Question about access-list and ip addressing

gilson_machado
Level 1

I have an access list (101) with a gap in an IP address range:

access-list 101 permit ip 167.22.149.32 0.0.0.15 10.228.0.0 0.0.255.255

access-list 101 permit ip 167.22.149.64 0.0.0.15 10.228.0.0 0.0.255.255

I want to have the ip address range contiguous from .149.32 to .149.85. Is that correct if I apply the following access-list, replacing the old one?

access-list 101 permit ip 167.22.149.32 0.0.0.53 10.228.0.0 0.0.255.255

OR...

Do I have to prepare the access list divided by ip address blocks, like below?

access-list 101 permit ip 167.22.149.32 0.0.0.31 10.228.0.0 0.0.255.255 <== 32 - 63

access-list 101 permit ip 167.22.149.64 0.0.0.15 10.228.0.0 0.0.255.255 <== 64 - 79

access-list 101 permit ip 167.22.149.80 0.0.0.3 10.228.0.0 0.0.255.255 <== 80 - 83

access-list 101 permit ip 167.22.149.84 0.0.0.1 10.228.0.0 0.0.255.255 <== 84 - 85

!

Thanks

Gilson

2 Accepted Solutions


nihal.akbulut
Level 1

Hi,

Subnet masks are 1 for all network bits and 0 for all host bits, and wildcards are the values that complete the mask value to 255. For example, if you have mask 255.255.255.240 (it makes 14 IP hosts for each subnet) your wildcard will be 0.0.0.15, or if you have subnet mask 255.255.255.224 (it makes 30 IP hosts for each subnet) your wildcard will be 0.0.0.31.

The range you wanted is 32-63, 64-85, so your access-list already covers the address range you want. The first line is from 149.32 to 149.63, the second line is from 149.64 to 149.85.

Or maybe I misunderstood what you want..

Hope this helps..


Harold Ritter
Cisco Employee

Your first option won't give you the expected results. The 0.0.0.53 mask is not simply added to the network address 167.22.149.32 but rather used as a mask to indicate which bits to care or not care about.

The binary mask would look something like this:

0000 0000.0000 0000.0000 0000.0011 0101

where 0 means care and 1 means don't care (wildcard).

If you apply that combination as such, you would get the following addresses permitted:

167.22.149.0-1,4-5,16-17,20-21,32-33,36-37,48-49,53-53

As you can see, not quite what you expected.

Your second option is the way to go.

Hope this helps,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

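Two things in this thread can be checked mechanically rather than by hand: what a given address/wildcard pair actually matches (the expansion of 167.22.149.32 0.0.0.53 in Harold's answer) and how a contiguous range such as .32-.85 splits into the aligned power-of-two blocks of Gilson's second option. The Python below is an added example, not code from the thread or from Cisco; the ACL number, destination and addresses are the ones from the question, and the function names are my own. It also shows why the original two lines left a gap: 0.0.0.15 on .32 matches only .32-.47.

```python
import ipaddress

# Constructed inputs taken from the thread: source block 167.22.149.32 with the
# proposed wildcard 0.0.0.53, and the wanted contiguous range .32 to .85.


def matched_addresses(address: str, wildcard: str) -> list[str]:
    """Return every IPv4 address matched by an ACE's address/wildcard pair.

    A wildcard bit of 1 means "don't care": that bit may be 0 or 1.
    A wildcard bit of 0 means "care": that bit must equal the address bit.
    """
    addr = int(ipaddress.IPv4Address(address))
    wc = int(ipaddress.IPv4Address(wildcard))
    base = addr & ~wc & 0xFFFFFFFF  # the bits that must match
    free_bits = [i for i in range(32) if (wc >> i) & 1]  # positions free to vary
    result = []
    for combo in range(1 << len(free_bits)):
        value = base
        for k, bit in enumerate(free_bits):
            if (combo >> k) & 1:
                value |= 1 << bit
        result.append(value)
    return [str(ipaddress.IPv4Address(v)) for v in sorted(result)]


def last_octet_ranges(addresses: list[str]) -> list[str]:
    """Collapse a list of addresses into 'a-b' ranges of the last octet."""
    octets = sorted(int(a.rsplit(".", 1)[1]) for a in addresses)
    ranges = []
    start = prev = octets[0]
    for o in octets[1:]:
        if o == prev + 1:
            prev = o
            continue
        ranges.append(f"{start}-{prev}")
        start = prev = o
    ranges.append(f"{start}-{prev}")
    return ranges


def range_to_aces(first: str, last: str,
                  dst: str = "10.228.0.0 0.0.255.255", acl: int = 101) -> list[str]:
    """Split a contiguous address range into the fewest aligned wildcard blocks.

    A single wildcard can only express a block whose size is a power of two and
    whose start is a multiple of that size, so the range is consumed greedily
    with the largest block that fits at the current position.
    """
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    aces = []
    while lo <= hi:
        size = 1
        # grow the block while it stays aligned and still fits inside the range
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        net = ipaddress.IPv4Address(lo)
        wc = ipaddress.IPv4Address(size - 1)
        aces.append(f"access-list {acl} permit ip {net} {wc} {dst}")
        lo += size
    return aces


if __name__ == "__main__":
    print("0.0.0.53 on .32 matches:",
          ", ".join(last_octet_ranges(matched_addresses("167.22.149.32", "0.0.0.53"))))
    print("original first line matches:",
          ", ".join(last_octet_ranges(matched_addresses("167.22.149.32", "0.0.0.15"))))
    for line in range_to_aces("167.22.149.32", "167.22.149.85"):
        print(line)
```

`range_to_aces` reproduces the four lines of the second option exactly (32-63, 64-79, 80-83, 84-85), which is the minimum number of entries for that range; `matched_addresses` is the check to run before trusting any hand-derived wildcard, since a wildcard with scattered 1 bits matches a scattered set of hosts, not a contiguous range.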
