
New Member

access-list

hi friends,

Need a clarification. If an access-list has been created without any wildcard mask, the mask defaults to 0.0.0.0.

So what will happen with the access-lists below?

permit ip 10.1.0.0

permit ip 10.0.1.0

permit ip 192.168.0.0

permit ip 172.16.0.0

I'm seeing some matches on these access-lists. How can these lists be matched when there is nothing specific?

5 REPLIES
Silver

Re: access-list

Hello,

It may be matching the route entries in the routing table.

How and where are you using this access-list?

Hall of Fame Super Silver

Re: access-list

Rajeev

You start with a very valid observation that the default mask is 0.0.0.0, which indicates an exact match. So your access list is equivalent to:

permit ip 10.1.0.0 0.0.0.0

permit ip 10.0.1.0 0.0.0.0

permit ip 192.168.0.0 0.0.0.0

permit ip 172.16.0.0 0.0.0.0

So the first 2 lines could legitimately be host addresses and the last 2 lines would be network addresses. You have not told us how the access list is used, so we do not know yet whether host matches are legitimate (access list applied with access-group to filter packets on an interface) or whether network matches are legitimate (access list applied in a distribute list to control routing updates). But either pair of lines could legitimately match against some things.

HTH

Rick
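To make Rick's point concrete, here is an added example (not code from the thread or from Cisco) that implements Cisco standard-ACL wildcard matching in Python and evaluates the poster's three lines in both roles: as a packet filter, where the ACL is tested against a packet's source address, and in a distribute-list or route-map, where it is tested against the route's network address. The ACL entries, the sample source addresses and the sample /24 routes are constructed for illustration, and the implicit wildcard is taken to be 0.0.0.0 as the thread states.

```python
"""Added example: Cisco standard ACL wildcard matching, used as a packet
filter versus as a route filter.  ACL entries, packet sources and routes
below are constructed for illustration; they are not from the thread."""
import ipaddress


def wildcard_match(addr: str, acl_addr: str, wildcard: str = "0.0.0.0") -> bool:
    """Cisco wildcard semantics: a 1 bit means 'don't care', a 0 bit means
    'must match'.  The default wildcard 0.0.0.0 therefore demands an exact
    32-bit match (the same as the 'host' keyword)."""
    a = int(ipaddress.IPv4Address(addr))
    e = int(ipaddress.IPv4Address(acl_addr))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must be equal
    return (a & care) == (e & care)


def evaluate_acl(acl, addr: str) -> str:
    """First-match evaluation with the implicit 'deny' at the end.
    acl is a list of (action, address, wildcard-or-None) tuples; None means
    the wildcard was omitted and defaults to 0.0.0.0."""
    for action, acl_addr, wildcard in acl:
        if wildcard_match(addr, acl_addr, wildcard or "0.0.0.0"):
            return action
    return "deny"                    # implicit deny any


# The ACL from the thread, written without wildcard masks (constructed copy).
ACL = [
    ("permit", "10.1.0.0", None),
    ("permit", "10.0.2.0", None),
    ("permit", "10.0.0.0", None),
]


def filter_packets(acl, sources):
    """ACL applied with ip access-group: tested against each packet's
    source address.  Only a packet whose source is exactly the listed
    address can match an entry with the default wildcard."""
    return {src: evaluate_acl(acl, src) for src in sources}


def filter_routes(acl, routes):
    """ACL applied in a distribute-list / route-map 'match ip address':
    tested against each route's network address, so a /24 whose network
    address is listed matches even though no wildcard was given."""
    return {r: evaluate_acl(acl, r.split("/")[0]) for r in routes}


if __name__ == "__main__":
    # Constructed sample input: customer LAN hosts and static /24 routes.
    print(filter_packets(ACL, ["10.1.0.1", "10.0.2.0", "10.0.0.1"]))
    print(filter_routes(ACL, ["10.1.0.0/24", "10.0.2.0/24",
                              "10.0.0.0/24", "10.0.1.0/24"]))
    # An explicit wildcard is what you need to match a whole /24 of hosts.
    print(evaluate_acl([("permit", "10.1.0.0", "0.0.0.255")], "10.1.0.1"))
```

Run as a script it shows that, as a packet filter, only the one source that exactly equals a listed address (10.0.2.0) is permitted, while as a route filter every /24 whose network address is listed is permitted and 10.0.1.0/24 is denied. `wildcard_match("10.1.0.0", "10.0.0.0")` is False, so `permit 10.0.0.0` with the default mask is not matching a classful 10.0.0.0/8 block; it matches the single prefix 10.0.0.0. To compare a whole subnet's hosts you need an explicit wildcard such as `0.0.0.255`.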

New Member

Re: access-list

Hi Rick, thanks for the reply.

I'm using these access-lists in my redistribution (static to OSPF).

Most of my source addresses are /24.

For example,

Cust A LAN IP 10.1.0.1

Cust B LAN IP 10.0.2.0

Cust C LAN IP 10.0.0.1

In my PE router I'm matching this as

permit 10.1.0.0

permit 10.0.2.0

permit 10.0.0.0

Will this match my traffic and redistribute into OSPF? (It's doing so!!!)

So what else is allowed? I'm really wondering if it's matching the class-based networks. Please clarify.

New Member

Re: access-list

Hi,

"I'm really wondering if it's matching the class-based networks. Please clarify."

You can try redistribution of a classful network to see whether it actually is taking place.

redistribute static route-map

vs

redistribute static route-map subnets

According to my understanding these hits correspond to the classless (/24) networks that are redistributed into OSPF.

HTH

New Member

Re: access-list

You could emulate this scenario and do clear ospf process (or traffic) to see the hits on the ACLs when those networks are redistributed.

For instance,

Standard IP access list 10

10 permit 10.0.0.0 log (1 match)

20 permit 10.1.0.0 log (1 match)

--

%SEC-6-IPACCESSLOGNP: list 10 permitted 0 10.0.0.0 -> 0.0.0.0, 1 packet

%SEC-6-IPACCESSLOGNP: list 10 permitted 0 10.1.0.0 -> 0.0.0.0, 1 packet
