why access-list does not use the netmask to specify the hosts?

in a netmask way, 10.10.0.0 255.255.0.0. While in access-list, it becomes 10.10.0.0/0.0.255.255. Why access-list not use the netmask way?

Find more posts tagged with

Comments

Roguetadhg

It's just the way it is.

Also, it's called a wild-card mask. Not a subnet mask. Big difference, as you can figure out

vishaw1986

Hey Jojn ,

Yes its is in program to use wild card mask with the access-list , as it has benefit of using the wildcard mask with the access-list , as subnet mask is contiguous and wild card mask is non-contiguous means suppose If we wanted to match on 2 IP addresses, based on the first 8 bits matching, as well as bits 17-24, a traditional mask can't pull that one off (because they have to be in order, from high to low), but the wild card mask could using 0.255.0.255

mapletune

Thanks vishaw,

that's a great answer

+rep!

johnifanx98

vishaw1986 wrote: »

Hey Jojn ,

Yes its is in program to use wild card mask with the access-list , as it has benefit of using the wildcard mask with the access-list , as subnet mask is contiguous and wild card mask is non-contiguous means suppose If we wanted to match on 2 IP addresses, based on the first 8 bits matching, as well as bits 17-24, a traditional mask can't pull that one off (because they have to be in order, from high to low), but the wild card mask could using 0.255.0.255

Very very great!

vishaw1986

Thanks to all .....

johnifanx98

vishaw1986 wrote: »

Hey John ,

Yes its is in program to use wild card mask with the access-list , as it has benefit of using the wildcard mask with the access-list , as subnet mask is contiguous and wild card mask is non-contiguous means suppose If we wanted to match on 2 IP addresses, based on the first 8 bits matching, as well as bits 17-24, a traditional mask can't pull that one off (because they have to be in order, from high to low), but the wild card mask could using 0.255.0.255

Still have a question. Even ACL algorithm allows matching of non-contiguous blocks, it makes more sense to use bit 1 to represent the bits matter. In your example, the mask can be 255.0.255.0.

james43026

The subnet mask was built for one reason, and one reason only. To tell you what bits in an IP address belong to the network portion of the address, and which bits belong to the host portion. A wildcard mask doesn't follow the same conventions, they don't need to be contiguous, and instead of representing what bits belong to a network, they represent what bits are available for inspection, and what bits aren't available for inspection. The reason you wouldn't use a subnet mask in an ACL, is that you would only be able to define very broad spectrums of addresses, and would have no granularity. With a wildcard mask you could do something like this.

Match all 192.168.x.1 addresses:

permit 192.168.0.1 0.0.255.0

This isn't something that you can do with a subnet mask. As the IETF designed and standarized the subnet mask/CIDR in 1993, and as such, no vendor can use a subnet mask in a way that is not specified in the IETF standards of CIDR.

Which is why the wildcard mask was created, although I believe the wildcard mask actually pre-dates the invention of CIDR.