I would like to block a network 10.10.10.0 using an ACL but exclude the first 100 IPs. Is it possible?
This link has information about using access lists on the 2950 switch.
The good news is that it clearly says that access lists such as this can be used on the 2950. But the bad news is that it says that an access list on an interface can use only a single mask.
Based on this I do not believe that the access list as we have shown it could be applied to an interface on the 2950.
There is no one-line way to do it, but the easiest way to do it is this way (if you want to block source addresses):
access-list 10 permit 10.10.10.0 0.0.0.63
access-list 10 permit 10.10.10.64 0.0.0.31
access-list 10 permit 10.10.10.96 0.0.0.3
access-list 10 permit 10.10.10.100 0.0.0.0
access-list 10 deny 10.10.10.0 0.0.0.255
You must understand the same techniques that are used in summarization to be able to create efficient access lists.
It is certainly possible to exclude the first 100 IPs. It would take multiple statements to do it, but it certainly can be done. If you want to block 10.10.10.0 you could have a single statement to deny that address block. If you want to exclude the first 100 addresses you would have to put statements before the deny for 10.10.10.0 that would permit the first 100 addresses. So the access list might look something like this:
access-list 1 permit 10.10.10.0 0.0.0.63 (permits 0 through 63)
access-list 1 permit 10.10.10.64 0.0.0.31 (permits 64 through 95)
access-list 1 permit 10.10.10.96 0.0.0.3 (permits 96 through 99)
access-list 1 permit 10.10.10.100 0.0.0.0 (permits 100)
access-list 1 deny 10.10.10.0 0.0.0.255
Or if you want an extended access list you could write it that way. The important concept is the combination of statements and masks to include the first 100 addresses.
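Added example, not part of the thread: a Python sketch that derives the address/wildcard pairs for any contiguous range (generalizing the 0 through 100 case discussed above) and then replays the list with first-match semantics to confirm exactly which addresses end up permitted. The function names are hypothetical; the emitted lines use the standard numbered ACL form shown in the posts.

```python
import ipaddress

def range_to_acl(first, last, block, acl_id=1):
    """Standard-ACL lines that permit first..last and deny the rest of block."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    net = ipaddress.IPv4Network(block)
    if lo > hi or lo not in net or hi not in net:
        raise ValueError("range must be ordered and lie inside the block")
    lines = []
    # summarize_address_range yields the fewest aligned power-of-two blocks,
    # the same decomposition used when summarizing routes.
    for n in ipaddress.summarize_address_range(lo, hi):
        lines.append(f"access-list {acl_id} permit {n.network_address} {n.hostmask}")
    lines.append(f"access-list {acl_id} deny {net.network_address} {net.hostmask}")
    return lines

def evaluate(lines, addr):
    """First-match evaluation of ACL lines; implicit deny if nothing matches."""
    a = int(ipaddress.IPv4Address(addr))
    for line in lines:
        _, _, action, base, wild = line.split()
        b = int(ipaddress.IPv4Address(base))
        w = int(ipaddress.IPv4Address(wild))
        # Wildcard bits set to 1 are "don't care"; all other bits must match.
        if (a | w) == (b | w):
            return action
    return "deny"

def permitted_hosts(lines, block):
    """Every address in block that the ACL permits, in ascending order."""
    return [str(h) for h in ipaddress.IPv4Network(block)
            if evaluate(lines, h) == "permit"]

if __name__ == "__main__":
    acl = range_to_acl("10.10.10.0", "10.10.10.100", "10.10.10.0/24")
    print("\n".join(acl))
    ok = permitted_hosts(acl, "10.10.10.0/24")
    print(f"{len(ok)} addresses permitted, last is {ok[-1]}")
```

Replaying a hand-written list through `evaluate` before applying it catches a wildcard that is one bit too wide: `10.10.10.64 0.0.0.63` matches 64 through 127, not 64 through 95.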