Access List Wildcard Error

So one of the issues coming up that was a minor but easily fixable was an ACL change that was widespread.  Throughout this change a host needed to be allowed to several hosts in multiple octets. An issue that they had was the ACL would change when they looked up the ACL list and didn't know why.


ACL Request Example:

Permit connection from My Personal PC to all Active Directory Servers.


MY PC :  10.10.10.11

Active Directory Servers:  192.168.X.9 - 12
       ****Each store is on the 192.168.X.9 through 12. The "X" represents the number relevant to the store location. 
The ACL that was placed:

 access-list 100 permit ip host 10.10.10.11 192.168.1.9 0.0.0.255.3
Show access-list results:

 20 permit ip host 10.10.10.11 192.168.0.8 0.0.255.3
So what happened? The ACL was put in place and they expected to see a "9" as the starting digit. Allowing an increment through 9, 10, 11, 12 for access. 
The output is the way it is because of what I like to say as the "multiple" factor. 
In IP world we always include "0" zero as a  number or in this case the first starting number of each range. Knowing we are covering a range from 0 - 3 or 9 - 12. That is a total of "4" four numbers. 

 So since it is a case of 4 numbers we must increment either our ACL Wildcard to include 4 which would be from 8 to 12.
New ACL
access-list 100 permit ip host 10.10.10.11 192.168.1.8 0.0.255.4

Show access-list results:

30 permit ip host 10.10.10.11 192.168.0.8 0.0.255.4


As we can see it remains 8 because we used the correct increment value for the wildcard mask. Just a reminder we can also create two separate ACL's that will allow seperately 9, 10, 11 and then one ACL for 12. 




Comments

Post a Comment

Popular posts from this blog

HULC LED PROCESS - 3750 High CPU

Image
If you're looking at a switch and you see the HULC LED Process running high. The HULC LED process does some of the following tasks: 1. Check link status on every port 2. If the switch supports POE, it checks to see if there is a power device 3. Transceiver checks 4. Fan status updates 5. Set LED ports 6. Check on temperature status Overall the HULC LED Process is a monitoring process running. During looking into this I turned off all non-used ports since it checks the link status. Then I made sure the environment was good. Two Cisco Bugs: http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsi78581 http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtn42790
Read more

%PLATFORM_UCAST-4-PREFIX: --------- TCAM 3750 Switch

Image
 %PLATFORM_UCAST-4-PREFIX:  One or more, more specific prefixes could not be programmed into TCAM and are being covered by a less specific prefix, and the packets may be software forwarded So what is TCAM ? Ternary Content Addressable Memory is used in multi-layer switching also know as Layer 3 switching. The switches forward the packets and frames at the speed of the line by using ASIC hardware. Normally switches make there forwarding decisions based on Layer 2. TCAM is used for Layer 3 components and other features such as QOS and ACES ( Access List ).  Check TCAM and usage of templates being used in the device.  show sdm prefer ? ! This will show us the templates that can be used in the device to give more resources to one feature or the other. For example the default is the equal resource distribution while the routing gives more resources to Layer 3 routing. show sdm prefer ! The command without the "?" will show us what we are currently r
Read more