BGP Extended Access-List Filtering

Hello Kenneth

In this example, the access list is being used in conjunction with a distribute-list. The distribute-list is referencing the access list in the distribute-list 100 in command. In particular, when an extended access list is called by a distribute-list, the actual IP addresses and subnet masks have a different meaning.

In such a scenario, the ACL is not matching source and destination pairs, but addresses and subnet masks. So the following ACL command:

R1(config)#access-list 100 permit ip 20.0.0.0 0.0.0.0 255.0.0.0 0.0.0.0

when referenced by a distribute list is saying:

  • I want to match 20.0.0.0 exactly as the IP address
  • I want to match 255.0.0.0 exactly as the subnet mask

The “exactly” comes from the 0.0.0.0. If the command was:

R1(config)#access-list 100 permit ip 20.0.0.0 255.255.255.0 255.0.0.0 0.0.0.0

then what it’s saying is:

  • I want to match any IP address between 20.0.0.0 to 20.0.0.255
  • that has a subnet mask that matches 255.0.0.0 exactly

When you see the output of the show access-lists 100 command, it uses the ACL syntax of “host” wherever it sees the 0.0.0.0, and that’s why it can be confusing in the context of a distribute-list.

What that output is actually saying is that it will match 20.0.0.0 exactly as the IP address, and 255.0.0.0 exactly as the subnet mask.

For more info on how extended ACLs and distribute-lists interact, take a look at this link:

I hope this has been helpful!

Laz

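To make the address-plus-mask interpretation concrete, here is an added Python example (not code from Laz's post or from Cisco IOS) that applies an extended ACL the way a distribute-list does: the first field pair is matched against the route's network address, the second pair against its subnet mask, using standard wildcard semantics and the implicit deny at the end. The ACL lines and candidate prefixes are constructed sample data.

```python
import ipaddress

WORD = 0xFFFFFFFF

def _ip(text):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(text))

def _expand(fields):
    """Rewrite IOS shorthand: 'host A' -> 'A 0.0.0.0', 'any' -> '0.0.0.0 255.255.255.255'."""
    out, i = [], 0
    while i < len(fields):
        if fields[i] == "host":
            out += [fields[i + 1], "0.0.0.0"]
            i += 2
        elif fields[i] == "any":
            out += ["0.0.0.0", "255.255.255.255"]
            i += 1
        else:
            out.append(fields[i])
            i += 1
    return out

def parse_ace(line):
    """'access-list N permit ip A A-wc M M-wc' -> (action, A, A-wc, M, M-wc) as ints."""
    parts = line.split()
    action = parts[2]
    addr, addr_wc, mask, mask_wc = (_ip(f) for f in _expand(parts[4:]))
    return action, addr, addr_wc, mask, mask_wc

def _wc_match(value, pattern, wildcard):
    """Wildcard semantics: bits that are 0 in the wildcard must match exactly."""
    care = ~wildcard & WORD
    return (value & care) == (pattern & care)

def route_permitted(acl_lines, prefix):
    """First matching entry decides; a prefix matching nothing hits the implicit deny."""
    net = ipaddress.IPv4Network(prefix)
    addr, mask = int(net.network_address), int(net.netmask)
    for line in acl_lines:
        action, a, a_wc, m, m_wc = parse_ace(line)
        if _wc_match(addr, a, a_wc) and _wc_match(mask, m, m_wc):
            return action == "permit"
    return False

def filter_routes(acl_lines, prefixes):
    """Return the prefixes the distribute-list would let through."""
    return [p for p in prefixes if route_permitted(acl_lines, p)]

# Constructed sample data (not from the post):
ACL_EXACT = ["access-list 100 permit ip 20.0.0.0 0.0.0.0 255.0.0.0 0.0.0.0"]
ACL_SHOW_FORM = ["access-list 100 permit ip host 20.0.0.0 host 255.0.0.0"]  # as show access-lists prints it
ACL_ANY_MASK_IN_20 = ["access-list 101 permit ip 20.0.0.0 0.255.255.255 any"]
CANDIDATES = ["20.0.0.0/8", "20.0.0.0/16", "20.5.0.0/16", "21.0.0.0/8"]
```

The "host" form and the 0.0.0.0 wildcard form evaluate identically, which is the point of the show access-lists confusion described above.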