RE: Access List help!! [7:63644] posted 02/25/2003

Jason Steig wrote:
> so you're saying that my statement
> ip access-list 1 permit ip will permit
> all hosts from network and
> 17 is  00010001
> 81 is  01010001

You corrected my typo on 81. That's good. :-)

> so the bit it doesn't match on is the 64 bit.  so i just have
> to switch it around if your saying the ones don't count

No, see my second message. You don't have to switch it around.

A zero in the access-list mask means a bit in the same position in an
address in an incoming (or outgoing) packet must match the bit in the
address you specify in the access list.

(That's a complicated sentence, but read it again if you don't get it. You
must understand it to grapple with Cisco access-list masks that show up
everywhere in Cisco IOS.)

A one in the access-list mask means that a bit in the same position in an
address in a packet doesn't need to match the bit in the address you specify
in the access list.

A bit in the 2^6 position (64 in decimal) could be either one or zero in
your example if you want either decimal 17 or 81 to match. So we need to
make sure that in the access-list mask we say we don't care which it is, a
one or a zero, so we use one in the access-list mask. One means I don't
care; it can be either one or zero.

But the other bits must match to catch both decimal 17 and 81 and nothing
more. So the mask for that part is 01000000 or 64 in decimal.

> so it would be ??
> because if the zeros must match and ones don't count then that
> would be it then??
>  or is it because the last octet is 255 so it
> allows all hosts?

Yes if you want all hosts, then you don't care if the bits in that part of
the address in a packet are one or zero, so you better use all ones (255 in
decimal) in that part of the access-list mask.

So, the answer is 

Absolutely, do NOT use some stupid subnet calculator to do this. :-) You
have to work it out in binary and you have to understand access-list masks.

By the way, in real networks, we summarize addresses. If you really had to
set up an access list that would allow or deny those two disparate networks,
you should fire your network designer.

In the past we made a big deal out of the need to summarize in order to
enhance performance and reduce routing table sizes and update packets.

These days, the need to summarize is even more important for security
reasons. The last thing you want is to have to spend hours with confused
engineers (like me! ;-) trying to figure out access lists. You want the
access lists to be simple and easy to get working. If you don't summarize
addresses, your access lists can't be simple.
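The binary matching rule described in this reply, worked through in code. This is an added example, not code from the original post or from Cisco; it assumes the two values 17 and 81 under discussion are the first octets of two class-A-sized networks (the actual addresses in the thread are not on the page), and it also shows the point about disparate networks: once a third network is folded into the same mask, the "don't care" bits let through addresses nobody intended.

```python
"""Cisco wildcard (access-list) masks worked out in binary.

Rule from the post: a 0 bit in the mask means the packet's address bit
must equal the bit in the access-list address; a 1 bit means "don't care".
"""
import ipaddress


def _to_int(addr: str) -> int:
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def wildcard_matches(packet_addr: str, acl_addr: str, wildcard: str) -> bool:
    """Return True if the packet address is matched by acl_addr/wildcard."""
    p, a, w = _to_int(packet_addr), _to_int(acl_addr), _to_int(wildcard)
    # XOR marks the bits that differ; those bits are only allowed to differ
    # where the wildcard mask has a 1, so masking with ~w must leave nothing.
    return (p ^ a) & ~w & 0xFFFFFFFF == 0


def wildcard_for(addresses):
    """Smallest wildcard mask covering all given addresses.

    Every bit position where the addresses disagree becomes a 1 (don't care);
    the returned access-list address has zeros in those positions, which is
    how IOS normalises the entry.
    """
    ints = [_to_int(a) for a in addresses]
    base, wildcard = ints[0], 0
    for x in ints[1:]:
        wildcard |= base ^ x
    acl_addr = base & ~wildcard & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(acl_addr)), str(ipaddress.IPv4Address(wildcard))


def matching_octets(acl_octet: int, wc_octet: int):
    """All 0-255 values matched by a single octet of address/wildcard."""
    return [v for v in range(256) if (v ^ acl_octet) & ~wc_octet & 0xFF == 0]


def addresses_covered(wildcard: str) -> int:
    """How many addresses a wildcard mask lets through: 2 ** (number of 1 bits)."""
    return 2 ** bin(_to_int(wildcard)).count("1")


if __name__ == "__main__":
    # Constructed sample: 17.0.0.0 and 81.0.0.0 (assumed first-octet values).
    print(f"17 is {17:08b}, 81 is {81:08b}, XOR is {17 ^ 81:08b} = {17 ^ 81}")
    acl_addr, wc = wildcard_for(["17.0.0.0", "81.0.0.0"])
    print("access-list entry:", acl_addr, wc)          # 17.0.0.0 64.0.0.0
    # "All hosts" in the remaining octets -> 255 (all don't-care bits).
    full_wc = "64.255.255.255"
    for pkt in ("17.1.2.3", "81.200.0.9", "19.1.2.3"):
        print(pkt, "matches" if wildcard_matches(pkt, acl_addr, full_wc) else "does not match")
    # Adding a third disparate network (19.0.0.0) makes the mask overmatch:
    acl3, wc3 = wildcard_for(["17.0.0.0", "81.0.0.0", "19.0.0.0"])
    print("three networks ->", acl3, wc3, "first octets matched:",
          matching_octets(int(acl3.split(".")[0]), int(wc3.split(".")[0])))
```

Run it and the last line shows the cost of not summarising: covering 17, 19 and 81 with one entry also matches 83, which was never asked for. `addresses_covered` is the quick sanity check to run on any hand-built mask before it goes into a permit statement.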

