How to define a part of subnet in ACL?

Apr 8th, 2009

Is it possible to define only this range of hosts: 192.168.80.200-254 /24 in standard ACL without entering each host per line?

Thank you.


ip access-list standard PAT
permit 192.168.80.200
permit 192.168.80.201
.
.
permit 192.168.80.254


Any other ways?

Paolo Bevilacqua Wed, 04/08/2009 - 06:34

No. You're limited to specifying a wildcard mask, to the extent that your range falls on bit boundaries, e.g. 0.0.0.1 for x.x.x.200-201.

Edison Ortiz Wed, 04/08/2009 - 06:40

You can accomplish the task with 3 lines:


ip access-list standard PAT
permit 192.168.80.200 7.255.255.255
permit 192.168.80.208 15.255.255.255
permit 192.168.80.224 31.255.255.255


HTH,

___

Edison.


Jon Marshall Wed, 04/08/2009 - 06:44

Edison


Shouldn't that be -


ip access-list standard PAT
permit 192.168.80.200 0.0.0.7
permit 192.168.80.208 0.0.0.15
permit 192.168.80.224 0.0.0.31


Jon

Edison Ortiz Wed, 04/08/2009 - 06:48

Jon,


Yes, posting while on the phone isn't something I recommend :)


__


Edison.

Paolo Bevilacqua Wed, 04/08/2009 - 06:57

You're taking it the wrong way Edison (and I do not mean the wildcard mask).


You've just been talking while posting, not vice versa.


With a little practice, you will learn how to screw up both things at the same time. One only is for beginners.


Edison Ortiz Wed, 04/08/2009 - 07:00

Paolo,


I actually did.


While posting, I was asked a question and I was dumbfounded :(



SludnevTN_2 Wed, 04/08/2009 - 06:56

Thank you.

How do you do this so quickly? I understand the logic, but... did you use some tools? IP calc?

lamav Wed, 04/08/2009 - 06:57

PLEASE DO NOT POST THE SAME QUESTION ON TWO DIFFERENT THREADS.

lamav Wed, 04/08/2009 - 07:01

What's uncalled for? Asking him not to post the same question on 2 threads?


Or using CAPS?


The CAPS is just an attention-getter. Were I yelling at him, I would have used "!" OK!!!!!!??????? :-D

Edison Ortiz Wed, 04/08/2009 - 07:02

Tim,


It comes with experience.


I haven't used any IP Calculator for a LONG time.


__


Edison.

lamav Wed, 04/08/2009 - 07:46

Hello!


You really should read about this because it gets complicated and requires a lot of explaining.


I'll try....


The best way to handle this, especially for you so that you can see exactly what is going on, is to convert the addresses and the ranges to binary.


192.168.80.200 - 207


Let's focus on the last octet range of 200 to 207.


200 base 10 in binary is 11001000

201 base 10 in binary is 11001001

202 base 10 in binary is 11001010

203 base 10 in binary is 11001011

204 base 10 in binary is 11001100

205 base 10 in binary is 11001101

206 base 10 in binary is 11001110

207 base 10 in binary is 11001111


Notice the common bits that never change within that range. They are 11001. The first 5 bits do not change. The ones that do change are the last 3 bits: 000 through 111, and all combinations in between.


Now, 3 bits in binary offers you 8 combinations (as I have just shown), so you can have 8 additional host addresses "added" to the base of 11001 (200).


Do you see that? Stop here and think about it if you don't.


In access lists we use what are called wildcard masks. When converted into binary, a "0" means the match has to be exact. A "1" means that it can vary.


So, if I have an ACL that permits a subnet address and mask of 192.168.80.0 0.0.0.255, it means that, when I convert the mask to binary, I get 00000000.00000000.00000000.11111111. Given that the first 3 octets are represented with "0"s, the first 3 octets must match. However, the 4th octet can be anything. No match. So, all hosts between 192.168.80.0 through 192.168.80.255 will be permitted.


In your case, you want to start matching at 192.168.80.200 and end at 192.168.80.207. This is for the first range of addresses. These are the hosts that will be permitted according to the ACL.


The subnet and mask will be 192.168.80.200 0.0.0.7. The first three octets of the mask (0.0.0) means that the address has to match (192.168.80), and the last octet in the mask of "7" means that the last 3 bits (111), which is 7 (in base 10 - decimal), can vary, from 200 to 207.


I hope this has helped you. As a Russian, you should be laughing at this baby math. :-)


Victor
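As an added example (not code from any poster in this thread), here is a short Python script that does the binary bookkeeping Victor describes: it splits an inclusive host range into the fewest address/wildcard pairs a standard ACL can express, and it applies the wildcard rule (0 bits must match, 1 bits may vary) to check which hosts a given list of pairs actually permits. The ACL name PAT comes from the thread; the function names and sample ranges are constructed for this example.

```python
import ipaddress


def _ip(value):
    """Dotted-quad string (address or wildcard mask) -> 32-bit integer."""
    return int(ipaddress.IPv4Address(value))


def range_to_wildcards(first, last):
    """Split the inclusive host range first..last into the fewest
    (address, wildcard) pairs a standard ACL can express.

    Greedy from the low end: each block is the largest power-of-two run
    that starts on an aligned address (enough trailing zero bits) and
    still fits inside the range, which is exactly the bit-boundary
    constraint discussed in the thread.
    """
    lo, hi = _ip(first), _ip(last)
    if lo > hi:
        raise ValueError("first address must not exceed last")
    entries = []
    while lo <= hi:
        size = 1
        while lo & (2 * size - 1) == 0 and lo + 2 * size - 1 <= hi:
            size *= 2
        # A block of `size` hosts needs wildcard size-1 (8 hosts -> 0.0.0.7).
        entries.append((str(ipaddress.IPv4Address(lo)),
                        str(ipaddress.IPv4Address(size - 1))))
        lo += size
    return entries


def acl_matches(entries, host):
    """True if host is permitted by any pair: every bit whose wildcard bit
    is 0 must equal the address bit; bits under a 1 may differ."""
    h = _ip(host)
    return any((h ^ _ip(addr)) & ~_ip(wild) & 0xFFFFFFFF == 0
               for addr, wild in entries)


def as_ios_lines(entries, name="PAT"):
    """Render the pairs as standard named-ACL configuration lines."""
    lines = [f"ip access-list standard {name}"]
    lines += [f" permit {addr} {wild}" for addr, wild in entries]
    return lines


if __name__ == "__main__":
    print("\n".join(as_ios_lines(
        range_to_wildcards("192.168.80.200", "192.168.80.254"))))
```

Run on .200-.254 exactly, the function returns seven entries, because the three-line version above also matches .255 (the .224 0.0.0.31 block covers .224 through .255). Whether that extra address is acceptable is the check to make before pasting the shorter list into a router.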


