Please help with this access-list / inverse mask exercise

Answered Question
Mar 7th, 2007

You want to deny access to all hosts that lie within the range 192.168.160.0/24-192.168.191.0/24.


Hosts in the 192.168.195.0/24 should be granted full access.



If I need to write this access-list, can you help me determine the inverse subnet mask for this? I am terrible at this type of exercise!


I would do


access-list 10 deny 192.168.?.? 0.0.?.255


But I can't figure out the rationale behind how to include .160.0 and 191.0 but exclude .195.0.


I wrote the following 3rd and 4th octet in binary:


.160.0 = 10100000.00000000

.191.0 = 10111111.00000000


Then the mask /24 at 3rd and 4th octet:

= 11111111.00000000


I know that "1" is don't care. "0" is match exactly.

How can I proceed from here?



Correct Answer by dgahm about 10 years 4 months ago

Marlon,

You have done the hard part with this:


.160.0 = 10100000.00000000

.191.0 = 10111111.00000000


Note that both bit patterns match as far as the 160 (101), and if the rest of the bits in the 3rd octet are ones you have 191 which is the top of your range. So if your mask is all 1s (don't care) from that point you would match 192.168.160.0 through 192.168.191.255.


access-list 10 deny 192.168.160.0 0.0.31.255


Note that adding the inverse mask to the address will show you the upper address in the range:


192.168.160.000

000.000.031.255

---------------

192.168.191.255


This is a quick double check on your mask.


Please rate helpful posts.


Dave




Overall Rating: 5 (2 ratings)
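
The reasoning in the answer above, as an added Python example that is not part of the original thread: it derives the base address and inverse mask for an address range, repeats the base-plus-mask double check, and tests sample hosts against the resulting entry. The function names are made up for this example, and the sample host addresses are constructed.

```python
import ipaddress

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def to_str(value):
    return str(ipaddress.IPv4Address(value))

def wildcard_for_range(first, last):
    """Return (base, inverse mask) matching exactly first..last.

    Raises ValueError when the range is not one aligned power-of-two block,
    i.e. when a single ACL entry would match too much or too little.
    """
    lo, hi = to_int(first), to_int(last)
    if lo > hi:
        raise ValueError("first address is above last address")
    wildcard = lo ^ hi  # bits that differ between the bottom and top of the range
    # The differing bits must be a solid run of low-order 1s (2**n - 1),
    # and the bottom address must have 0 in every one of those positions.
    if wildcard & (wildcard + 1) or lo & wildcard:
        raise ValueError("range cannot be expressed as one ACL entry")
    return to_str(lo), to_str(wildcard)

def acl_matches(addr, base, wildcard):
    """Inverse mask semantics: 0 bits must equal the base, 1 bits are ignored."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)

def top_of_range(base, wildcard):
    """Double check from the answer: base + inverse mask = highest matched address.

    Valid when the base has 0 in every don't-care bit position.
    """
    return to_str(to_int(base) + to_int(wildcard))

if __name__ == "__main__":
    base, wc = wildcard_for_range("192.168.160.0", "192.168.191.255")
    print(f"access-list 10 deny {base} {wc}")
    print("top of range:", top_of_range(base, wc))
    # Constructed sample hosts: two inside the denied range, one in 192.168.195.0/24.
    for host in ("192.168.160.1", "192.168.191.254", "192.168.195.10"):
        verdict = "matched by the deny" if acl_matches(host, base, wc) else "not matched"
        print(host, verdict)
```

An IOS access list ends with an implicit deny, so 192.168.195.0/24 still needs its own permit entry after this deny line.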