Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ACL subnet mask

I read an article and excerptted a section as follows:

"access-list 10 permit 192.168.3.0 0.0.0.255

This list allows traffic from all addresses in the range 192.168.3.0 to 192.168.3.255

You can see how the last entry looks similar to a subnet mask, but with Cisco ACLs they use inverse subnet masks. ..."

Is the above statement correct? If so, what does the subnet mask mean if I put it into:

access-list 10 permit 192.168.3.0 255.255.255.0?

Thanks to help.

Scott

3 REPLIES
Hall of Fame Super Silver

Re: ACL subnet mask

Scott

Subnet masks and access list masks are similar in that they both are defining which bits in an address are significant (they must match) and which bits are not. But the two types of masks achieve it in almost opposite ways. In a subnet mask the binary 1 indicates a must match bit and a binary 0 indicates a do not care bit. In access list masks the binary 1 is do not care bit and binary 0 is must match bit.

Also note that a 255 is all binary 1s and a 0 is all binary 0s.

So consider the expression 192.168.3.0 255.255.255.0. If we consider this as a subnet mask (ip address 192.168.3.0 255.255.255.0) then we are saying that the first octet must be 192 (255 mask is all 1s and is must match), the second octet must be 168, the third octet must be 3, and the fourth octet can be anything (0 mask is all 0s is do not care). If we consider the same expression in an access list (permit 192.168.3.0 255.255.255.0 then we are saying that anything can be in the first octet (255 mask is all 1s is do not care), anything can be in the second octet, anything can be in the third octet, and the fourth octet must be 0 (0 mask is all 0s is must match).

Subnet masking and access list masking can be a bit difficult but they are fundamentally important topics. Best luck in continuing to try to understand them.

HTH

Rick

New Member
Hall of Fame Super Silver

Re: ACL subnet mask

Sagar

I believed from the context of the original post that he was asking about the router style syntax of access lists which use inverse masks for access lists. You have posted a good link which assumes that the question was about PIX access lists which use normal subnet masking in access lists. Perhaps we should ask the original poster to clarify which context and which type of access list he was asking about.

HTH

Rick

439
Views
3
Helpful
3
Replies