Standard ACLs

This seems trivial, but to match a default route using a standard ACL, what would you use?

access-list 1 permit 0.0.0.0

or

access-list 2 permit 0.0.0.0 0.0.0.0


When using ACL #1, what is the assumed wildcard mask whenever you do not include one on a standard ACL?


I know that for "access-list 3 permit 192.168.1.0" it will match exactly 192.168.1.0, so this leads me to believe that the assumed wildcard mask is "0.0.0.0". So should this same principle apply to ACL #1? If so, then what is the difference between ACL #1 and #2?

Comments

  • Hi,

    All three of the following access-lists achieve the same result, which is a match on host 0.0.0.0:

    access-list 1 permit host 0.0.0.0
    access-list 2 permit 0.0.0.0 0.0.0.0
    access-list 3 permit 0.0.0.0

    All result in "access-list 1 permit 0.0.0.0". Now, with a standard ACL you can match only on the prefix, not on the prefix length. In the case of the default route, the prefix is 0.0.0.0, so all of the above ACLs match the default route.

    Good luck with your studies!

  • Hi PinGorilla,

    Both ACLs are the same; you can use either. When you type 0.0.0.0 0.0.0.0, IOS automatically converts it into 0.0.0.0. See my example:


    R1(config)#access-list 2 permit 0.0.0.0

    R1(config)#do show access-list

    Standard IP access list 1

        10 deny   0.0.0.0 (3 matches)

        20 permit any (3 matches)

    Standard IP access list 2

        10 permit 0.0.0.0

    R1(config)#access-list 3 deny 0.0.0.0 0.0.0.0

    R1(config)#do show access-list

    Standard IP access list 1

        10 deny   0.0.0.0 (3 matches)

        20 permit any (3 matches)

    Standard IP access list 2

        10 permit 0.0.0.0

    Standard IP access list 3

        10 deny   0.0.0.0

    HAPPY STUDY

    [:D]


  • How about if you do:

    access-list 1 permit 192.168.1.0 vs

    access-list 1 permit 192.168.1.0 0.0.0.255

    What would be the difference here? Is a classful mask assumed if we don't type any wildcard?

  • Hi,

    If you do not specify a wildcard, the default is 0.0.0.0 (the host keyword), so the first will match host 192.168.1.0, while the second will match 192.168.1.x.

    Good luck with your studies!

  • How about if you do:

    access-list 1 permit 192.168.1.0 vs

    access-list 1 permit 192.168.1.0 0.0.0.255

    What would be the difference here? Is a classful mask assumed if we don't type any wildcard?

    Cristian explained it exactly; see the example here:


    R1-R2 running RIP; R1 has 192.168.1.1/32 and 192.168.1.10/32

    R2(config-router)#do show access-list

    Standard IP access list 1

        10 permit 192.168.1.0

        20 permit any (12 matches)

    Standard IP access list 2

        10 deny   192.168.1.0, wildcard bits 0.0.0.255 (14 matches)

        20 permit any (7 matches)

    R2(config-router)#do show ip route rip

    <removed>

    Gateway of last resort is not set

          1.0.0.0/32 is subnetted, 1 subnets

    R        1.1.1.1 [120/1] via 12.12.12.1, 00:00:01, FastEthernet1/0

          192.168.1.0/32 is subnetted, 2 subnets

    R        192.168.1.1 [120/1] via 12.12.12.1, 00:00:01, FastEthernet1/0

    R        192.168.1.10 [120/1] via 12.12.12.1, 00:00:01, FastEthernet1/0

    R2(config-router)#distribute-list 1 in

    R2(config-router)#do clear ip route *

    R2(config-router)#do show ip route rip

    <removed>

    Gateway of last resort is not set

          1.0.0.0/32 is subnetted, 1 subnets

    R        1.1.1.1 [120/1] via 12.12.12.1, 00:00:02, FastEthernet1/0

          192.168.1.0/32 is subnetted, 2 subnets

    R        192.168.1.1 [120/1] via 12.12.12.1, 00:00:02, FastEthernet1/0

    R        192.168.1.10 [120/1] via 12.12.12.1, 00:00:02, FastEthernet1/0

    R2(config-router)#no distribute-list 1 in

    R2(config-router)#distribute-list 2 in

    R2(config-router)#do clear ip route *

    R2(config-router)#do show ip route rip

    <removed>

    Gateway of last resort is not set

          1.0.0.0/32 is subnetted, 1 subnets

    R        1.1.1.1 [120/1] via 12.12.12.1, 00:00:07, FastEthernet1/0

    access-list 1 permit 192.168.1.0 matches the host, and access-list 1 permit 192.168.1.0 0.0.0.255 matches all hosts on the 192.168.1.0/24 network.

    HAPPY STUDY

    [:D]


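As an added example (not from the thread or from IOS itself), here is a small Python model of how a standard ACL entry is stored and evaluated: an address plus a wildcard mask, where an omitted wildcard means 0.0.0.0 (host), and where matching compares only the prefix address, never the prefix length. It reproduces the three equivalent 0.0.0.0 entries from the first reply and the 192.168.1.0 vs 192.168.1.0 0.0.0.255 distribute-list results from the last one; it uses only the standard library, and the entry normalisation in parse_ace is my reading of how IOS displays entries.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF

def parse_ace(line):
    """Parse 'access-list N permit|deny A [W]', '... host A' or '... any'.

    Returns (number, action, address, wildcard) as ints; wildcard bit 1 means
    don't care. No wildcard is the same as 'host A' (0.0.0.0), and 'any'
    is 0.0.0.0 255.255.255.255.
    """
    tok = line.split()
    if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"not a standard ACE: {line!r}")
    number, action, rest = int(tok[1]), tok[2], tok[3:]
    if rest[0] == "any":
        addr, wild = 0, ALL_ONES
    elif rest[0] == "host":
        addr, wild = int(ipaddress.IPv4Address(rest[1])), 0
    else:
        addr = int(ipaddress.IPv4Address(rest[0]))
        wild = int(ipaddress.IPv4Address(rest[1])) if len(rest) > 1 else 0
    # Clear the don't-care bits so equivalent spellings compare equal
    # (10.1.1.5 0.0.0.255 becomes 10.1.1.0, wildcard bits 0.0.0.255).
    return number, action, addr & ~wild & ALL_ONES, wild

def render_ace(addr, wild):
    """Print an entry the way 'show access-list' does: a zero wildcard is
    omitted, which is why '0.0.0.0 0.0.0.0' is shown as just '0.0.0.0'."""
    if wild == ALL_ONES:
        return "any"
    text = str(ipaddress.IPv4Address(addr))
    if wild:
        text += f", wildcard bits {ipaddress.IPv4Address(wild)}"
    return text

def ace_matches(addr, wild, prefix):
    """A standard ACL compares only the prefix address; the length is ignored."""
    net = ipaddress.ip_network(prefix, strict=False)
    return (int(net.network_address) ^ addr) & ~wild & ALL_ONES == 0

def evaluate(acl, prefix):
    """First match wins; implicit deny at the end, as in a distribute-list."""
    for line in acl:
        _, action, addr, wild = parse_ace(line)
        if ace_matches(addr, wild, prefix):
            return action
    return "deny"
```

Note that `permit 0.0.0.0` matches only the default route's prefix, not every prefix; `permit any` is the all-ones wildcard.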