Access-list mask or wildcard

G’day all, today I was messing around with access-lists, after getting my head around the weird subnets of RFC 1918. Weird as in: an A-class (/8) is reserved in A-space, a B-class (/16) is reserved in C-space, and in B-space a /12 is reserved. Nothing is standard in the world of standards.

But that is a side-note. The whole RFC 1918 thing got me distracted, so when I started creating the access-list I mistakenly used the subnet mask instead of the wildcard.

First I made the access-list using subnet masks.

ISP1-R1(config)#ip access-list extended rfc1918-wrong
ISP1-R1(config-ext-nacl)#permit ip 10.0.0.0 255.0.0.0 any
ISP1-R1(config-ext-nacl)#permit ip 172.16.0.0 255.240.0.0 any
ISP1-R1(config-ext-nacl)#permit ip 192.168.0.0 255.255.255.0 any
ISP1-R1(config-ext-nacl)#deny ip any any
ISP1-R1(config-ext-nacl)#exit

Next I made the access-list using wildcards.

ISP1-R1(config)#ip access-list ex rfc1918-right
ISP1-R1(config-ext-nacl)#permit ip 10.0.0.0 0.255.255.255 any
ISP1-R1(config-ext-nacl)#permit ip 172.16.0.0 0.15.255.255 any
ISP1-R1(config-ext-nacl)#permit ip 192.168.0.0 0.0.255.255 any
ISP1-R1(config-ext-nacl)#deny ip any any

I check the things that I do in a network. I think it's a good habit and somebody's health might depend on it.

ISP1-R1#sh access-lists
Extended IP access list rfc1918-wrong
10 permit ip 0.0.0.0 255.0.0.0 any
20 permit ip 0.0.0.0 255.240.0.0 any
30 permit ip 0.0.0.0 255.255.255.0 any
40 deny ip any any
Extended IP access list rfc1918-right
10 permit ip 10.0.0.0 0.255.255.255 any
20 permit ip 172.16.0.0 0.15.255.255 any
30 permit ip 192.168.0.0 0.0.255.255 any
40 deny ip any any

You can see that the access-list made using subnet masks is completely borked.
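Why the subnet-mask entries show up as 0.0.0.0, and what they actually match, becomes obvious once you do the bit arithmetic IOS does. The following is an added example, not part of the original post: it models the ACL source match (a wildcard bit of 1 means "don't care", a 0 means "must match"), reproduces the normalized entries from the show output above, and runs a few constructed source addresses through both lists.

```python
# Added example (not from the original post): Cisco-style wildcard matching
# and entry normalization, to show why the rfc1918-wrong entries print as
# 0.0.0.0 and why they permit/deny the wrong sources.
import ipaddress

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def to_str(n):
    return str(ipaddress.IPv4Address(n))

def mask_to_wildcard(mask):
    """Subnet mask -> wildcard mask is a bitwise inverse (255.240.0.0 -> 0.15.255.255)."""
    return to_str(~to_int(mask) & 0xFFFFFFFF)

def normalize_entry(address, wildcard):
    """IOS keeps only the bits under a 0 in the wildcard ('must match') and
    zeroes the rest; this is what 'show access-lists' prints for the entry."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return to_str(to_int(address) & care)

def matches(address, wildcard, packet_src):
    """An entry matches when every 'must match' bit of the source agrees."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(address) & care) == (to_int(packet_src) & care)

def acl_verdict(entries, packet_src):
    """entries: list of (action, address, wildcard); first match wins,
    with the implicit deny at the end of every IOS access-list."""
    for action, addr, wildcard in entries:
        if matches(addr, wildcard, packet_src):
            return action
    return "deny"

# Source entries as typed in the post (subnet masks vs. wildcards).
RFC1918_WRONG = [("permit", "10.0.0.0", "255.0.0.0"),
                 ("permit", "172.16.0.0", "255.240.0.0"),
                 ("permit", "192.168.0.0", "255.255.255.0")]
RFC1918_RIGHT = [("permit", "10.0.0.0", "0.255.255.255"),
                 ("permit", "172.16.0.0", "0.15.255.255"),
                 ("permit", "192.168.0.0", "0.0.255.255")]

if __name__ == "__main__":
    for action, addr, wildcard in RFC1918_WRONG:
        print(action, "ip", normalize_entry(addr, wildcard), wildcard, "any")
    # Constructed sample sources: two private, two public.
    for src in ("10.1.2.3", "172.20.0.1", "8.0.0.0", "203.0.113.7"):
        print(src, "wrong:", acl_verdict(RFC1918_WRONG, src),
              "right:", acl_verdict(RFC1918_RIGHT, src))
```

With the subnet mask in the wildcard field, the "wrong" list denies 10.1.2.3 but permits a public address like 8.0.0.0, because the only bits it insists on are the zeroed host bits; the wildcard list gives the intended result.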

The moral of the story is as follows:

  • Always check what you have configured.
  • Use subnet masks to assign IP addresses to interfaces and wildcards for access-lists.
