07-09-2008 12:09 AM - edited 03-03-2019 10:39 PM
Consider the following ACL statement,
access-list 101 permit ip 202.160.13.10 0.12.80.0 any
Unlike many other ACLs, this doesn't follow the subnet sequence (e.g. access-list 40 deny 192.168.20.16 0.0.0.15).
So what do you think the above mentioned ACL statement means? I mean, which source addresses would be allowed by the above mentioned ACL?
Thanks
07-09-2008 01:10 AM
I did it in my head, so my explanation will be a bit intuitive and unrigorous. OK, looking at the mask and breaking it down to bits:
12 = 0000 1100 = 8+4
80 = 0101 0000 = 64+16
So, y is 160 plus any combination of 4 and 8, i.e. 160, (160+4), (160+8), (160+8+4)
Similarly, x is 13, plus any combination of 16 and 64, i.e. 13, (13+16), (13+64), (13+64+16)
But first I checked that 160 did not have the 4 bit or the 8 bit set, otherwise the statement would have got modified as you type it in.
Similarly, I checked that 13 did not have the 16 bit or the 64 bit set.
Kevin Dorrell
Luxembourg
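As an added example (not code from any post in this thread), a small Python script that applies Kevin's bit-by-bit reasoning mechanically: it tests one source address against a wildcard statement, normalises the base address the way IOS does when a base bit falls under a don't-care mask bit, and enumerates every source address the statement permits. The function names and the constructed test addresses are my own.

```python
from ipaddress import IPv4Address
from itertools import product


def _ints(acl_ip: str, wildcard: str) -> tuple[int, int]:
    return int(IPv4Address(acl_ip)), int(IPv4Address(wildcard))


def wildcard_matches(packet_ip: str, acl_ip: str, wildcard: str) -> bool:
    """Cisco wildcard test: a 1 bit in the wildcard is 'don't care',
    a 0 bit must match the ACL address exactly."""
    a, w = _ints(acl_ip, wildcard)
    p = int(IPv4Address(packet_ip))
    return (p & ~w) == (a & ~w)


def normalised_base(acl_ip: str, wildcard: str) -> str:
    """IOS clears any base-address bit that the wildcard marks don't-care;
    this is the 'statement gets modified as you type it in' effect Kevin
    describes (constructed helper, mirrors the observable IOS behaviour)."""
    a, w = _ints(acl_ip, wildcard)
    return str(IPv4Address(a & ~w))


def expand_wildcard(acl_ip: str, wildcard: str) -> list[str]:
    """Enumerate every address the statement matches by trying each subset
    of the wildcard's set bits; the result has 2**popcount(wildcard) entries."""
    a, w = _ints(acl_ip, wildcard)
    base = a & ~w
    free_bits = [1 << i for i in range(32) if (w >> i) & 1]
    addrs = []
    for choice in product((0, 1), repeat=len(free_bits)):
        value = base
        for bit, on in zip(free_bits, choice):
            if on:
                value |= bit
        addrs.append(str(IPv4Address(value)))
    return sorted(addrs, key=lambda s: int(IPv4Address(s)))


if __name__ == "__main__":
    # The statement from the question: 16 sources, not a contiguous subnet.
    for addr in expand_wildcard("202.160.13.10", "0.12.80.0"):
        print(addr)
    # The 'normal' subnet-style wildcard from the question, for comparison.
    print(len(expand_wildcard("192.168.20.16", "0.0.0.15")), "hosts")
```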
07-09-2008 12:49 AM
Either this is a mistake, or it was designed by someone who is very clever at access lists. ;-)
It allows 202.x.y.10, where:
x = 160, 164, 168, 172
y = 13, 29, 77, 93
I hope I got that right, but I'm sure someone will check my working.
Kevin Dorrell
Luxembourg
07-09-2008 12:53 AM
Well, it wasn't a mistake for sure...
Thanks for your reply Kevin, but could you please explain your working?
regards
07-09-2008 01:14 AM
I agree with Kevin's working. The wildcard works in binary: when written in binary, where there is a 1, either a 1 or a 0 is allowed in the equivalent bit position in the IP address; where there is a 0 it has to be an exact match. Thus if you turn 12 and 80 into binary bit patterns and match them against the corresponding binary address positions, the allowable addresses are those given by Kevin.
07-09-2008 02:00 AM
Thanks a lot
:)
07-09-2008 07:18 PM
Thanks a lot for your reply Kevin, I have a better understanding of ACLs now. So am I correct in assuming, from the earlier problem,
Ex : 202.20.20.13 0.12.80.0
That obviously 202, and 13 remain, however
20 is at .12
Meaning that
12 = 0000 1100 = 8 8+4
and
20 is at .80
80 = 1100 0000 = 84 64+16
combination of
202.20.20.13
202.28.84.13
202.32.100.13