Mar 7th, 2007

You want to deny access to all hosts that lie within the range 192.168.160.0/24-192.168.191.0/24.

Hosts in the 192.168.195.0/24 should be granted full access.

If I need to write this access-list, can you help me determine the inverse subnet mask for this? I am terrible at this type of exercise!

I would do

access-list 10 deny 192.168.?.? 0.0.?.255

But I can't figure out the rationale behind how to include .160.0 and 191.0 but exclude .195.0.

I wrote the following 3rd and 4th octet in binary:

.160.0 = 10100000.0000000

.191.0 = 10111111.0000000

Then the mask /24 at 3rd and 4th octet:

= 11111111.0000000

I know that "1" is don't care. "0" is match exactly.

How can I proceed from here?

Marlon,

You have done the hard part with this:

.160.0 = 10100000.0000000

.191.0 = 10111111.0000000

Note that both bit patterns match as far as the 160 (101), and if the rest of the bits in the 3rd octet are ones, you have 191, which is the top of your range. So if your mask is all 1s (don't care) from that point, you would match 192.168.160.0 through 192.168.191.255.

access-list 10 deny 192.168.160.0 0.0.31.255

192.168.160.000

000.000.031.255

---------------

192.168.191.255

Dave

Overall Rating: 5 (2 ratings)
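The bit reasoning in the answer above, generalized to any address range, as an added example that is not part of the original thread. The function names `wildcard_entry` and `acl_matches` are hypothetical; the code also flags ranges that a single base/wildcard pair cannot cover without matching extra addresses.

```python
import ipaddress

def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_entry(first, last):
    """Smallest single base/wildcard pair covering first..last.

    Returns (base, wildcard, exact); exact is False when the pair
    also matches addresses outside the requested range.
    """
    lo, hi = _to_int(first), _to_int(last)
    if lo > hi:
        raise ValueError("first address is above last address")
    # Every bit from the highest differing bit downward becomes 1 (don't care).
    wildcard = (1 << (lo ^ hi).bit_length()) - 1
    base = lo & ~wildcard & 0xFFFFFFFF
    exact = base == lo and (base | wildcard) == hi
    return (str(ipaddress.IPv4Address(base)),
            str(ipaddress.IPv4Address(wildcard)), exact)

def acl_matches(base, wildcard, host):
    """Wildcard semantics: 0 bits must match the base, 1 bits are ignored."""
    w = _to_int(wildcard)
    return (_to_int(host) | w) == (_to_int(base) | w)

if __name__ == "__main__":
    base, wc, exact = wildcard_entry("192.168.160.0", "192.168.191.255")
    print(f"access-list 10 deny {base} {wc}   (exact={exact})")
    # Constructed sample hosts: two inside the denied range, one in 192.168.195.0/24.
    for host in ("192.168.160.1", "192.168.191.254", "192.168.195.10"):
        print(host, "denied" if acl_matches(base, wc, host) else "not matched")
    # A range that does not sit on a power-of-two boundary over-matches.
    print(wildcard_entry("192.168.160.0", "192.168.195.255"))
```

When `exact` comes back False, the range has to be split into several entries before it is used in a deny statement, otherwise hosts outside the intended range are blocked as well.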

## Replies

dgahm Wed, 03/07/2007 - 22:02