Access list help

Unanswered Question
Sep 30th, 2008

gues if i want to block two network


192.168.1.0/24 and 192.168.3.0/24


what will b ethe access list for that keeping in mind that i want to get the job done in one line (access-list staement) and can someone please tell me how you did that....thanks

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Giuseppe Larosa Wed, 10/01/2008 - 01:06

Hello Khan,

you need to think at the binary of the base subnet ip address


192.168.1.0/24

192.168.3.0/24

and look for waht they have in common:

they have in common the first two bytes and the 1 bit set in the least meaning bit of the third byte

so

192.168.1.0


the wildcard mask in ACL can contain multiple transitions 0 to 1 and 1 to 0.


0.0.2.255


the third byte is in binary:


00000010 : first 6 bits are 0 must match the last bit must be 1 must match the bit that makes the difference between 1 and 3 can be set to any value


so it is:

access-list 12 deny 192.168.1.0 0.0.2.255


notice that


access-list 12 deny 192.168.1.0 0.0.3.255


is wrong because is matching

192.168.0.0/24

192.168.1.0/24

192.168.2.0/24

192.168.3.0/24


that is not the same


Hope to help

Giuseppe



Actions

This Discussion