Access list help

Unanswered Question
Sep 30th, 2008

Guess if I want to block two networks


192.168.1.0/24 and 192.168.3.0/24


what will be the access list for that, keeping in mind that I want to get the job done in one line (access-list statement), and can someone please tell me how you did that....thanks

Gerald Vogt Tue, 09/30/2008 - 21:21

access-list 1 deny 192.168.1.0 0.0.2.255

Giuseppe Larosa Wed, 10/01/2008 - 01:06

Hello Khan,

you need to think of the binary of the base subnet IP address


192.168.1.0/24

192.168.3.0/24

and look for what they have in common:

they have in common the first two bytes and the 1 bit set in the least significant bit of the third byte

so

192.168.1.0


the wildcard mask in ACL can contain multiple transitions 0 to 1 and 1 to 0.


0.0.2.255


the third byte is in binary:


00000010 : the first 6 bits are 0 and must match, the last bit is 1 and must match, and the bit that makes the difference between 1 and 3 can be set to any value


so it is:

access-list 12 deny 192.168.1.0 0.0.2.255


notice that


access-list 12 deny 192.168.1.0 0.0.3.255


is wrong because it is matching

192.168.0.0/24

192.168.1.0/24

192.168.2.0/24

192.168.3.0/24


that is not the same


Hope to help

Giuseppe
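The wildcard-mask reasoning in the answer above can be checked mechanically. The following Python script is an added example and is not part of the original thread or any Cisco tool: `wildcard_match` applies the ACE rule (a wildcard bit of 0 means the address bit must equal the base, a 1 means "don't care"), `matched_networks` lists every /24 a given entry actually hits, and `ace_for_networks` derives the single entry covering a set of networks by OR-ing together every bit that differs between them, then reports whether the result is exact or overmatches (the `0.0.3.255` case). The function names and the `192.168.0.0/16` search scope are the example's own assumptions; the networks and masks are those from the thread.

```python
import ipaddress


def _to_int(dotted: str) -> int:
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(address: str, base: str, wildcard: str) -> bool:
    """Cisco ACE semantics: wildcard bit 0 = 'must equal base', bit 1 = 'don't care'."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF          # bits the ACE actually compares
    return (_to_int(address) & care) == (_to_int(base) & care)


def ace_for_networks(networks):
    """Derive one (base, wildcard, exact) entry covering all given networks.

    Every bit that differs between any two network addresses, plus all host bits,
    becomes a wildcard 1-bit. `exact` is True only when the entry matches precisely
    the given address ranges; False means neighbouring networks are pulled in too.
    """
    nets = [ipaddress.IPv4Network(n, strict=True) for n in networks]
    bases = [int(n.network_address) for n in nets]
    wild = 0
    for b in bases:
        wild |= b ^ bases[0]                         # bits that differ between networks
    for n in nets:
        wild |= int(n.hostmask)                      # host bits are always don't-care
    # An ACE with k don't-care bits matches 2**k addresses; compare with what was asked for.
    exact = (1 << bin(wild).count("1")) == sum(n.num_addresses for n in nets)
    base = bases[0] & ~wild & 0xFFFFFFFF             # normalise base like IOS does
    return (str(ipaddress.IPv4Address(base)), str(ipaddress.IPv4Address(wild)), exact)


def matched_networks(base, wildcard, within="192.168.0.0/16", prefixlen=24):
    """List the /prefixlen networks inside `within` whose addresses the entry matches."""
    scope = ipaddress.IPv4Network(within)
    return [str(n) for n in scope.subnets(new_prefix=prefixlen)
            if wildcard_match(str(n.network_address), base, wildcard)]


if __name__ == "__main__":
    # The thread's two candidate entries, checked against the /24s they actually cover.
    print("0.0.2.255 matches:", matched_networks("192.168.1.0", "0.0.2.255"))
    print("0.0.3.255 matches:", matched_networks("192.168.1.0", "0.0.3.255"))
    # Deriving the entry instead of hand-computing it.
    print(ace_for_networks(["192.168.1.0/24", "192.168.3.0/24"]))   # exact
    print(ace_for_networks(["192.168.1.0/24", "192.168.2.0/24"]))   # overmatches
```

Running it shows why `0.0.2.255` is the right answer for .1 and .3 (the only differing bit is the middle one, so the two networks collapse into one exact entry) and why the same trick does not work for .1 and .2: their third octets differ in two bits, the derived wildcard becomes `0.0.3.255`, and the entry also denies 192.168.0.0/24 and 192.168.3.0/24. When the `exact` flag is False the safe choice is separate ACL lines rather than one over-broad entry.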


