cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
700
Views
15
Helpful
9
Replies

Acess-list

akachroo123
Level 1
Level 1

I have to block 10.8.19.150 to 10.8.19.250 for internet, what mask should i use.

9 Replies 9

Richard Burts
Hall of Fame
Hall of Fame

Arun

trying to block the range of hosts from 150 to 250 is not a simple task and requires a combination of statements with different masks to include that specific range. It works out like this:

deny 10.8.19.150 0.0.0.1

deny 10.8.19.152 0.0.0.7

deny 10.8.19.160 0.0.0.31

deny 10.8.19.192 0.0.0.31

deny 10.8.19.224 0.0.0.15

deny 10.8.19.240 0.0.0.7

deny 10.8.19.248 0.0.0.1

deny 10.8.19.250 0.0.0.0

This will cover exactly the range from 150 to 250.

HTH

Rick

HTH

Rick

Rick,

I'm glad we used the same maths. It would have been pretty embarassing otherwise ;-)

Cheers,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

Indeed it would have ;)

Cheers

HTH

Rick

Thanks for replying.

Harold Ritter
Cisco Employee
Cisco Employee

Arun,

If you only want to deny access to hosts between 10.8.19.150 to 250 inclusively and nothing else then this cannot be done with one statement, you could use something like this:

access-list 1 deny 10.8.19.150 0.0.0.1

access-list 1 deny 10.8.19.152 0.0.0.7

access-list 1 deny 10.8.19.160 0.0.0.31

access-list 1 deny 10.8.19.192 0.0.0.31

access-list 1 deny 10.8.19.224 0.0.0.15

access-list 1 deny 10.8.19.240 0.0.0.7

access-list 1 deny 10.8.19.248 0.0.0.1

access-list 1 deny 10.8.19.250 0.0.0.0

access-list 1 permit any

Hope this helps,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

dear sir...why cant we use the mask deny 10.8.19.150 0.0.0.100 so tht all hosts from 10.8.19.150 tupto 10.2.19.250 get blocked..??

The 0.0.0.100 doesn't mean the next 100 hosts.

Access-lists use a reverse bit mask (wildcard mask) to determine the address range. A reverse bit mask is a binary mask where one values mean "do not care".

So for instance, 10.8.19.0 0.0.0.255 represents the range 10.8.19.0 to 10.8.19.255 as we do not care what is the value of the last octect.

10.8.19.150 0.0.0.1 represente range 10.8.19.150 to 10.8.19.151 as we do not care about the last bit in this example.

Hope this helps,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

Your question implies that the mask is a count of how many addresses to apply to. But that is not how the mask works. In access list masks the numbers given are converted into binary and each digit where there is a binary zero is a bit that must match in the address. So the mask of 0.0.0.100 would not match from 150 to 250.

HTH

Rick

HTH

Rick

Jai,

Have a look at this ACL wild card mask tutorial and see if it makes sense.

http://www.2000trainers.com/cisco-ccna-09/ccna-access-list-wildcard-mask/

After reading this if you still have any further questions just give us a shout.

HTH

Sundar

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco