ACL subnet mask

otnj2ee
Level 1

I read an article and excerpted a section as follows:

"access-list 10 permit 192.168.3.0 0.0.0.255

This list allows traffic from all addresses in the range 192.168.3.0 to 192.168.3.255

You can see how the last entry looks similar to a subnet mask, but with Cisco ACLs they use inverse subnet masks. ..."

Is the above statement correct? If so, what does the subnet mask mean if I put it into:

access-list 10 permit 192.168.3.0 255.255.255.0?

Thanks for the help.

Scott


5 Replies

attrgautam
Level 5

In an access-list a wildcard mask is used: a 0 bit in the wildcard mask means "match" and a 1 bit means "don't care". So with a wildcard mask of 0.0.0.255 it will match only the first three octets and doesn't care about the last octet.

http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_guide09186a0080134a60.html#1036824

This is a good link which will help you with access-lists.

Regards

jackko
Level 7

Just a quick comment.

Routers mainly use wildcard masks, e.g.

access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

PIX mainly uses subnet masks, e.g.

access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

Both ACLs above mean exactly the same thing, i.e. permit traffic originating from 192.168.1.1 - 192.168.1.254 destined for 192.168.2.1 - 192.168.2.254.

Thanks for all the responses.

For access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

the response says: "Both ACLs above mean exactly the same thing, i.e. permit traffic originating from 192.168.1.1 - 192.168.1.254 destined for 192.168.2.1 - 192.168.2.254."

1) For 192.168.1.1 - 192.168.1.254, why not count 192.168.1.0 and 192.168.1.255?

2) For 192.168.2.1 - 192.168.2.254, why not count 192.168.2.0 and 192.168.2.255?

Thanks for the help.

Scott

192.168.1.0 and 192.168.2.0 always refer to the subnet itself, and are not used by any host. Further, 192.168.1.255 and 192.168.2.255 always refer to the broadcast address for the subnet, and are not used by any host.

That's why I said .1 - .254 only. However, don't be surprised to see .0 being used in some networks, as it is possible, just not very common.

maraz
Level 1

Hello,

An access-list (in a router!):

access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

would produce this:

access-list 100 permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0

when you do a "show access-list". Since routers work with the inverse mask, this access-list would make no sense: it would not care about the first three octets and would exactly match the last octet, which is zero. That is what would happen with your list.

Best regards

Robert Maras
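The two mechanics described in the replies above (a 0 bit in the wildcard must match and a 1 bit is "don't care"; IOS clears the don't-care bits of the stored address, so 192.168.1.0 255.255.255.0 is displayed as 0.0.0.0 255.255.255.0) put into code. This is an added example, not code from any of the posts or from Cisco; it is plain Python with no Cisco tooling, and the helper names are my own. It goes a little beyond the thread by also handling a non-contiguous wildcard (0.0.0.254, which matches even last octets), which IOS accepts but nobody above mentions.

```python
"""Wildcard-mask arithmetic for Cisco IOS-style access-list entries (ACEs).

Added example. Models: a 0 wildcard bit must match, a 1 bit is "don't care";
a subnet mask and its wildcard are bitwise complements; IOS clears the
don't-care bits of the address it stores, which is why the entry
'192.168.1.0 255.255.255.0' shows up as '0.0.0.0 255.255.255.0'.
"""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value & ALL_ONES))


def subnet_to_wildcard(subnet_mask: str) -> str:
    """255.255.255.0 -> 0.0.0.255: the wildcard is the bitwise complement."""
    return _to_dotted(_to_int(subnet_mask) ^ ALL_ONES)


def wildcard_to_subnet(wildcard: str) -> str:
    """0.0.0.255 -> 255.255.255.0: same complement, named for readability."""
    return _to_dotted(_to_int(wildcard) ^ ALL_ONES)


def normalize_ace(address: str, wildcard: str) -> tuple[str, str]:
    """Return the address/wildcard pair the way IOS stores and displays it:
    every address bit the wildcard marks as don't-care (1) is cleared."""
    care_bits = _to_int(wildcard) ^ ALL_ONES
    return _to_dotted(_to_int(address) & care_bits), wildcard


def ace_matches(address: str, wildcard: str, candidate: str) -> bool:
    """True if `candidate` satisfies the ACE: only the care bits are compared."""
    care_bits = _to_int(wildcard) ^ ALL_ONES
    return (_to_int(address) & care_bits) == (_to_int(candidate) & care_bits)


def match_count(wildcard: str) -> int:
    """How many distinct IPv4 addresses an ACE with this wildcard matches:
    2 ** (number of don't-care bits)."""
    return 1 << bin(_to_int(wildcard)).count("1")


def matched_in_network(address: str, wildcard: str, network: str) -> list[str]:
    """Every address inside `network` (CIDR) that the ACE matches. The bit test
    knows nothing about network or broadcast addresses: .0 and .255 are
    included whenever they pass it."""
    net = ipaddress.IPv4Network(network)  # iteration includes .0 and .255
    return [str(ip) for ip in net if ace_matches(address, wildcard, str(ip))]


if __name__ == "__main__":
    # The entry from the question, written correctly for IOS.
    print(normalize_ace("192.168.3.0", "0.0.0.255"))          # ('192.168.3.0', '0.0.0.255')
    print(len(matched_in_network("192.168.3.0", "0.0.0.255", "192.168.3.0/24")))  # 256
    # The same entry with a subnet mask typed where IOS expects a wildcard.
    print(normalize_ace("192.168.1.0", "255.255.255.0"))       # ('0.0.0.0', '255.255.255.0')
    print(matched_in_network("192.168.1.0", "255.255.255.0", "192.168.1.0/24"))  # ['192.168.1.0']
    print(ace_matches("192.168.1.0", "255.255.255.0", "10.20.30.0"))  # True: any host ending in .0
```

The last two lines are the practical point behind Robert's reply: a mask written in the wrong convention does not fail to parse, it silently becomes a different rule. On IOS, 192.168.1.0 255.255.255.0 matches 10.20.30.0 but not 192.168.1.1, while the same text on a PIX is a /24. Note also that the bit test matches all 256 values under 0.0.0.255, including .0 and .255; whether any host actually uses those addresses is a separate question from what the ACE matches.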