Simple ACL but why I can't match 2 addresses in one ACL?

news2010a (Level 3)

Hi, I imagine I need to build one ACL to match the following addresses:

135.7.183.0

135.7.184.0

I wrote the third octets in binary:

10110111 = 183

10111000 = 184

Then I did AND operation between 183 and 184 in binary:

10110000 = 176

and XOR operation as well to find mask:

10110111 = 183

10111000 = 184

Doing XOR is:

00001111 = 15

So in my calculation (I already used other methods), the access-list would be

access-list 1 permit 135.7.176.0 0.0.15.0

The problem is that this does not seem to match 183 and 184. What am I missing here, please? It seems so simple but I do not know why this is failing...

1 Accepted Solution

Accepted Solutions

Nikita Singh (Cisco Employee)

Not sure what you are trying to do. Are you trying to match this?

135.7.183.0/24

135.7.184.0/24

FYI- in 135.7.183.0/24 > 135.7.183.1- 135.7.183.254 is the host range, 135.7.183.0 is subnet id and 135.7.183.255 is the broadcast address.

The easiest way to do the above would be

access-list 1 permit 135.7.183.0 0.0.0.255

access-list 1 permit 135.7.184.0 0.0.0.255

Use the following for better understanding:

http://www.subnet-calculator.com/subnet.php?net_class=B

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#standacl

Please rate the post if it helps.


3 Replies


In this case the mask was not given. It strictly matches the 138.7.183.0 and 138.7.184.0 addresses (not the networks).


So OK I just wanted to confirm I was not getting crazy. In this case it is not possible to aggregate this into one entry. Thanks.

sujinair (Level 1)

Hi

The logic that you used is correct; the only reason that this is not matching the traffic is that you have left the last octet as 0 in the mask. To match all the traffic in both subnets you need to have .255 in the last octet of the mask, as shown below:

access-list 1 permit 135.7.176.0 0.0.15.255

Otherwise it would match only the network addresses 135.7.183.0 and 135.7.184.0 and deny the rest of the subnet IPs.

Regards,

Sujit
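The wildcard arithmetic from the question (AND for the base address, XOR for the mask), Nikita's two-entry ACL, and Sujit's 0.0.15.255 variant can all be checked with a few lines of code. The script below is an added worked example, not code from the thread or from Cisco; it only assumes standard Cisco wildcard semantics (a 0 bit in the wildcard must match, a 1 bit is "don't care") and the usual top-down, first-match, implicit-deny evaluation of a standard ACL. It generalises the AND/XOR method to any number of addresses and reports how many addresses a single entry really covers, which is the point the question turns on.

```python
"""Cisco standard-ACL wildcard-mask arithmetic (added example, not from the thread).

Assumed semantics: a wildcard bit of 0 means "this bit of the packet's source
address must equal the ACL address"; a bit of 1 means "don't care".
"""
import ipaddress
from typing import Iterable, List, Tuple

MASK32 = 0xFFFFFFFF


def _to_int(a: str) -> int:
    return int(ipaddress.IPv4Address(a))


def _to_str(n: int) -> str:
    return str(ipaddress.IPv4Address(n))


def matches(packet_src: str, acl_address: str, wildcard: str) -> bool:
    """True if packet_src hits the entry `permit acl_address wildcard`."""
    care = ~_to_int(wildcard) & MASK32                      # bits that must be equal
    return (_to_int(packet_src) & care) == (_to_int(acl_address) & care)


def entry_size(wildcard: str) -> int:
    """Number of distinct addresses one address/wildcard entry covers: 2 ** (don't-care bits)."""
    return 1 << bin(_to_int(wildcard)).count("1")


def aggregate(addrs: Iterable[str]) -> Tuple[str, str]:
    """Smallest single address/wildcard entry covering every address in addrs.

    base     = AND of all addresses (don't-care bits come out as 0)
    wildcard = OR of (addr XOR first) = every bit position where any two addresses differ
    This is the AND/XOR method from the question, generalised to N addresses.
    """
    ints = [_to_int(a) for a in addrs]
    base, wc = ints[0], 0
    for x in ints[1:]:
        wc |= x ^ ints[0]
        base &= x
    return _to_str(base), _to_str(wc)


def covers_exactly(addrs: Iterable[str]) -> bool:
    """Can ONE entry match these addresses and nothing else?

    Only when the aggregate's size equals the number of distinct addresses; an
    entry always covers a power of two, so {183.0, 184.0} (16 addresses) cannot.
    """
    uniq = list(dict.fromkeys(addrs))
    _, wc = aggregate(uniq)
    return entry_size(wc) == len(uniq)


def expand(acl_address: str, wildcard: str, limit: int = 64) -> List[str]:
    """Enumerate the addresses an entry matches (capped at `limit`) for inspection."""
    base, wc = _to_int(acl_address), _to_int(wildcard)
    free_bits = [i for i in range(32) if (wc >> i) & 1]
    out = []
    for k in range(min(1 << len(free_bits), limit)):
        n = base & ~wc & MASK32
        for j, bit in enumerate(free_bits):
            if (k >> j) & 1:
                n |= 1 << bit
        out.append(_to_str(n))
    return out


def acl_permits(packet_src: str, entries: List[Tuple[str, str, str]]) -> bool:
    """Evaluate a standard ACL: top-down, first match wins, implicit deny at the end.
    Each entry is (action, address, wildcard) with action 'permit' or 'deny'."""
    for action, address, wildcard in entries:
        if matches(packet_src, address, wildcard):
            return action == "permit"
    return False


if __name__ == "__main__":
    targets = ["135.7.183.0", "135.7.184.0"]            # the two addresses from the question
    addr, wc = aggregate(targets)
    print(f"aggregate entry : access-list 1 permit {addr} {wc}")
    print(f"covers {entry_size(wc)} addresses, exact match = {covers_exactly(targets)}")
    print("matched by 0.0.15.0 :", expand(addr, wc))     # third octet 176..191, last octet 0
    for host in ["135.7.183.0", "135.7.183.1", "135.7.190.77"]:
        print(host, "0.0.15.0 ->", matches(host, addr, "0.0.15.0"),
              "| 0.0.15.255 ->", matches(host, addr, "0.0.15.255"))
    two_lines = [("permit", "135.7.183.0", "0.0.0.255"), ("permit", "135.7.184.0", "0.0.0.255")]
    print("135.7.185.1 via two /24 entries:", acl_permits("135.7.185.1", two_lines))
```

Running it shows why the thread ends where it does: `aggregate` reproduces the question's `135.7.176.0 0.0.15.0`, but that entry covers 16 addresses (third octet 176 through 191, last octet 0), so it matches more than the two intended ones and no single entry can match exactly those two. With `0.0.15.255` the entry matches every host in 135.7.176.0 through 135.7.191.255, including 135.7.190.77, whereas Nikita's two /24 entries permit only the two intended subnets and fall through to the implicit deny for 135.7.185.1.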
