ACL Wildcard Bits

Does new IOS support random on/off bits in the wildcard mask?

I tried wild card mask of 0.0.10.255 and 0.0.5.255 and it worked.

Kindly help to enhance my understanding.

Thanks,

Comments

  • Hi,

    This has been supported since always (at least since I started networking 5 years ago :) ). This is the power of wildcard masks: you can match on any bit; a wildcard mask of 1.3.127.0 is correct :) A wildcard mask is not the reverse of a mask as most people think, and there are no rules in a wildcard mask as there are in the subnet mask.

    Good luck with your studies!

  • access-list CANNOT check the subnet mask of a network. It can only check bits to make sure they match, nothing more.

  • Hi,

    Correction, in BGP filtering, with extended ACL you can match on both the prefix and the prefix length; in IGP when filtering with ACL you cannot match on prefix-length; however this was not the question :)

    Good luck with your studies!

  • Thank you for correcting me. I would like to know if it is for the whole of BGP or for any specific scenario in BGP?

    Kindly elaborate.

  • would like to know if it is for whole BGP or for any specific scenario in BGP?

    Let's take an extended ACL on the distribute-list command.

    In an IGP distribute-list, the source field in the ACL matches the update source the route is coming from, and the destination field represents the network address. But in BGP the extended ACL is not the same as in IGP; it matches the address and netmask.

    I hope this helps you to understand

    HAPPY STUDY

    [:D]

  • Hi,

      If you use a standard ACL for filtering you can match only on the prefix (behavior is same for both IGP and BGP). For example with 10.10.10.0 0.0.0.255 you match on prefixes 10.10.10.x with any mask (however for such prefixes mask can be between 24 and 32).

      If you use extended ACL for filtering, in IGP you can match on the source of the update and the prefix, in BGP you can match on both the prefix and prefix length. For example with 10.10.10.1 0.0.0.0 11.11.11.0 0.0.0.255 in IGP you will match prefixes of 11.11.11.x with any mask (however for such prefixes mask can be between 24 and 32) received from ONLY 10.10.10.1 (your IGP neighbor). For example with 10.10.10.0 0.0.0.0 255.255.255.0 0.0.0.0 in BGP you will match exactly on 10.10.10.0/24.

    There is a reason why in BGP you cannot match on the source of the update: in BGP, filtering is done per neighbor, so the filtering is already applied for that source.

    Good luck with your studies!
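
The matching rules discussed in this thread, as an added Python example that is not part of any poster's reply: a wildcard bit of 0 means "must match" and 1 means "don't care", so non-contiguous masks such as 0.0.10.255 are valid, and a BGP extended ACL compares the prefix against the source pair and the netmask against the destination pair. The function names and the 10.1.0.0 base address are constructed for illustration.

```python
import ipaddress


def to_int(dotted):
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(value, base, wildcard):
    """True when value equals base in every bit where the wildcard bit is 0."""
    care = ~to_int(wildcard) & 0xFFFFFFFF  # 1 = bit must match
    return (to_int(value) & care) == (to_int(base) & care)


def matching_third_octets(base, wildcard):
    """Third-octet values the entry accepts when only that octet varies."""
    b = base.split(".")
    return [o for o in range(256)
            if wildcard_match(f"{b[0]}.{b[1]}.{o}.{b[3]}", base, wildcard)]


def standard_acl_route_match(prefix, base, wildcard):
    """Standard ACL used as a route filter: only the network address is checked."""
    net = ipaddress.IPv4Network(prefix)
    return wildcard_match(str(net.network_address), base, wildcard)


def bgp_extended_acl_route_match(prefix, src, src_wc, dst, dst_wc):
    """BGP route filter with an extended ACL: the source pair is compared with
    the network address and the destination pair with the netmask."""
    net = ipaddress.IPv4Network(prefix)
    return (wildcard_match(str(net.network_address), src, src_wc)
            and wildcard_match(str(net.netmask), dst, dst_wc))


if __name__ == "__main__":
    # Constructed base 10.1.0.0 with the masks from the question.
    print(matching_third_octets("10.1.0.0", "0.0.10.255"))  # bits 1 and 3 free
    print(matching_third_octets("10.1.0.0", "0.0.5.255"))   # bits 0 and 2 free
    # The standard ACL accepts both lengths; the BGP extended ACL only the /24.
    for p in ("10.10.10.0/24", "10.10.10.0/25"):
        print(p,
              standard_acl_route_match(p, "10.10.10.0", "0.0.0.255"),
              bgp_extended_acl_route_match(p, "10.10.10.0", "0.0.0.0",
                                           "255.255.255.0", "0.0.0.0"))
```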
