How to define a part of subnet in ACL?

SludnevTN_2
Level 1

Is it possible to define only this range of hosts, 192.168.80.200-254 (within a /24), in a standard ACL without entering each host on its own line?

Thank you.

ip access-list standard PAT
permit 192.168.80.200
permit 192.168.80.201
.
.
permit 192.168.80.254

Any other ways?

6 Replies

Collin Clark
VIP Alumni

Yes, there is. Here's a link that provides a good explanation.

http://www.rhyshaden.com/ipadd.htm

Also check out the SolarWinds Advanced Subnet Calculator. It will do all the hard work for you.

Hope that helps.

ergonullu
Level 1

Please try this

permit 192.168.80.0 0.0.0.55

Let me know whether it works.

PS: Make sure users have already been informed about interruptions.

Regards

Hello,

Actually, I did the 55 part on purpose.

I just wanted him to try this.

In this case I put 1 for the bits that he does not use, so it makes 55. Actually, I have never had a chance to do this, but it makes sense to me. I will try it if he does not in the future.

ergonullu,

Keep in mind how ACLs work (it's binary). So, 55 in binary is 01100111. Effectively, the wildcard you typed would mean that in the fourth octet the host address must have 0s in the same positions as 01100111. As you can see, a 4th octet of 00000001 matches that wildcard, but this is address .1, which is not what he is trying to do.

Also, it won't work. The wildcard mask must be a multiple of two minus 1 (for example wildcard = .1, .3, .7, .15, .31, ..., .127, etc.).

mhnsitnet
Level 1

Hello SludnevTN,

Sure, there are a lot of other ways.

ergonullu posted one of them, but he missed one letter. For example, if you want to allow a complete network to get access through an ACL you can use

permit 192.168.80.0 0.0.0.255

With that rule it means 192.168.80.0/24, afaik. For more details check the IOS Manual. Just another piece of information:

R1(config)#access-list ?
<1-99> IP standard access list
<100-199> IP extended access list

Access lists with numbers between 1-99 are more or less limited in features.

When you want to filter by protocols like TCP/UDP or by source/destination IP address, then extended access lists are what you need. Maybe you should know it.

R1(config)#access-list 105 permit ?
<0-255> An IP protocol number
ahp Authentication Header Protocol
esp Encapsulation Security Payload
gre Cisco's GRE tunneling
icmp Internet Control Message Protocol
igmp Internet Gateway Message Protocol
ip Any Internet Protocol
ipinip IP in IP tunneling
nos KA9Q NOS compatible IP over IP tunneling
pcp Payload Compression Protocol
tcp Transmission Control Protocol
udp User Datagram Protocol
R1(config)#access-list 105 permit

I hope this helps.

rpfinneran
Level 1

Yup... but be careful how you post your questions. I think the /24 confused a lot of people above; they thought you wanted to block the entire /24 instead of the specific hosts. Anyway...

ip access-list standard PAT
deny 192.168.80.192 0.0.0.7
permit 192.168.80.192 0.0.0.63

This was an easy example, but the idea is that you must find ways to break the range down on boundaries that are multiples of two.

Hope this helps,

Ryan
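The following is an added example for this thread, not code from any of the posters or from Cisco: a small wildcard-mask calculator in the spirit of the subnet calculator mentioned earlier. It lets you check on paper what the reply about binary wildcards checks by hand (which hosts a line such as `permit 192.168.80.0 0.0.0.55` really matches, before it is tried on a production router), evaluates an ordered standard ACL with Cisco first-match and implicit-deny semantics so the deny/permit pair above can be confirmed, and decomposes an arbitrary host range into lines aligned on power-of-two boundaries, which is the general form of the "break it down on multiples of two" idea. The function names, the `192.168.80.0/24` evaluation network and the sample ACL lines are assumptions of this example; only the standard-library `ipaddress` module is used.

```python
# Added example (not code from the thread): Cisco wildcard-mask checks
# built on the standard library's ipaddress module.
import ipaddress


def wildcard_matches(addr: str, base: str, wildcard: str) -> bool:
    """True if `addr` is matched by the ACL line '<base> <wildcard>'.

    A wildcard bit of 1 means "don't care"; a 0 bit means the address bit
    must equal the corresponding bit of `base` (the inverse of a netmask).
    """
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


def matched_hosts(base: str, wildcard: str,
                  network: str = "192.168.80.0/24") -> list:
    """All addresses in `network` (assumed /24) that one ACL line matches."""
    return [str(h) for h in ipaddress.IPv4Network(network)
            if wildcard_matches(str(h), base, wildcard)]


def parse_line(line: str) -> tuple:
    """Parse 'permit 192.168.80.192 0.0.0.63' into (action, base, wildcard).

    A line without a wildcard (e.g. 'permit 192.168.80.200') is a host entry,
    which is the same as a wildcard of 0.0.0.0.
    """
    parts = line.split()
    action, base = parts[0], parts[1]
    wildcard = parts[2] if len(parts) > 2 else "0.0.0.0"
    return action, base, wildcard


def evaluate_acl(acl: list, network: str = "192.168.80.0/24") -> list:
    """Evaluate an ordered standard ACL over every address in `network`.

    Cisco semantics: the first matching line wins and an implicit 'deny any'
    sits at the end. Returns the addresses that end up permitted.
    """
    permitted = []
    for host in ipaddress.IPv4Network(network):
        for action, base, wildcard in acl:
            if wildcard_matches(str(host), base, wildcard):
                if action == "permit":
                    permitted.append(str(host))
                break  # first match wins, whether permit or deny
    return permitted


def range_to_acl_lines(first: str, last: str, action: str = "permit") -> list:
    """Decompose an inclusive host range into the fewest 'base wildcard'
    lines, each aligned on a power-of-two boundary. The blocks are exactly
    the CIDR prefixes that cover the range, and the wildcard of each block
    is its host mask (all-ones in the host bits)."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [f"{action} {b.network_address} {b.hostmask}" for b in blocks]


if __name__ == "__main__":
    print("hosts matched by 'permit 192.168.80.0 0.0.0.55':")
    print(matched_hosts("192.168.80.0", "0.0.0.55"))

    # The deny/permit pair posted above, evaluated in order.
    thread_acl = [parse_line(ln) for ln in (
        "deny 192.168.80.192 0.0.0.7",
        "permit 192.168.80.192 0.0.0.63")]
    print("hosts permitted by the deny/permit pair:")
    print(evaluate_acl(thread_acl))

    print("permit-only lines covering exactly .200-.254:")
    for line in range_to_acl_lines("192.168.80.200", "192.168.80.254"):
        print(" ", line)
```

Running it shows that `0.0.0.55` matches 32 scattered addresses (including .1) and not .200 at all, that the deny/permit pair permits .200 through .255 (the broadcast address is included, which is harmless in a standard ACL but worth knowing), and that an exact .200-.254 range needs seven permit-only lines (/29, /28, /28, /29, /30, /31, /32) because 55 addresses cannot be covered by one aligned block; a deny-then-permit pair is the shorter way when including .255 is acceptable.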
