How to define a part of subnet in ACL?

Apr 8th, 2009

Is it possible to define only this range of hosts: /24 in standard ACL without entering each host per line?

Thank you.

ip access-list standard PAT






Any other ways?

ergonullu Fri, 04/10/2009 - 00:38

Please try this


Let me know whether it works.

PS: Make sure users are already informed of interruptions.


ergonullu Mon, 04/13/2009 - 22:39


Actually, I did it on purpose for the 55 part.

I just wanted him to try this.

In this case I put 1 for the bits that he does not use, so it makes 55. Actually, I have never had a chance to do this, but it makes sense to me. I will try it in the future if he does not.

rpfinneran Mon, 04/13/2009 - 22:47


Keep in mind how ACLs work (it's binary). So, 55 in binary is 01100111. Effectively, the wildcard you typed would mean that in the fourth octet the host address must have 0's in the same positions as 01100111. As you can see, a 4th octet of 00000001 matches that wildcard, but this is address .1, which is not what he is trying to do.

Also, it won't work. The wildcard mask must be a multiple of two minus 1 (for example wildcard = .1, .3, .7, .15, .31 ... ,.127 etc)

mhnsitnet Fri, 04/10/2009 - 18:24

Hello SludnevTN,

Sure, there are a lot of other ways.

ergonullu posted one of them but he missed one letter. For example, if you want to allow a complete network to get access to an ACL you can use


With that rule it means

AFAIK. For more details check the IOS manual. Just another piece of information.

R1(config)#access-list ?
  <1-99> IP standard access list
  <100-199> IP extended access list

Access Lists with numbers between 1-99 are more or less limited with features.

When you want to filter by protocols like TCP/UDP or Source/Destination IP address then extended access lists are what you need. Maybe you should know it.

R1(config)#access-list 105 permit ?
  <0-255> An IP protocol number
  ahp Authentication Header Protocol
  esp Encapsulation Security Payload
  gre Cisco's GRE tunneling
  icmp Internet Control Message Protocol
  igmp Internet Gateway Message Protocol
  ip Any Internet Protocol
  ipinip IP in IP tunneling
  nos KA9Q NOS compatible IP over IP tunneling
  pcp Payload Compression Protocol
  tcp Transmission Control Protocol
  udp User Datagram Protocol
R1(config)#access-list 105 permit

I hope this helps.

rpfinneran Sun, 04/12/2009 - 03:39

Yup...but be careful how you post your questions. I think the /24 confused a lot of people above; they thought you wanted to block the entire /24 instead of the specific hosts. Anyway...

ip access-list standard PAT



This was an easy example, but the idea is you must find ways to break them down on boundaries of the multiples of two.

Hope this helps,
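
Added example, not part of any post in this thread: a Python sketch of the breakdown described in the last reply, splitting a host range into power-of-two-aligned blocks and then checking that the resulting address/wildcard pairs permit exactly that range. The range 192.0.2.20 to 192.0.2.50 is constructed for illustration (the poster's actual range is not shown on the page); only the ACL name PAT comes from the thread.

```python
import ipaddress

def range_to_acl_entries(first, last):
    """Split first..last into aligned blocks; return (base, wildcard) pairs."""
    nets = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    # hostmask is the inverse of the netmask, i.e. the IOS wildcard mask
    return [(str(n.network_address), str(n.hostmask)) for n in nets]

def wildcard_matches(addr, base, wildcard):
    """True if addr equals base in every bit where the wildcard bit is 0."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

def hosts_permitted(entries, subnet):
    """List every address in subnet that at least one entry permits."""
    return [str(h) for h in ipaddress.ip_network(subnet)
            if any(wildcard_matches(str(h), b, w) for b, w in entries)]

def render(name, entries):
    """Format the entries as a standard named ACL."""
    lines = [f"ip access-list standard {name}"]
    lines += [f" permit {b} {w}" for b, w in entries]
    return "\n".join(lines)

if __name__ == "__main__":
    # Constructed sample range: hosts .20 through .50 of 192.0.2.0/24
    entries = range_to_acl_entries("192.0.2.20", "192.0.2.50")
    print(render("PAT", entries))
    permitted = hosts_permitted(entries, "192.0.2.0/24")
    # Audit: the ACL must cover the intended range and nothing else
    print(f"{len(permitted)} hosts permitted: {permitted[0]} .. {permitted[-1]}")
```

Running the audit step against a hand-written ACL before applying it shows any host that a too-wide wildcard would permit by accident.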


