How to define a part of subnet in ACL?

Unanswered Question
Apr 8th, 2009

Is it possible to define only this range of hosts: /24 in standard ACL without entering each host per line?

Thank you.

ip access-list standard PAT






Any other ways?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Paolo Bevilacqua Wed, 04/08/2009 - 06:34

No. You're limited to specify a wildcard mask, to the extent your range is falling on bit boundaries. e.g for x.x.x.200-201

Edison Ortiz Wed, 04/08/2009 - 06:40

You can accomplish the task with 3 lines:

ip access-list standard PAT







Jon Marshall Wed, 04/08/2009 - 06:44


Shouldn't that be -

ip access-list standard PAT

permit .




Edison Ortiz Wed, 04/08/2009 - 06:48


Yes, posting while on the phone isn't something I recommend :)



Paolo Bevilacqua Wed, 04/08/2009 - 06:57

You're taking it the wrong way Edison (and I do not mean the wildcard mask).

You've just been talking while posting, not viceversa.

With a little practice, you will learn how to screw up both things at the same time. One only, is for beginners.

Edison Ortiz Wed, 04/08/2009 - 07:00


I actually did.

While posting, I was asked a question and I was dumbfounded :(

SludnevTN_2 Wed, 04/08/2009 - 06:56

Thank you.

How do you do this so quickly? I understand a logic, but... did you use some tools? IP calc?

lamav Wed, 04/08/2009 - 06:57


lamav Wed, 04/08/2009 - 07:01

Whats un-called for. Asking him not to post the same question on 2 threads?

Or using CAPS?

The CAPS is just an attention-getter. Were I yelling at him, I would have used "!" OK!!!!!!??????? :-D

Edison Ortiz Wed, 04/08/2009 - 07:02


It comes with experience.

I haven't used any IP Calculator for a LONG time.



lamav Wed, 04/08/2009 - 07:46


You really should read about this because it gets complicated and requires a lot of explaining.

I'll try....

The best way to handle this, especially for you so that you can see exactly what is going on, is to convert the addresses and the ranges to binary. - 207

Lets focus on the last octet range of 200 to 207.

200 base 10 in binary is 11001000

201 base 10 in binary is 11001001

202 base 10 in binary is 11001010

203 base 10 in binary is 11001011

204 base 10 in binary is 11001100

205 base 10 in binary is 11001101

206 base 10 in binary is 11001110

207 base 10 in binary is 11001111

Notice the common bits that never change within that range. They are 11001. The first 5 bits do not change. The ones that do change are the last 3 bits: 000 through 111, and all combinations in between.

Now, 3 bits in binary offers you 8 combinations (as I have just shown), so you can have 8 additional host addresses "added" to the base of 11001 (200).

Do you see that? Stop here and think about it if you dont.

In access lists we use what are called wildcard masks. When converted into binary, a "0" means the match has to be exact. A "1" means that it can vary.

So, if I have an ACL that permits a subnet address and mask of, it means that, when I convert the mask to binary, I get 00000000.00000000.00000000.11111111. Given that the first 3 octets are represented with "0"s, the first 3 octets must match. However, the 4th octet can be anything. No match. So, all hosts between through will be permitted.

In your case, you want to start matching at and end at This is for the first range of addresses. These are the hosts that will be permitted according to the ACL.

The subnet and mask will be The first three octets of the mask (0.0.0) means that the address has to match (192.168.80), and the last octet in the mask of "7" means that the last 3 bits (111), which is 7 (in base 10 - decimal), can vary, from 200 to 207.

I hope this has helped you. As a Russian, you should be laughing at this baby math. :-)



This Discussion