
ACL wildcard (inverse) mask question

Status
Not open for further replies.

steyler (Technical User)
Jul 6, 2003
Ok. Firstly let me say I know this is the most elementary of topics for those well versed in LAN/WAN networking. Up until today I had believed that an ACL configured as either a permit or deny statement with 10.10.15.128 0.0.0.127 would deny/permit everything from 129 up to 255. I've learned that it will also permit/deny a host that actually has the IP address 10.10.15.208. I've read several of my books, including Jeff Doyle's Routing TCP/IP vol 1 second edition that has appendix B which is a tutorial on ACLs. Everything I've read states that anything on the 10.10.15.128 subnet would be allowed/denied. Can anyone explain this to me? Thanks.
 
10.10.15.128 0.0.0.127 = 10.10.15.128 255.255.255.128, which means wire = 10.10.15.128, usable IP addresses are 10.10.15.129 through 10.10.15.254, broadcast is 10.10.15.255. Both of your assumptions are correct. To get the actual subnet mask from the wildcard (inverse) mask, simply take the wildcard and subtract it from 255.255.255.255.

So...

    255.255.255.255
  -   0.  0.  0.127
  -----------------
    255.255.255.128

Burt
 
Steyler, I'm confused by your confusion. You state that you thought that the ACL would affect the .127-.255 range, but then wonder why it affects .208, which is in that range. Did you make a typo or am I just misreading what you wrote? (That's entirely possible. I'm super tired and need massive amounts of coffee.)
 
My post should have read 10.10.15.128, not 10.10.15.208. So essentially the ACL reads deny 10.10.15.128 0.0.0.127 and it will deny a host that is assigned the address 10.10.15.128. The way I understood the inverse mask was that only 129-254 (255 being broadcast) would be denied.
 
That makes sense. The trick to remembering all this stuff is to think in binary. Forget decimal at first while you learn it.

The mask 0.0.0.127 converted to binary looks like this:

00000000.00000000.00000000.01111111

As you know, the 1s indicate the "don't care" bits when you're discussing wildcard masks in ACLs. The 0s are the bits that must match. Now, convert the other part of the ACL to binary. 10.10.15.128 in binary is:

00001010.00001010.00001111.10000000

If you apply the binary mask to that, you'll see that all matches must have 10.10.15 in the first three octets. You'll also notice that any value that has a one bit in that first position (or eighth, depending on your viewpoint) will match.

In other words, for the last octet, anything from 10000000 to 11111111 is a match. Convert that to decimal and you have 128 to 255.

HTH,
John
 
I see what he's saying---.128 can be a host address...

int fa0/0
ip add 10.10.15.128 255.255.255.0
no shut
access-list 101 deny ip 10.10.15.128 0.0.0.127 any
access-list 101 permit ip any any
int s0/0
ip access-group 101 out

This will deny packets from fa0/0 going out. In this case, the acl makes it look like .128 is the network address, but fa0/0 makes it a host address, and so it is blocked.

Burt
 
Burt,

I think you meant:

int fa0/0
ip access-group 101 out

to deny packets out of fa0/0.

However, I can't think of a scenario where you would deny traffic to half of your subnet. Sounds like a good CCNA troubleshooting question though. You could build an inverse ACL mask like this for policy routing though.


The easiest way I think of it is that an ACL wildcard mask is not classful but is a binary mask match, as John has said, and the easiest way to figure out which HOSTS it starts at is by subtracting from 255 like Burt had mentioned.
 
Thanks for the input everyone. It'll take a while for me to wrap my brain around but I'll get it. I am really surprised that not a single book I read covered this with an example. In every publication I read the example was always on a classful boundary and thus easy to understand. Thanks.
 
Well, there's your problem. Completely forget the concept of classes. It's 100% irrelevant to the discussion at hand. If you think of this in binary, it will all make sense. If you ignore the concept of class, which is an outdated concept that is no longer useful anyway, you have masks that look like this (in binary):

/24 = 11111111111111111111111100000000
/25 = 11111111111111111111111110000000

Invert them to make wildcard masks:

/24 = 00000000000000000000000011111111
/25 = 00000000000000000000000001111111

See? No need for any arbitrary boundaries. The math--and the process--is the same no matter what.

Here's a good website that discusses this sort of thing:


What exactly about this particular example is causing confusion for you? Perhaps we can phrase the answer in a different way. I remember being pretty confused about this stuff when I was starting out. I also remember that classful thinking made it FAR more difficult than it needed to be.
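The binary "must match / don't care" rule from John's post, Burt's subtract-from-255 conversion, and the /24 and /25 inversion above, worked through in Python as an added example (not code from any poster). It uses only the standard library; the function names are my own.

```python
import ipaddress

def to_int(addr: str) -> int:
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))

def to_dotted(value: int) -> str:
    """32-bit integer back to dotted-quad text."""
    return str(ipaddress.IPv4Address(value))

def wildcard_from_prefix(prefix_len: int) -> str:
    """Invert a /N subnet mask into a wildcard: /25 -> 0.0.0.127."""
    subnet_mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return to_dotted(subnet_mask ^ 0xFFFFFFFF)

def subnet_mask_from_wildcard(wildcard: str) -> str:
    """Burt's rule: subtract each octet from 255 (a bitwise NOT per octet)."""
    return ".".join(str(255 - int(octet)) for octet in wildcard.split("."))

def acl_matches(entry_addr: str, wildcard: str, host: str) -> bool:
    """A host matches the entry when every 0 ('must match') bit of the
    wildcard agrees between entry address and host; 1 bits are ignored.
    Works for non-contiguous wildcards too, since it is a pure bit test."""
    care_bits = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(entry_addr) & care_bits) == (to_int(host) & care_bits)

def matched_range(entry_addr: str, wildcard: str) -> tuple:
    """Lowest and highest address the entry matches.
    Assumes a contiguous wildcard (all 1 bits at the low end)."""
    wc = to_int(wildcard)
    base = to_int(entry_addr) & ~wc & 0xFFFFFFFF
    return to_dotted(base), to_dotted(base | wc)

if __name__ == "__main__":
    entry, wc = "10.10.15.128", "0.0.0.127"   # the thread's ACL entry
    print("range:", matched_range(entry, wc))
    # .128 (the 'wire') and .255 (the 'broadcast') both match, because the
    # wildcard only fixes the top bit of the last octet; .127 does not.
    for host in ("10.10.15.128", "10.10.15.208", "10.10.15.255", "10.10.15.127"):
        print(host, acl_matches(entry, wc, host))
```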
 
My poor example was with s0/0 as the outgoing interface, as in packets from that 1/2 of the subnet can't go out of the router. fa0/0 would be the inside interface. It was simply to show that .128 could be a host address, but be meant as the wire in an acl.

Burt
 