ACL subnet mask

otnj2ee
Level 1

I read an article and excerpted a section as follows:

"access-list 10 permit 192.168.3.0 0.0.0.255

This list allows traffic from all addresses in the range 192.168.3.0 to 192.168.3.255

You can see how the last entry looks similar to a subnet mask, but with Cisco ACLs they use inverse subnet masks. ..."

Is the above statement correct? If so, what does the subnet mask mean if I put it into:

access-list 10 permit 192.168.3.0 255.255.255.0?

Thanks for the help.

Scott

3 Replies

Richard Burts
Hall of Fame

Scott

Subnet masks and access list masks are similar in that they both are defining which bits in an address are significant (they must match) and which bits are not. But the two types of masks achieve it in almost opposite ways. In a subnet mask the binary 1 indicates a must match bit and a binary 0 indicates a do not care bit. In access list masks the binary 1 is do not care bit and binary 0 is must match bit.

Also note that a 255 is all binary 1s and a 0 is all binary 0s.

So consider the expression 192.168.3.0 255.255.255.0. If we consider this as a subnet mask (ip address 192.168.3.0 255.255.255.0) then we are saying that the first octet must be 192 (255 mask is all 1s and is must match), the second octet must be 168, the third octet must be 3, and the fourth octet can be anything (0 mask is all 0s is do not care). If we consider the same expression in an access list (permit 192.168.3.0 255.255.255.0) then we are saying that anything can be in the first octet (255 mask is all 1s is do not care), anything can be in the second octet, anything can be in the third octet, and the fourth octet must be 0 (0 mask is all 0s is must match).

Subnet masking and access list masking can be a bit difficult but they are fundamentally important topics. Best of luck in continuing to try to understand them.

HTH

Rick

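As an added example (not part of Rick's reply or the original post), the Python below evaluates the same network/mask pair under both readings, converts a subnet mask to its inverse (wildcard) form, and checks an address against an IOS standard-ACL entry of the kind quoted in the question. The function names are my own; the per-octet reading only yields an exact value or "any" where a mask octet is all 1s or all 0s, as in the examples above.

```python
import ipaddress

def _int(dotted):
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))

def care_bits(mask, style):
    """Bits that MUST match. Subnet style: 1 = must match.
    Router ACL (inverse/wildcard) style: 0 = must match, so invert the mask."""
    m = _int(mask)
    if style == "subnet":
        return m
    if style == "wildcard":
        return ~m & 0xFFFFFFFF
    raise ValueError(f"unknown mask style: {style}")

def matches(addr, network, mask, style):
    """True if addr falls under network/mask read in the given style."""
    care = care_bits(mask, style)
    return (_int(addr) & care) == (_int(network) & care)

def subnet_to_wildcard(subnet_mask):
    """255.255.255.0 -> 0.0.0.255: a router ACL mask is the bitwise inverse."""
    return str(ipaddress.IPv4Address(~_int(subnet_mask) & 0xFFFFFFFF))

def octet_rules(network, mask, style):
    """Per-octet reading as in Rick's walk-through: the exact value that must
    match, 'any' for a do-not-care octet, or the care-bit pattern otherwise."""
    care = care_bits(mask, style)
    net = _int(network)
    rules = []
    for shift in (24, 16, 8, 0):
        c = (care >> shift) & 0xFF
        v = (net >> shift) & 0xFF
        if c == 0xFF:
            rules.append(str(v))
        elif c == 0:
            rules.append("any")
        else:
            rules.append(f"bits {c:#04x} must match {v & c:#04x}")
    return tuple(rules)

def standard_acl_result(addr, line):
    """Evaluate one IOS standard ACL entry, e.g.
    'access-list 10 permit 192.168.3.0 0.0.0.255' (wildcard semantics).
    Returns 'permit'/'deny' on a hit, else None (no match falls through;
    a real ACL ends with an implicit deny). A missing mask means one host."""
    parts = line.split()
    action, network = parts[2], parts[3]
    wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"
    return action if matches(addr, network, wildcard, "wildcard") else None
```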

Sagar

I believed from the context of the original post that he was asking about the router style syntax of access lists which use inverse masks for access lists. You have posted a good link which assumes that the question was about PIX access lists which use normal subnet masking in access lists. Perhaps we should ask the original poster to clarify which context and which type of access list he was asking about.

HTH

Rick
