  • Content created by Rene Molenaar (CCIE #41726)


Forum Replies

  1. Hi Bruce,

    I used the .10 in the third octet since that’s the first network we try to match. With the wildcard bits we only match on those 4 networks. Let’s zoom in on those 4 networks and the wildcard:

    10 = 0000 1010
    26 = 0001 1010
    42 = 0010 1010
    56 = 0011 1010

    wc = 0011 0000

    By setting all bits to “0” we lock them; only the 3rd and 4th bits are allowed to change:


    Those are the only 4 combinations you can make, resulting in network,, and…nothing else is matched.

    Now look at your wildcard (

    ... Continue reading in our forum

  2. Hey Rene,
    I wanted to ask about using access-lists to solve that classic problem of filtering odd or even routes. Suppose you were asked to create a filter that would allow a route if it were odd in the 2nd octet, and even in the 3rd octet. Obviously, you can accomplish it with this:

    ip access-list standard ACL_ALLOWODDEVEN
    permit any

    But what isn’t obvious to me, is why the following does NOT work:

    ip access-list standard ACL_COMBO
    permit any

    I thought they accomplis

    ... Continue reading in our forum

  3. Hi Andrew,

    These questions can be tricky…we’ll have to look at some binary numbers, especially the 2nd and 3rd octet:

    2nd + 3rd = 00000000 00000001
    wildcard = 11111110 11111110

    So the only bits we care about are the 8th bit (has to be 0) and the 16th bit (has to be a 1).
    Once I apply your access-list on these addresses:

    Then here’s all that is left afterwards:

    Let’s look at all addresses’ 2nd and 3rd octet in binary: = 00000000 00000000 = 00000000 0000

    ... Continue reading in our forum

  4. I must be slow today. I have read over your analysis many times, but I am still not understanding this. Let’s continue to use your range of 10 addresses for the example.

    If I take the entire set of 10. addresses, and run them through the ACL_ODDEVEN filter, just one is left:

    If I take the entire set of 10. addresses, and run them through the ACL_COMBO filter, a total of four is left (which is what you found above): <------ Also the result of ACL_ODDEVEN

    If we look at the results of the ACL_COMBO in binary (just th

    ... Continue reading in our forum

  5. Ok, I feel like a dope. I finally broke down and charted out what was happening in a spreadsheet. After doing this it became clear.

    Basically, it comes down to this–the ACL_COMBO is doing an “AND” while the ACL_ALLOWEVENODD is doing an “OR”.

    Part of the confusion here is that we are using the ACLs to deny, or filter out, routes (so the logic is flipped). The ACL_COMBO is written too restrictively (hence the resulting filtered set is too large).

    ACL_COMBO is saying “You are denied only if the last bit of the second octet is a zero AND the last bit of the 3rd

    ... Continue reading in our forum
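
The wildcard logic discussed in replies 1, 3 and 5, as an added example that is not part of the thread or the lesson: it enumerates the third-octet values accepted by base 10 with wildcard 0011 0000, and shows that constraining two octets in one entry requires both conditions (AND) while two separate permit entries accept either (OR). The 10.x.y.0 candidate routes and the two-entry ACL are constructed for illustration; the thread's own addresses and ACL lines are not reproduced here.

```python
import ipaddress

def _u32(dotted: str) -> int:
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))

def entry_matches(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 0 = bit must equal base ("locked"), 1 = don't care."""
    care = ~_u32(wildcard) & 0xFFFFFFFF
    return (_u32(addr) ^ _u32(base)) & care == 0

def acl_permits(addr: str, entries: list[tuple[str, str]]) -> bool:
    """Permit-only ACL: any matching entry permits, otherwise implicit deny."""
    return any(entry_matches(addr, b, w) for b, w in entries)

def octet_values(base: int, wildcard: int) -> list[int]:
    """Every value of a single octet accepted by a base/wildcard octet pair."""
    return [v for v in range(256) if (v ^ base) & ~wildcard & 0xFF == 0]

# Constructed candidate routes 10.x.y.0 for x, y in 0..3 (not from the thread).
ROUTES = [f"10.{x}.{y}.0" for x in range(4) for y in range(4)]

# One entry, both octets constrained at once, using the bits from reply 3:
# 2nd + 3rd octet base 00000000 00000001, wildcard 11111110 11111110.
ONE_ENTRY = [("0.0.1.0", "255.254.254.255")]

# Two entries, one constraint each (assumed for illustration):
# 2nd octet even OR 3rd octet odd.
TWO_ENTRIES = [("0.0.0.0", "255.254.255.255"),
               ("0.0.1.0", "255.255.254.255")]

def permitted(entries: list[tuple[str, str]]) -> list[str]:
    """Constructed routes that the given permit-only ACL lets through."""
    return [r for r in ROUTES if acl_permits(r, entries)]

if __name__ == "__main__":
    # Third octet, base 10 (0000 1010), wildcard 0011 0000: two free bits.
    print("third octet values:", octet_values(10, 0b00110000))
    print("one entry (AND):  ", permitted(ONE_ENTRY))
    print("two entries (OR): ", len(permitted(TWO_ENTRIES)), "routes")
```

Each wildcard bit set to 1 doubles the number of values an entry accepts, so checking the enumerated set before applying a filter shows exactly which networks it will match.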
