07-26-2013 08:22 PM
Can someone clarify how the ACL wildcard mask works in the ACE30? Ideally, a wildcard mask of 0.0.0.0 should match all, but what I am seeing is that it is treating it as match any.
Here is the scenario: I would like to capture all traffic between 1.1.1.1 and 2.2.2.2, and my ACL for the capture filter is
access-list capture line 8 extended permit ip 1.1.1.1 0.0.0.0 2.2.2.2 0.0.0.0
access-list capture line 16 extended permit ip 2.2.2.2 0.0.0.0 1.1.1.1 0.0.0.0
However, the capture file shows flows from the whole subnet. Why is that?
thanks
-Harish
08-02-2013 12:47 PM
Hi,
Try with an ACL like this:
access-list cap line 8 extended permit ip host 1.1.1.1 host 2.2.2.2
access-list cap line 8 extended permit ip host 2.2.2.2 host 1.1.1.1
---------------------
Cesar R
ANS Team
08-02-2013 12:49 PM
Of course, that would work. I would like to know why the other syntax is not working. Functionally, it is the same.
thanks
-Harish
08-02-2013 12:56 PM
Hi Harish,
From the documentation:
"For the source IP address netmask, the ACE supports only standard subnet mask entries in an ACL. Wildcard entries (for example, 0.0.0.15) and non-standard subnet masks are not supported."
"For the destination IP address netmask, the ACE supports only standard subnet mask entries in an ACL. Wildcard entries (for example, 0.0.0.15) and non-standard subnet masks are not supported. "
---------------------
Cesar R
ANS Team
08-02-2013 01:00 PM
Aha! That helps. Not sure why it is not implemented that way though (as in normal IOS).
-Harish
08-02-2013 01:07 PM
---------------------
Cesar R
ANS Team
08-05-2013 08:41 AM
I also noticed that the ACE converts the mask 255.255.255.255 to "host". I would think it is treating it in reverse, but it is confusing.
Ex:
access-list TEST extended permit ip 1.1.1.1 255.255.255.255 2.2.2.2 255.255.255.255
is converted to this (in the running config).
access-list TEST line 8 extended permit ip host 1.1.1.1 host 2.2.2.2
08-05-2013 10:32 AM
I think I can see what the issue is. In ACE it is not the wildcard mask, but the subnet mask. So 255.255.255.255 is match all and 0.0.0.0 is match any.
08-09-2013 03:39 PM
Hi,
Yes, correct.
---------------------
Cesar R
ANS Team
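The thread's conclusion (ACE masks are subnet masks, so set bits are "must match" and 0.0.0.0 is match any, the inverse of an IOS wildcard) is easy to see by evaluating the same ACL under both interpretations. The block below is an added illustration, not code from the thread or from Cisco: the helper names, the `dict` ACL representation and the sample flows are assumptions made for the example, and the contiguity check models the documentation quote that non-standard masks are rejected.

```python
import ipaddress
from typing import Literal

Semantics = Literal["wildcard", "subnet"]


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def is_contiguous_subnet_mask(mask: str) -> bool:
    """True for a standard subnet mask (ones followed by zeros, e.g. 255.255.255.240).

    Models the doc statement that ACE rejects wildcard-style and non-standard masks.
    """
    inv = (~_to_int(mask)) & 0xFFFFFFFF
    return (inv & (inv + 1)) == 0


def wildcard_to_subnet(wildcard: str) -> str:
    """Convert an IOS wildcard (0.0.0.15) to the ACE subnet-mask form (255.255.255.240)."""
    subnet = str(ipaddress.IPv4Address((~_to_int(wildcard)) & 0xFFFFFFFF))
    if not is_contiguous_subnet_mask(subnet):
        raise ValueError(f"{wildcard} has no standard subnet-mask equivalent")
    return subnet


def address_matches(ace_addr: str, ace_mask: str, pkt_addr: str, semantics: Semantics) -> bool:
    """Does pkt_addr fall inside ace_addr/ace_mask under the given mask semantics?

    wildcard (IOS): a set mask bit means "don't care".
    subnet (ACE):   a set mask bit means "must match".
    """
    a, m, p = _to_int(ace_addr), _to_int(ace_mask), _to_int(pkt_addr)
    care_bits = (~m & 0xFFFFFFFF) if semantics == "wildcard" else m
    return (a & care_bits) == (p & care_bits)


def entry_matches(entry: dict, pkt_src: str, pkt_dst: str, semantics: Semantics) -> bool:
    return address_matches(entry["src"], entry["src_mask"], pkt_src, semantics) and \
        address_matches(entry["dst"], entry["dst_mask"], pkt_dst, semantics)


def matching_flows(entries: list, flows: list, semantics: Semantics) -> list:
    """Return the (src, dst) flows that any entry in the ACL permits."""
    return [f for f in flows if any(entry_matches(e, f[0], f[1], semantics) for e in entries)]


def _render_addr(addr: str, mask: str) -> str:
    # Mirrors what the thread observed in the running config: 255.255.255.255 becomes "host".
    return f"host {addr}" if mask == "255.255.255.255" else f"{addr} {mask}"


def render_ace_line(name: str, entry: dict) -> str:
    return (f"access-list {name} extended permit ip "
            f"{_render_addr(entry['src'], entry['src_mask'])} "
            f"{_render_addr(entry['dst'], entry['dst_mask'])}")


# Constructed sample: the poster's capture ACL, written with 0.0.0.0 "wildcards".
CAPTURE_ACL = [
    {"src": "1.1.1.1", "src_mask": "0.0.0.0", "dst": "2.2.2.2", "dst_mask": "0.0.0.0"},
    {"src": "2.2.2.2", "src_mask": "0.0.0.0", "dst": "1.1.1.1", "dst_mask": "0.0.0.0"},
]

# Constructed sample flows: the two wanted ones plus unrelated traffic.
SAMPLE_FLOWS = [
    ("1.1.1.1", "2.2.2.2"),
    ("2.2.2.2", "1.1.1.1"),
    ("1.1.1.7", "2.2.2.9"),
    ("10.0.0.1", "192.168.1.1"),
]

if __name__ == "__main__":
    print("IOS wildcard reading:", matching_flows(CAPTURE_ACL, SAMPLE_FLOWS, "wildcard"))
    print("ACE subnet-mask reading:", matching_flows(CAPTURE_ACL, SAMPLE_FLOWS, "subnet"))
    host_entry = {"src": "1.1.1.1", "src_mask": "255.255.255.255",
                  "dst": "2.2.2.2", "dst_mask": "255.255.255.255"}
    print(render_ace_line("TEST", host_entry))
```

Under the wildcard reading the ACL selects only the two 1.1.1.1/2.2.2.2 flows; under the ACE's subnet-mask reading a mask of 0.0.0.0 leaves no bits that must match, so every flow is permitted, which is exactly the "whole subnet in the capture" symptom. The same code shows that 255.255.255.255 is the ACE's exact-host mask, rendered as `host`, and that an IOS wildcard such as 0.0.0.15 has to be inverted to 255.255.255.240 before the ACE will accept it.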