ACL Headache

I am running a Catalyst 6509. I have a class C address split into 2 subnets with gateways of let's say and

The upper range of addresses are to be exempt from the ACL so I need a permit statement at the top of my ACL that permits any address greater than 43.128 but forces the lower addresses down through the ACL.

I've tried something like this:

ip access-list extended testme
 permit ip any any
 --insert other ACL's here--
 permit ip any any

but it doesn't seem to be working. 43.220 is still logging a deny on tcp port 445, 135, 137, 111......

When I do a sho run | begin testme, I get this as the first line of the ACL:

permit ip any any

It changes 43.129 to 43.1

What am I missing? These wildcard bits are chewing my brain man! I gotta get this working like this because the upper addresses are part of a global network and need the ports I am blocking to be accessible for their address range.


On 16.05.2005 20:01 05hammer wrote


ip access-list extended testme permit ip any


Arnold Nipper

Your wildcard bits are wrong. One easy way to remember is to subtract the subnet masks from So, becomes



jeesh! I knew that too! I learned it like this - the numbers in the filter mask are a power of 2 minus 1. So, yeah .127 is the correct address. I'll go give it a go. Thanks again!

I h8 mondays sometimes!


The wildcards bits are also known as the "bizarro mask" :-)



The long term fix to this type of problem is to use the representation that best fits the problem. In this case binary representation is the most convenient.

128 = 1000 0000
127 = 0111 1111

It's hard for me to say how much effort is involved in learning from scratch since I have been using it regularly for so long now.

Luckily IPv6 is going to make it all much easier.


anybody43
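The wildcard arithmetic from Arnold Nipper's reply and the binary view from anybody43's, worked through as an added example that is not part of the thread. The thread's real addresses were lost in extraction, so 192.0.2.0/24 is a constructed stand-in for the class C, and the "wrong" wildcard 0.0.0.128 is an assumption inferred from IOS rewriting .129 to .1 (it clears every address bit the wildcard marks as don't-care).

```python
import ipaddress


def wildcard_from_mask(subnet_mask: str) -> str:
    """Wildcard ("bizarro") mask = 255.255.255.255 minus the subnet mask,
    i.e. every mask bit inverted. For a /25 (255.255.255.128) this is
    0.0.0.127, which is also 2**7 - 1 as the thread puts it."""
    mask = int(ipaddress.IPv4Address(subnet_mask))
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ mask))


def normalize_ace(address: str, wildcard: str) -> str:
    """What IOS stores for an ACE: address bits under a wildcard 1 bit are
    don't-care and get cleared. With a mistyped wildcard of 0.0.0.128,
    .129 (1000 0001) loses bit 7 and shows up in 'show run' as .1."""
    addr = int(ipaddress.IPv4Address(address))
    wc = int(ipaddress.IPv4Address(wildcard))
    return str(ipaddress.IPv4Address(addr & ~wc & 0xFFFFFFFF))


def ace_matches(address: str, wildcard: str, host: str) -> bool:
    """An ACE matches when host and ACE address agree on every care bit
    (wildcard bit 0)."""
    addr = int(ipaddress.IPv4Address(address))
    wc = int(ipaddress.IPv4Address(wildcard))
    h = int(ipaddress.IPv4Address(host))
    return (h & ~wc) == (addr & ~wc)


def exempt_hosts(ace_address: str, wildcard: str, hosts):
    """Hosts that hit a top-of-ACL 'permit ip <ace_address> <wildcard> any'
    and therefore never reach the deny lines below it."""
    return [h for h in hosts if ace_matches(ace_address, wildcard, h)]


if __name__ == "__main__":
    # Constructed hosts: one in the lower /25, two in the upper /25.
    hosts = ["192.0.2.20", "192.0.2.129", "192.0.2.220"]
    # Wrong wildcard (a single set bit): only .1 and .129 are exempt, so
    # .220 still falls through to the port 445/135/137/111 denies.
    print(normalize_ace("192.0.2.129", "0.0.0.128"))
    print(exempt_hosts("192.0.2.129", "0.0.0.128", hosts))
    # Correct wildcard for a /25: the whole upper half is exempt.
    wc = wildcard_from_mask("255.255.255.128")
    print(wc, normalize_ace("192.0.2.129", wc))
    print(exempt_hosts("192.0.2.129", wc, hosts))
```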