09-24-2013 05:32 PM - edited 03-07-2019 03:39 PM
Hi Everyone,
The router has the ACL below configured:
access-list 106 permit 0.0.0.0.27 255.255.255.224 host 200.x.x.x.x
I need to know which IP addresses this ACL will allow.
Regards
Mahesh
09-24-2013 06:40 PM
Hi Mahesh,
It seems to me the wildcard mask in this ACL has not been converted from subnet notation to the wildcard notation, and as a result, the ACL matches a very peculiar and unintended set of sources. The 255 octets of the wildcard mask signify that corresponding octets of an IP address may be arbitrary. Regarding the last octet of the wildcard mask, the situation in binary is as follows:
27 in binary is 00011011
224 in binary is 11100000
The matching is then as follows:
00011011
iiimmmmm
where i means ignore and m means match
Notice that in this octet, the wildcard mask requires that the IP address matches on the rightmost 5 bits carrying the total value of 27, and the leftmost 3 bits (carrying values of 32, 64 and 128) will not be matched, meaning they can be arbitrary. By enumerating all their combinations of set/not-set and evaluating the resulting octet value, you get 8 values:
27+0=27
27+32=59
27+64=91
27+96=123
27+128=155
27+160=187
27+192=219
27+224=251
So the set of sources this ACL would match has the following symbolic format:
Best regards,
Peter
09-25-2013 01:50 PM
Hi Peter,
Thanks for explaining it in so much detail.
It seems it was a little tricky to work out the allowed hosts in such a short time, as yesterday I needed to configure the ACL on the router quickly.
I
Only you can do this.
Best Regards
Mahesh