[c-nsp] non-CIDR netmasks in ACLs

Robert E.Seastrom rs at seastrom.com
Tue May 17 23:02:53 EDT 2005


"David J. Hughes" <bambi at hughes.com.au> writes:

>>> IOS allows me to add an ACL like:
>>>   access-list 100 permit ip 1.2.96.4 0.0.15.0
>>>
>>> However.... "What will it break"?  From the viewpoint of simply
>>> tweaking the bits, it looks valid, but...  At the same time, I'd
>>> rather have a single ACL statement for 16 hosts, not 16 lines.
>>
>> It'll work just fine.
>
> I broke a PIX a couple of years ago using a discontiguous netmask but 
> that was fixed in a later release.  Never tried it on anything else.

it is worth noting that ACLs do not have netmasks.  they have wildcard
bits, where 0 means "must match" and 1 means "don't care" (the
opposite of how a netmask is traditionally notated).

while i wouldn't be surprised if there were code in tcp stacks that
didn't deal well with discontiguous netmasks (the stack itself should
be ok, but "longest match" in the routing code could take on a whole
new meaning with discontiguous netmasks), i would be equally surprised
if ACLs with any setting of the wildcard bits your heart desires
didn't work.

                                        --rob
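
The wildcard-bit rule in the reply above, worked through in code as an added illustration (this is not part of the original thread or of any Cisco software). It evaluates the exact entry quoted in the thread, `access-list 100 permit ip 1.2.96.4 0.0.15.0`, enumerates the 16 hosts it covers, and shows why a wildcard of 0.0.15.0 cannot be written as a netmask. The function names and the sample addresses are the example's own choices; the matching rule (0 = must match, 1 = don't care, i.e. the inverse of netmask notation) is the one described in the reply.

```python
"""IOS-style ACL wildcard matching, including discontiguous wildcards.

Added illustration for the cisco-nsp thread above; not Cisco code.
Function names and the sample addresses below are this example's own.
"""
import ipaddress

MASK32 = 0xFFFFFFFF


def _to_int(dotted: str) -> int:
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(addr: str, pattern: str, wildcard: str) -> bool:
    """True if addr matches pattern under an IOS-style wildcard.

    Wildcard bit 0 = "must match", 1 = "don't care": every bit where
    addr and pattern differ has to sit under a 1-bit of the wildcard.
    """
    a, p, w = _to_int(addr), _to_int(pattern), _to_int(wildcard)
    return (a ^ p) & ~w & MASK32 == 0


def netmask_to_wildcard(netmask: str) -> str:
    """Classic conversion: a wildcard is the bitwise inverse of a netmask."""
    return str(ipaddress.IPv4Address(~_to_int(netmask) & MASK32))


def is_contiguous_wildcard(wildcard: str) -> bool:
    """True when the wildcard is a trailing run of 1-bits, i.e. when
    inverting it yields a valid prefix-style netmask. 0.0.15.0 is not."""
    w = _to_int(wildcard)
    return w & (w + 1) == 0


def matching_hosts(pattern: str, wildcard: str) -> list[str]:
    """Enumerate every address the entry matches: 2**popcount(wildcard)
    of them. Don't-care bits in the pattern are cleared first, so the
    pattern and wildcard alone define the set."""
    p, w = _to_int(pattern), _to_int(wildcard)
    free_bits = [i for i in range(32) if (w >> i) & 1]
    base = p & ~w & MASK32
    hosts = []
    for n in range(1 << len(free_bits)):
        v = base
        for k, bit in enumerate(free_bits):
            if (n >> k) & 1:
                v |= 1 << bit
        hosts.append(str(ipaddress.IPv4Address(v)))
    return hosts


if __name__ == "__main__":
    # The entry from the thread: third octet may vary in its low 4 bits,
    # everything else must match exactly.
    entry = ("1.2.96.4", "0.0.15.0")
    for host in matching_hosts(*entry):
        print("permit", host)
    print("1.2.100.4 ->", wildcard_match("1.2.100.4", *entry))   # True
    print("1.2.96.5  ->", wildcard_match("1.2.96.5", *entry))    # False
    print("contiguous?", is_contiguous_wildcard(entry[1]))       # False
    print("255.255.255.0 as wildcard:", netmask_to_wildcard("255.255.255.0"))
```

`matching_hosts` returns 1.2.96.4 through 1.2.111.4, the 16 hosts the original poster wanted in one line, while 1.2.96.5 and 1.2.112.4 fall outside the entry because the differing bit sits under a 0 in the wildcard. `is_contiguous_wildcard` is the check to run before feeding such an entry to anything that expects a real netmask.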
