How to define a part of subnet in ACL?

Is it possible to define only this range of hosts: 192.168.80.200-254 /24 in standard ACL without entering each host per line?

Thank you.

ip access-list standard PAT

permit 192.168.80.200

permit 192.168.80.201

.

.

permit 192.168.80.254

Any other ways?

6 REPLIES

Re: How to define a part of subnet in ACL?

Yes, there is. Here's a link that provides a good explanation.

http://www.rhyshaden.com/ipadd.htm

Also check out the Solarwinds Advanced Subnet Calculator. It will do all the hard work for you.

Hope that helps.

Re: How to define a part of subnet in ACL?

Please try this

permit 192.168.80.0 0.0.0.55

let me know whether it works

PS: Make sure users are already informed about interruptions.

Regards

Re: How to define a part of subnet in ACL?

Hello,

Actually, I did the 55 part on purpose.

I just wanted him to try this.

In this case I put 1 for the bits that he does not use, so it makes 55. Actually, I never had a chance to do this, but it makes sense to me. I will try it if he does not in the future.

Re: How to define a part of subnet in ACL?

ergonullu,

Keep in mind how ACLs work (it's binary). So, 55 in binary is 00110111. Effectively, the wildcard you typed would mean that in the fourth octet the host address must have 0s in the same positions as 00110111. As you can see, a 4th octet of 00000001 matches that wildcard, but this is address .1, which is not what he is trying to do.

Also, it won't work. The wildcard mask must be a multiple of two minus 1 (for example wildcard = .1, .3, .7, .15, .31 ... , .127 etc.)

Re: How to define a part of subnet in ACL?

Hello SludnevTN,

Sure, there are a lot of other ways.

ergonullu posted one of them, but he missed one letter. For example, if you want to allow a complete network to get access to an ACL you can use

permit 192.168.80.0 0.0.0.255

With that rule it means 192.168.80.0/24, afaik. For more details check the IOS Manual. Just another piece of information:

R1(config)#access-list ?

<1-99> IP standard access list

<100-199> IP extended access list

Access lists with numbers between 1-99 are more or less limited in features.

When you want to filter by protocols like TCP/UDP or by source/destination IP address, then extended access lists are what you need. Maybe you should know it.

R1(config)#access-list 105 permit ?

<0-255> An IP protocol number

ahp Authentication Header Protocol

esp Encapsulation Security Payload

gre Cisco's GRE tunneling

icmp Internet Control Message Protocol

igmp Internet Gateway Message Protocol

ip Any Internet Protocol

ipinip IP in IP tunneling

nos KA9Q NOS compatible IP over IP tunneling

pcp Payload Compression Protocol

tcp Transmission Control Protocol

udp User Datagram Protocol

R1(config)#access-list 105 permit

I hope this helps.

Re: How to define a part of subnet in ACL?

Yup...but be careful how you post your questions. I think the /24 confused a lot of people above, they thought you wanted to block the entire /24 instead of the specific hosts. Anyway...

ip access-list standard PAT

deny 192.168.80.192 0.0.0.7

permit 192.168.80.192 0.0.0.63

This was an easy example, but the idea is you must find ways to break them down on boundaries of the multiples of two.

Hope this helps,

Ryan
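As an added worked example (not posted by anyone in this thread), the script below does two things the replies describe by hand: it applies the bitwise wildcard test to show which hosts "192.168.80.0 0.0.0.55" really matches, and it splits an arbitrary host range such as .200-.254 into the power-of-two aligned blocks whose hostmask is exactly the wildcard mask, rendering them as standard ACL lines. The ACL name PAT and the sample addresses come from the question; the function names are my own.

```python
import ipaddress

def acl_matches(ip, base, wildcard):
    """Cisco wildcard test: a 0 bit in the wildcard means 'must equal base',
    a 1 bit means 'don't care'. Evaluated over the whole 32-bit address."""
    ip_i = int(ipaddress.ip_address(ip))
    base_i = int(ipaddress.ip_address(base))
    wc_i = int(ipaddress.ip_address(wildcard))
    return ((ip_i ^ base_i) & ~wc_i & 0xFFFFFFFF) == 0

def matched_fourth_octets(base, wildcard):
    """List the hosts in base's /24 that 'base wildcard' matches, so a
    non-contiguous mask like 0.0.0.55 can be inspected before deployment."""
    prefix = ".".join(base.split(".")[:3])
    return [h for h in range(256) if acl_matches(f"{prefix}.{h}", base, wildcard)]

def wildcard_entries(first, last):
    """Split the contiguous range first..last into the fewest aligned
    power-of-two blocks; each block's hostmask is its wildcard mask."""
    blocks = ipaddress.summarize_address_range(ipaddress.ip_address(first),
                                               ipaddress.ip_address(last))
    return [(str(net.network_address), str(net.hostmask)) for net in blocks]

def standard_acl(name, first, last, action="permit"):
    """Render a named standard ACL covering exactly first..last."""
    lines = [f"ip access-list standard {name}"]
    for addr, wc in wildcard_entries(first, last):
        if wc == "0.0.0.0":
            lines.append(f" {action} host {addr}")   # single address
        else:
            lines.append(f" {action} {addr} {wc}")
    return lines

if __name__ == "__main__":
    # The 0.0.0.55 suggestion: 32 scattered hosts, including .1, not .200-.254
    print(matched_fourth_octets("192.168.80.0", "0.0.0.55"))
    # Exact cover of 192.168.80.200-254 in seven lines instead of 55
    print("\n".join(standard_acl("PAT", "192.168.80.200", "192.168.80.254")))
```

For the range in the question the exact cover is seven lines (wildcards 7, 15, 15, 7, 3, 1 and a single host); Ryan's deny-then-permit pair is shorter but also admits .255.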
