Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ACL and subnet mask

Hello,

Do you know why Cisco keeps invert subnet masks (example: 10.0.0.0 0.0.0.255).

It would simpler and safer to use a number to define a mask (example: 255.0.0.0 - normal or 0.0.0.255 -invert => 8), no?

REgards

Pet

****************

http://www.openmaniak.com

  • WAN Routing and Switching
3 REPLIES

Re: ACL and subnet mask

Because it is a wildcard, not a mask.

a mask must be contiguous, a wild card need not be. Using them opposite makes that a little less confusing.

I also suspect that when initially coding, it may have been more efficient somehow to use them this way round.

Paul.

New Member

Re: ACL and subnet mask

Thanks for your answer, i think it is more for a backward compatibily, to keep the same syntax on

all the IOSs.

For example, The Juniper and the vyatta routers use only a number for the mask (or the invert mask which only exist on Cisco)

Regards

Pet.

*********

http://openmaniak.com

Re: ACL and subnet mask

Using a number for the wildcard on an ACL would either make it more difficult or very awkward to some creative stuff with ACLs.

Take a position where you have a VERY structured IP addressing scheme based on 10.0.0.0, and you use the middle two octets to signify where the network is, and what type of network.

Using the high half of the second octet is noth. low half south, and use use even numbers for private networks, and odd for public. The third octed being odd means it is a wireless network.

You want to permit private wireless in the south.

Thats 10.0xxxxxx0.xxxxxxx1.don't care

or acce 10 pe ip 10.0.1.0 0.129.1.255 simple all those condidtions in one line of an access list.

TBH I quite like it as it is, but I have been working with it for a number of years so am familiar. What this all means is that I can see that it is a mask, and that it is legit (mask must be contiguous so allowed values are 128 192 224 240 248 252 254 and 255) or that is is a wild card. The way it gets presented makes it obvious as well.

10.23.0.0 255.255.0.0 is *clearly* a mask.

0.0.23.46 255.255.0.0 is clearly a wild card, as the bits that are a 1 in the wild card are zero in the "address".

t may look confusing, but once you get the hang, it makes sense,

Paul.

310
Views
0
Helpful
3
Replies
This widget could not be displayed.