.se/netcenter/ct3790/ct3790_HT2005_p2/ACLs.pdf

The match, not match, and match ranges in ACLs can sometimes be tricky. Every now and then it is good to have a reference handy.

HTH

Jorge

Community Member

Re: issue with ACL configuration

Hi Jorge

Thanks for the reference

Hall of Fame Super Gold

Re: issue with ACL configuration

Pedro

There is a difficult decision to determine whether the command line command that was input was a conceptual mistake or whether the person was attempting to accomplish some subtle distinction. Most of the time the IOS just accepts the configuration statement and that is what happened in your situation.

Every time that I am running Windows software and attempt to do something and Windows changes it (because it thinks that it knows better what is logical) I am reminded of the dangers of overriding the user input.

HTH

Rick

Community Member

Re: issue with ACL configuration

Hi Rick

Thanks for your time.

I only ask for an IOS "warning message", because I know the way to put a "don't care" bit on the network address, and believe me, in this case I didn't want that result. It was only a simple syntax error, but I never thought that IOS could change the first three octets!

In this particular case I wished IOS would send me a "warning message" (like IOS does with a duplicated IP address in interface configuration).

What is the logical intention of putting any number greater than zero in any address octet if in the wildcard mask, octet by octet, I put 255?

If, as you say, "most of the time the IOS accepts the configuration", that's all right, but it should accept it as I typed it or simply not accept the command line.

What do you think?

Do you think it could be a way to improve and secure the use of ACLs?

There are some dangers in the normal use and application of ACLs; this "warning message" could make ACLs safer, beginning with syntax validation.

Regards...
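
The wildcard behaviour discussed in this thread, as an added example that is not part of any post and is not an IOS feature: a small pre-deployment check that reproduces how the address is stored once "don't care" bits are zeroed, tests what an entry matches, and warns when a wildcard looks like a subnet mask. The function names (`normalize`, `matches`, `looks_like_netmask`, `lint`) are hypothetical, and the sample entries are the ones quoted in the posts above.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF

def _u32(dotted):
    return int(ipaddress.IPv4Address(dotted))

def _dotted(value):
    return str(ipaddress.IPv4Address(value))

def normalize(address, wildcard):
    """Address as stored: every bit set to 1 in the wildcard is 'don't care' and is zeroed."""
    return _dotted(_u32(address) & ~_u32(wildcard) & ALL_ONES)

def matches(address, wildcard, candidate):
    """True when candidate equals address on every bit the wildcard leaves at 0."""
    care = ~_u32(wildcard) & ALL_ONES
    return (_u32(candidate) & care) == (_u32(address) & care)

def looks_like_netmask(wildcard):
    """True for a left-contiguous run of 1 bits such as 255.255.255.0.
    0.0.0.0 (host) and 255.255.255.255 (any) are valid either way and not flagged."""
    w = _u32(wildcard)
    if w in (0, ALL_ONES):
        return False
    inverted = ~w & ALL_ONES          # a subnet mask inverts to 2**n - 1
    return inverted & (inverted + 1) == 0

def lint(address, wildcard):
    """Warnings a reviewer would want before the entry reaches a router."""
    warnings = []
    stored = normalize(address, wildcard)
    if stored != address:
        warnings.append(f"address bits under the wildcard are ignored; stored as {stored} {wildcard}")
    if looks_like_netmask(wildcard):
        fixed = _dotted(~_u32(wildcard) & ALL_ONES)
        warnings.append(f"{wildcard} looks like a subnet mask; as a wildcard it would be {fixed}")
    return warnings

if __name__ == "__main__":
    # Entries quoted in the thread (address, wildcard)
    samples = [("195.104.26.0", "255.255.255.0"),
               ("10.0.0.0", "0.36.0.0"),
               ("10.0.0.1", "0.0.0.254")]
    for addr, wc in samples:
        print(f"access-list X permit {addr} {wc}")
        print(f"  stored as: {normalize(addr, wc)} {wc}")
        for warning in lint(addr, wc):
            print(f"  warning: {warning}")
```

The non-contiguous wildcards from the reply above (0.36.0.0 and 0.0.0.254) pass without warnings, while the mistyped 255.255.255.0 entry is flagged both for the discarded address bits and for the mask shape.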
