Access-List

ney25
Level 2

Dear Netpro.

Can anyone explain how the access-list can be used in such a way?

question 1:

access-list 10 permit 192.168.207.0 0.0.4.0

question 2:

access-list 10 permit 192.168.207.0 0.0.4.255

Your reply will be highly appreciated.

Regards,

Jack

Accepted Solution

vijayasankar
Level 4

Hi

Such wildcard masks are always very tricky to handle.

The basic rule of thumb for wildcard masks, as you may know, is as follows.

A binary "0" in the wildcard mask represents a care bit for the corresponding position in the IP address field.

A binary "1" in the wildcard mask represents a don't care bit for the corresponding position in the IP address field.

For the first question.

question 1:

access-list 10 permit 192.168.207.0 0.0.4.0

The wildcard mask 0.0.4.0 means the first, second and fourth octets of the IP address cannot be changed at all.

Now take the third octet in the wildcard mask, "4". Convert it to binary.

It is 00000100.

Convert the third octet of the ip address, which is 207 => 11001111.

207 => 11001111

4 => 00000100

Here all the corresponding binary positions in the IP address which are 0 in the wildcard mask cannot be changed.

So only the 3rd bit in the IP address octet is represented by a don't care bit "1" in the wildcard mask. This means all other bits in the IP address cannot be changed; only the 3rd bit is a don't care bit => it can be either 1 or 0.

It means both "11001111" and "11001011" match against the wildcard mask "00000100".

When you translate this in decimal octet,

11001111 => 207

11001011 => 203

So access-list 10 permit 192.168.207.0 0.0.4.0 means it will match both 192.168.207.0 and 192.168.203.0

question 2:

access-list 10 permit 192.168.207.0 0.0.4.255

Applying the same logic in this example, the only difference is the last octet in the wildcard mask, which translates as follows.

The first octet and the second octet of the IP address cannot be changed (i.e. care bits).

The third bit in the third octet of the IP address can be changed (don't care bit).

The last octet of the IP address can be anything (don't care bit in all 8 binary positions: 11111111 => wildcard mask 255).

When you apply the same logic, "access-list 10 permit 192.168.207.0 0.0.4.255" matches the following:

192.168.207.0 to 192.168.207.255

and

192.168.203.0 to 192.168.203.255

Hope this clarifies.

-VJ
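As an added illustration (not part of VJ's post or of the original thread), the following Python script applies the care/don't-care rule from the answer above to a whole address: it tests whether an address matches a base/wildcard pair, lists the values a single octet can take under its wildcard octet (the 207/4 working above), and enumerates every contiguous range a non-contiguous wildcard such as 0.0.4.255 permits. Function names and the sample addresses are my own choices, not Cisco or community code.

```python
from __future__ import annotations

import ipaddress
from itertools import product

MASK32 = 0xFFFFFFFF


def to_int(dotted: str) -> int:
    """Dotted-quad string (address or wildcard) to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def to_str(value: int) -> str:
    """32-bit integer back to dotted-quad notation."""
    return str(ipaddress.IPv4Address(value))


def wildcard_matches(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard test: every bit that is 0 in the wildcard (a care bit)
    must be identical in addr and base; bits that are 1 are don't care."""
    care = ~to_int(wildcard) & MASK32
    return (to_int(addr) & care) == (to_int(base) & care)


def octet_values(addr_octet: int, wc_octet: int) -> list[int]:
    """All values one octet can take under its wildcard octet.
    Mirrors the binary working in the answer: 207 with wildcard 4 -> [203, 207]."""
    fixed = addr_octet & ~wc_octet & 0xFF
    free_bits = [i for i in range(8) if (wc_octet >> i) & 1]
    values = set()
    for combo in product((0, 1), repeat=len(free_bits)):
        v = fixed
        for on, pos in zip(combo, free_bits):
            if on:
                v |= 1 << pos
        values.add(v)
    return sorted(values)


def matched_ranges(base: str, wildcard: str) -> list[tuple[str, str]]:
    """Enumerate the contiguous address ranges a base/wildcard pair permits.
    Trailing don't-care bits form one contiguous span; every other don't-care
    bit doubles the number of separate spans (the non-contiguous case)."""
    b, w = to_int(base), to_int(wildcard)
    fixed = b & ~w & MASK32
    trailing = 0
    while trailing < 32 and (w >> trailing) & 1:
        trailing += 1
    span = (1 << trailing) - 1
    scattered = [i for i in range(trailing, 32) if (w >> i) & 1]
    ranges = []
    for combo in product((0, 1), repeat=len(scattered)):
        start = fixed
        for on, pos in zip(combo, scattered):
            if on:
                start |= 1 << pos
        ranges.append((to_str(start), to_str(start | span)))
    return sorted(ranges, key=lambda r: to_int(r[0]))


def match_count(wildcard: str) -> int:
    """Number of distinct addresses a wildcard permits: 2 ** (number of 1 bits)."""
    return 1 << bin(to_int(wildcard)).count("1")


if __name__ == "__main__":
    # Both entries from the question, using the constructed base 192.168.207.0.
    for wc in ("0.0.4.0", "0.0.4.255"):
        print(f"access-list 10 permit 192.168.207.0 {wc}")
        for lo, hi in matched_ranges("192.168.207.0", wc):
            print(f"  {lo} - {hi}")
        print(f"  {match_count(wc)} addresses in total")
```

When reviewing an ACL, the enumerated ranges are the thing to compare against the network the entry was meant to cover: a single stray 1 bit in a middle octet, as in 0.0.4.255, silently doubles what the permit statement allows (here 192.168.203.0/24 as well as 192.168.207.0/24), and nothing in the running configuration flags that.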


Thanks VJ.

Regards,

Jack