Cisco Support Community
New Member

access lists

Is there a way to combine hosts in an access list? I have a block of hosts/source IPs, but they are not consecutive numbers. I may have 1.2.3.4/5/6/7, then skip 8/9/10, have 11, then skip 12. This is tough when doing access lists. Or do I have to do a separate line for each host?

2 REPLIES

Re: access lists

One line per host is the easiest way. You can only group multiple hosts when the address range spans a power of two (or when you accept the overlap).

In the example above, you could group 1.2.3.4/5/6/7 in one line as follows:

access-list 1 permit 1.2.3.4 0.0.0.3

3 equals 2 + 1, so the last two bits of the IP are wildcard bits. In this way the line above matches 04 (0000.0100) up to 07 (0000.0111) as the last octet.

The first 30 bits have TO MATCH EXACTLY.

New Member

Re: access lists

It depends on how cunning and devious you are...

This is your big lesson in numbering a network with foresight. The best way is to renumber the hosts, but that may be easier said than done. If I were backed into a corner using your example, then I would do this...

access-list 1 remark Blocked Hosts as per example
access-list 1 deny 1.2.3.4 0.0.0.3
access-list 1 deny host 1.2.3.11
access-list 1 permit any

What I have done here is look at the binary representation of the last octet of the corresponding numbers:

4 = 0000 0100
5 = 0000 0101
6 = 0000 0110
7 = 0000 0111

As the first 6 bits are common to those numbers (and to everything else that I'm letting through), I'm going to let them through, but I'm going to mask off the last two bits:

0000 0011 = 3

That's how I came up with 1.2.3.4 0.0.0.3 in the first ACE.

As 1.2.3.11 is all by itself, it had to have its own entry.

Have a look at

http://www.cisco.com/warp/public/105/ACLsamples.html

http://www.cisco.com/warp/public/707/confaccesslists.html
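Both replies work the wildcard mask out by hand from the binary of the last octet. The script below is an added example, not code from either poster or from Cisco: it does the same aggregation mechanically for any list of hosts (collapsing only aligned power-of-two blocks, as the first reply describes), expands an "address wildcard" pair back into the addresses it actually hits so you can confirm an ACE does not overmatch, and renders the result in the numbered standard ACL syntax used above. The host list `HOSTS` is constructed from the question, and `render_acl` is a hypothetical helper, not an IOS feature. The expander also handles non-contiguous wildcard masks, which IOS accepts but which the aggregator never emits.

```python
import ipaddress

# Constructed sample input: the hosts from the question (1.2.3.4-7 and .11).
HOSTS = ["1.2.3.4", "1.2.3.5", "1.2.3.6", "1.2.3.7", "1.2.3.11"]


def aggregate_hosts(hosts):
    """Collapse host addresses into the fewest 'address wildcard' pairs that
    match exactly those hosts and nothing else.

    Only aligned power-of-two blocks can be merged (the rule the replies
    describe), so the result uses contiguous wildcard masks only.
    """
    networks = ipaddress.collapse_addresses(
        ipaddress.IPv4Network(h) for h in hosts
    )
    # A /30 has hostmask 0.0.0.3, a /32 has hostmask 0.0.0.0: the IOS wildcard.
    return [(str(n.network_address), str(n.hostmask)) for n in networks]


def ace_matches(address, wildcard):
    """Expand an 'address wildcard' ACE into the set of IPv4 addresses it hits.

    Wildcard bit 1 = don't care, 0 = must match exactly. Non-contiguous masks
    are expanded too, since IOS accepts them.
    """
    addr = int(ipaddress.IPv4Address(address))
    mask = int(ipaddress.IPv4Address(wildcard))
    fixed = addr & ~mask & 0xFFFFFFFF          # the bits that must match
    free_bits = [i for i in range(32) if (mask >> i) & 1]
    matched = set()
    for combo in range(1 << len(free_bits)):   # every setting of the free bits
        value = fixed
        for k, bit in enumerate(free_bits):
            if (combo >> k) & 1:
                value |= 1 << bit
        matched.add(str(ipaddress.IPv4Address(value)))
    return matched


def overmatch(hosts, address, wildcard):
    """Addresses an ACE would hit that are NOT in the intended host list.

    Non-empty means the ACE over-denies (or over-permits): the 'overlap' the
    first reply warns about.
    """
    extra = ace_matches(address, wildcard) - set(hosts)
    return sorted(extra, key=ipaddress.IPv4Address)


def render_acl(number, action, aces, final="permit any", remark=None):
    """Hypothetical helper: render numbered standard ACL lines in IOS syntax."""
    lines = []
    if remark:
        lines.append(f"access-list {number} remark {remark}")
    for addr, wc in aces:
        if wc == "0.0.0.0":
            lines.append(f"access-list {number} {action} host {addr}")
        else:
            lines.append(f"access-list {number} {action} {addr} {wc}")
    lines.append(f"access-list {number} {final}")
    return lines


if __name__ == "__main__":
    aces = aggregate_hosts(HOSTS)
    print("\n".join(render_acl(1, "deny", aces,
                               remark="Blocked Hosts as per example")))
    # Sanity check: every generated ACE matches only the intended hosts.
    for addr, wc in aces:
        assert not overmatch(HOSTS, addr, wc)
    # The lazy alternative, one ACE for the whole 1.2.3.0-15 block, overshoots:
    print("extra hosts hit by 1.2.3.0 0.0.0.15:",
          overmatch(HOSTS, "1.2.3.0", "0.0.0.15"))
```

Run it and the generated lines are the three deny/permit entries in the second reply; the `overmatch` check is the part worth keeping, because a mask that "almost" fits (here 0.0.0.15 to cover .4-.7 and .11 in one line) silently drags in eleven other addresses.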
