04-08-2009 06:21 AM - edited 03-06-2019 05:04 AM
Is it possible to define only this range of hosts: 192.168.80.200-254 /24 in a standard ACL without entering each host per line?
Thank you.
ip access-list standard PAT
permit 192.168.80.200
permit 192.168.80.201
.
.
permit 192.168.80.254
Any other ways?
04-08-2009 08:15 AM
Yes, there is. Here's a link that provides a good explanation.
http://www.rhyshaden.com/ipadd.htm
Also check out Solarwinds Advanced Subnet Calculator. It will do all the hard work for you.
Hope that helps.
04-10-2009 12:38 AM
Please try this
permit 192.168.80.0 0.0.0.55
let me know whether it works
PS: Make sure users are already informed about interruptions
Regards
04-13-2009 10:39 PM
Hello,
Actually, I did the 55 part on purpose.
I just wanted him to try this.
In this case I put 1 for the bits that he does not use, so it makes 55. Actually, I have never had a chance to do this, but it makes sense to me. I will try it in the future if he does not.
04-13-2009 10:47 PM
ergonullu,
Keep in mind how ACLs work (it's binary). So, 55 in binary is 01100111. Effectively, the wildcard you typed would mean that in the fourth octet the host address must have 0's in the same positions as 01100111. As you can see, a 4th octet of 00000001 matches that wildcard, but this is address .1, which is not what he is trying to do.
Also, it won't work. The wildcard mask must be a multiple of two minus 1 (for example wildcard = .1, .3, .7, .15, .31 ... ,.127 etc)
04-10-2009 06:24 PM
Hello SludnevTN,
Sure, there are a lot of other ways.
ergonullu posted one of them but he missed one letter. For example, if you want to allow a complete network to get access to an ACL you can use
permit 192.168.80.0 0.0.0.255
With that rule it means 192.168.80.0/24, AFAIK. For more details, check the IOS manual. Just another piece of information:
R1(config)#access-list ?
  <1-99>     IP standard access list
  <100-199>  IP extended access list
Access lists with numbers between 1-99 are more or less limited in features.
When you want to filter by protocols like TCP/UDP or source/destination IP address, then extended access lists are what you need. Maybe you should know it.
R1(config)#access-list 105 permit ?
  <0-255>  An IP protocol number
  ahp      Authentication Header Protocol
  esp      Encapsulation Security Payload
  gre      Cisco's GRE tunneling
  icmp     Internet Control Message Protocol
  igmp     Internet Gateway Message Protocol
  ip       Any Internet Protocol
  ipinip   IP in IP tunneling
  nos      KA9Q NOS compatible IP over IP tunneling
  pcp      Payload Compression Protocol
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol
R1(config)#access-list 105 permit
I hope this helps.
04-12-2009 03:39 AM
Yup...but be careful how you post your questions. I think the /24 confused a lot of people above, they thought you wanted to block the entire /24 instead of the specific hosts. Anyway...
ip access-list standard PAT
deny 192.168.80.192 0.0.0.7
permit 192.168.80.192 0.0.0.63
This was an easy example, but the idea is you must find ways to break them down on boundaries of the multiples of two.
Hope this helps,
Ryan
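Added example, not written by any poster in this thread: a small Python model of standard-ACL matching that checks the entries posted above against the requested .200-.254 range and derives a permit-only list covering it exactly. It assumes the usual IOS semantics (a 0 wildcard bit must match, a 1 bit is ignored, first match wins, implicit deny at the end); the function and constant names are made up for this illustration.

```python
import ipaddress

def parse_entry(line):
    """'permit 192.168.80.192 0.0.0.63' -> (action, base_int, wildcard_int)."""
    parts = line.split()
    action, base = parts[0], int(ipaddress.IPv4Address(parts[1]))
    # A standard ACL entry with no wildcard matches a single host.
    wild = int(ipaddress.IPv4Address(parts[2])) if len(parts) > 2 else 0
    return action, base, wild

def acl_permits(acl, addr):
    """First matching entry decides; no match means implicit deny."""
    a = int(ipaddress.IPv4Address(addr))
    for action, base, wild in map(parse_entry, acl):
        # Wildcard bit 0 = must equal base, bit 1 = ignored.
        if ((a ^ base) & ~wild & 0xFFFFFFFF) == 0:
            return action == "permit"
    return False

def permitted_octets(acl, prefix="192.168.80."):
    """Fourth octets in the /24 that the ACL permits."""
    return [h for h in range(256) if acl_permits(acl, f"{prefix}{h}")]

def exact_cover(first, last):
    """Minimal list of aligned CIDR blocks covering first..last, as ACL lines."""
    nets = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [f"permit {n.network_address} {n.hostmask}" for n in nets]

WANTED = list(range(200, 255))  # .200 through .254, as asked in the first post
ACL_55 = ["permit 192.168.80.0 0.0.0.55"]
ACL_DENY_PERMIT = ["deny 192.168.80.192 0.0.0.7",
                   "permit 192.168.80.192 0.0.0.63"]
ACL_EXACT = exact_cover("192.168.80.200", "192.168.80.254")

if __name__ == "__main__":
    for name, acl in [("0.0.0.55", ACL_55), ("deny+permit", ACL_DENY_PERMIT),
                      ("exact cover", ACL_EXACT)]:
        got = set(permitted_octets(acl))
        print(name, "extra:", sorted(got - set(WANTED)),
              "missing:", len(set(WANTED) - got))
    print("\n".join(ACL_EXACT))
```

Run as a script, it prints for each ACL which fourth octets are permitted beyond the requested range and how many requested hosts are missed, followed by the generated permit lines.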