ACL with wildcard mask

mahesh18, Level 6

Hi Everyone,

Router has the below ACL configured

access-list 106 permit 0.0.0.0.27 255.255.255.224 host 200.x.x.x.x

Need to know which IP address will this ACL allow?

Regards

Mahesh

Accepted Solution

Peter Paluch, Cisco Employee

Hi Mahesh,

It seems to me the wildcard mask in this ACL has not been converted from subnet notation to the wildcard notation, and as a result, the ACL matches a very peculiar and unintended set of sources. The 255 octets of the wildcard mask signify that corresponding octets of an IP address may be arbitrary. Regarding the last octet of the wildcard mask, the situation in binary is as follows:

27 in binary is 00011011

224 in binary is 11100000

The matching is then as follows:

00011011

iiimmmmm

where i means ignore and m means match

Notice that in this octet, the wildcard mask requires that the IP address matches on the rightmost 5 bits carrying the total value of 27, and the leftmost 3 bits (carrying values of 32, 64 and 128) will not be matched, meaning they can be arbitrary. By enumerating all their combinations of set/not-set and evaluating the resulting octet value, you get 8 values:

27+0=27

27+32=59

27+64=91

27+96=123

27+128=155

27+160=187

27+192=219

27+224=251

So the set of sources this ACL would match has the following symbolic format:

...

Best regards,

Peter

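The bit-level matching Peter walks through above can be checked mechanically. The following is an added example, not code from the thread: it applies Cisco's wildcard-mask rule (a 0 bit in the mask must match, a 1 bit is ignored), enumerates every last-octet value the posted entry accepts, counts how many source addresses the entry covers in total, and shows the wildcard a /27 subnet mask should have been converted to. It assumes the source field of the posted ACL was meant to be the four-octet address 0.0.0.27, which is how the answer reads it.

```python
"""Cisco IOS wildcard-mask matching, worked for the ACL in the thread (added example)."""
import ipaddress
from typing import List


def to_int(addr: str) -> int:
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def wildcard_matches(base: str, wildcard: str, candidate: str) -> bool:
    """Cisco semantics: every bit that is 0 in the wildcard must be equal in
    base and candidate; bits that are 1 in the wildcard are ignored."""
    care = 0xFFFFFFFF ^ to_int(wildcard)       # 1 = must match, 0 = ignore
    return (to_int(candidate) & care) == (to_int(base) & care)


def subnet_mask_to_wildcard(mask: str) -> str:
    """The conversion the posted ACL skipped: wildcard = bitwise NOT of the subnet mask."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ to_int(mask)))


def matching_last_octets(base: str, wildcard: str) -> List[int]:
    """Enumerate every last-octet value the entry accepts, i.e. the fixed
    (must-match) bits of the base OR'd with every combination of ignored bits."""
    care = 0xFF ^ (to_int(wildcard) & 0xFF)    # bits that must match in octet 4
    fixed = to_int(base) & care
    return sorted({fixed | v for v in range(256) if (v & care) == 0})


def matching_address_count(wildcard: str) -> int:
    """Each ignored (1) bit doubles the number of matching addresses."""
    return 2 ** bin(to_int(wildcard)).count("1")


if __name__ == "__main__":
    # Values taken from the posted entry: source 0.0.0.27 (assumed four-octet form),
    # wildcard 255.255.255.224.
    base, wild = "0.0.0.27", "255.255.255.224"
    print("last-octet values matched:", matching_last_octets(base, wild))
    print("total sources matched:", matching_address_count(wild))
    # Constructed candidates: one that should match and one that should not.
    for cand in ("10.1.2.155", "10.1.2.28"):
        print(cand, "matches" if wildcard_matches(base, wild, cand) else "does not match")
    # What a /27 subnet mask should have become in wildcard notation.
    print("wildcard for /27:", subnet_mask_to_wildcard("255.255.255.224"))
```

Running it reproduces the eight values in the answer (27, 59, 91, 123, 155, 187, 219, 251) and shows the entry matching 2^27 sources, since the first three octets plus three bits of the fourth are all ignored; a /27 network would instead use the wildcard 0.0.0.31.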

2 Replies


Hi Peter,

Thanks for explaining it in so much detail.

It seems it was a little tricky to work out the allowed hosts in a short time, as yesterday I needed to configure the ACL on the router quickly.

I

Only you can do this.

Best Regards

Mahesh
