11-04-2005 03:12 PM
I read an article and excerpted a section as follows:
"access-list 10 permit 192.168.3.0 0.0.0.255
This list allows traffic from all addresses in the range 192.168.3.0 to 192.168.3.255
You can see how the last entry looks similar to a subnet mask, but with Cisco ACLs they use inverse subnet masks. ..."
Is the above statement correct? If so, what does the subnet mask mean if I put it into:
access-list 10 permit 192.168.3.0 255.255.255.0?
Thanks for the help.
Scott
11-04-2005 08:37 PM
In an access-list a wildcard mask is used, and 0 in a wildcard mask is match and 1 is don't care. So it will match only the first three octets and doesn't care about the last octet if the wildcard mask is 0.0.0.255.
This is a good link which will help you on access-lists
Rgds
11-04-2005 09:32 PM
Just a quick comment.
The router mainly uses wildcard masks, e.g.
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
PIX mainly uses subnet masks, e.g.
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
Both ACLs above mean exactly the same thing, i.e. to permit traffic originating from 192.168.1.1 - 192.168.1.254 destined for 192.168.2.1 - 192.168.2.254.
11-06-2005 09:49 AM
Thanks for all the responses.
For access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
The response says: "both acls above mean exactly the same thing. i.e. to permit traffic originated from 192.168.1.1 - 192.168.1.254 destined for 192.168.2.1 - 192.168.2.254."
1) For 192.168.1.1 - 192.168.1.254, why not count 192.168.1.0 and 192.168.1.255?
2) For 192.168.2.1 - 192.168.2.254, why not count 192.168.2.0 and 192.168.2.255?
Thanks for the help.
Scott
11-06-2005 02:12 PM
192.168.1.0 and 192.168.2.0 always refer to the subnet itself, and it is not used by any host. Further, 192.168.1.255 and 192.168.2.255 always refer to the broadcast for the subnet, and it is not used by any host.
That's why I said .1 - .254 only. However, please don't be surprised to see .0 being used in some networks, as it is possible, just not very common.
11-08-2005 06:06 AM
Hello,
An access-list (in a router!):
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
would produce this:
access-list 100 permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0
when you do a "show access-list". Since routers work with inverse masks, this access-list would make no sense, since it would not care about the first 3 octets and would exactly match the last octet, which is zero. That is what would happen with your list.
Best regards
Robert Maras
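An added example (my own code, not from any poster in this thread) that works through the masks discussed above in Python: inverting the PIX-style subnet mask into the router's wildcard mask, reproducing why IOS stores 192.168.1.0 255.255.255.0 as 0.0.0.0 255.255.255.0, and testing which addresses each entry actually matches. Function names are my own.

```python
import ipaddress


def to_int(addr: str) -> int:
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def subnet_to_wildcard(mask: str) -> str:
    """Invert a subnet mask (PIX style) into the wildcard mask a router ACL expects."""
    return str(ipaddress.IPv4Address(to_int(mask) ^ 0xFFFFFFFF))


def ios_normalise(addr: str, wildcard: str) -> str:
    """What 'show access-list' displays: address bits under a wildcard 1 (don't care)
    bit are zeroed, because they can never influence the match."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(to_int(addr) & care))


def wildcard_match(candidate: str, addr: str, wildcard: str) -> bool:
    """Router semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(candidate) & care) == (to_int(addr) & care)


def matched_hosts(addr: str, wildcard: str, candidates: list) -> list:
    """Filter a constructed list of addresses through one ACL entry."""
    return [c for c in candidates if wildcard_match(c, addr, wildcard)]


if __name__ == "__main__":
    # Constructed sample addresses, not taken from the thread.
    sample = ["192.168.3.0", "192.168.3.77", "192.168.3.255", "192.168.4.1", "10.9.8.0"]
    print("wildcard for 255.255.255.0:", subnet_to_wildcard("255.255.255.0"))
    print("IOS stores 192.168.1.0 255.255.255.0 as:",
          ios_normalise("192.168.1.0", "255.255.255.0"), "255.255.255.0")
    # Intended entry: matches every address in 192.168.3.0/24 (all 256 values of
    # the last octet; whether .0 and .255 are usable hosts is a separate question).
    print("0.0.0.255 matches:", matched_hosts("192.168.3.0", "0.0.0.255", sample))
    # Subnet mask typed where a wildcard belongs: only the last octet is compared,
    # so any address ending in .0 from any network is matched instead.
    print("255.255.255.0 as wildcard matches:",
          matched_hosts("192.168.3.0", "255.255.255.0", sample))
```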