Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
978
Views
5
Helpful
3
Replies

Simple ACL but why I can't match 2 addresses in one ACL?

Go to solution
news2010a
Level 3
Level 3

‎03-12-2011 06:14 PM - edited ‎03-04-2019 11:43 AM

Hi, I imagine I need to build one ACL to match the following addresses:

135.7.183.0

135.7.184.0

I wrote the third octets in binary:

10110111 = 183

10111000 = 184

Then I did AND operation between 183 and 184 in binary:

10110000 = 176

and XOR operation as well to find mask:

10110111 = 183

10111000 = 184

Doing XOR is:

00001111 = 15

So in my calculation (I already used other methods), the access-list would be

access-list 1 permit 135.7.176.0 0.0.15.0

The problem is that this does not seem to match 183 and 184. What am I  missing here please? It seems so simple but I do not know why this is  failing...

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Nikita Singh
Cisco Employee
Cisco Employee

‎03-12-2011 11:06 PM

Not sure what you are trying to do,

Are you trying to match this-

135.7.183.0/24

135.7.184.0/24

FYI- in 135.7.183.0/24 > 135.7.183.1- 135.7.183.254 is the host range, 135.7.183.0 is subnet id and 135.7.183.255 is the broadcast address.

The easiest way to do the above would be

access-list 1 permit 135.7.183.0 0.0.0.255

access-lsit 1 permit 135.7.184.0 0.0.0.255

Use the foll for better understanding:

http://www.subnet-calculator.com/subnet.php?net_class=B

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#standacl

Please rate the post if it helps.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Nikita Singh
Cisco Employee
Cisco Employee

‎03-12-2011 11:06 PM

Not sure what you are trying to do,

Are you trying to match this-

135.7.183.0/24

135.7.184.0/24

FYI- in 135.7.183.0/24 > 135.7.183.1- 135.7.183.254 is the host range, 135.7.183.0 is subnet id and 135.7.183.255 is the broadcast address.

The easiest way to do the above would be

access-list 1 permit 135.7.183.0 0.0.0.255

access-lsit 1 permit 135.7.184.0 0.0.0.255

Use the foll for better understanding:

http://www.subnet-calculator.com/subnet.php?net_class=B

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#standacl

Please rate the post if it helps.

0 Helpful

Go to solution
news2010a
Level 3
Level 3
In response to Nikita Singh

‎03-13-2011 08:40 AM

In this case mask was not given. It is stricly match the 138.7.183.0 and 138.7.184.0 addresses (not network).


So OK I just wanted to confirm I was not getting crazy. In this case it is not possible to aggregate this into one entry. Thanks.

0 Helpful

Go to solution
sujinair
Level 1
Level 1

‎03-13-2011 12:16 AM

Hi

The logic that you used is correct, the only reason that this is not matching the traffic is because you have left the last octect as 0 in the mask. To match all the traffic the in both the subnets you need to have .255 in the mask in the last octet as shown below:

access-list 1 permit 135.7.176.0 0.0.15.255

else it would try to match only the network addresses 135.7.183.0 and 135.7.184.0 and will deny rest of the subnet IPs.

Regards,

Sujit

Customers Also Viewed These Support Documents
Top