Access listing 101 for dummies

bradlesliect
Level 1

Hi

access-list 107 deny ip 172.18.44.0 0.0.0.255 172.18.16.0 0.0.1.255

access-list 107 permit ip 172.18.44.0 0.0.0.255 172.20.96.0 0.0.3.255

I see this access list on a router. Which networks and how many networks does 172.18.44.0 have access to?


lgijssel
Level 9

Your acl can be shortened to one line:

access-list 107 permit ip 172.18.44.0 0.0.0.255 172.20.96.0 0.0.3.255

This will allow access to the IP address range from 172.20.96.0 to 172.20.99.255.

All else is implicitly denied and hence the first line has no use.

Regards,

Leo

OK... so if I need to allow access from 172.18.44.0 to 172.20.160.192-255, would the access list look something like this:

access-list 107 permit ip 172.18.44.0 0.0.0.255 172.20.96.192 255.255.255.192

??

I could never get the gist of subnetting.

Hi,

ACLs use INVERSE masks. So the correct statement would be:

access-list 107 permit ip 172.18.44.0 0.0.0.255 172.20.96.192 0.0.0.63

Regards, Martin

I need to allow access to hosts on 172.20.164.192-255

Would the access list look something like this:

access-list 107 permit ip 172.18.44.0 0.0.0.255 172.20.164.192 0.0.0.63

Perfect!

This would be the correct ACL line to achieve your goal. Just make sure the ACL is applied in the right direction (in or out) keeping in mind that the first part describes source IPs and the second part describes destination IPs in the IP packets.

Regards, Martin

Amit Singh
Cisco Employee

Here is the host range address that has access to 172.18.44.0 as per the ACL above.

172.20.96.1 - 172.20.99.254, and it can have a maximum of 64 networks.

Please use the IP subnet calculator to calculate the same.

http://www.subnet-calculator.com/subnet.php?net_class=B

HTH,

-amit singh

mheusinger
Level 10

Hello,

Every ACL has an implicit deny any any invisible as last statement. So if this is the full ACL then 172.18.44.0/24 can access any destination IP from 172.20.96.0 to 172.20.99.255 inclusive.

Be aware that ACLs are used for different purposes (like for NAT). So depending on how it is used, connectivity might be restricted to the addresses above or not restricted at all.

To judge the real impact we would need a configuration excerpt with all references to this ACL.

[edit]: the number of networks and which networks cannot be concluded from the ACL. This will depend on your IP environment and which subnetting is in use. This way you could have access to one network 172.20.96.0/22, or to 4 networks 172.20.96.0/24, 172.20.97.0/24, 172.20.98.0/24, 172.20.99.0/24, or to 255 networks with mask /30, or combinations thereof.

Regards, Martin

hardiklodhia
Level 1

hi,

these networks...

172.20.96.0

172.20.97.0

172.20.98.0

172.20.99.0

How..

96=00000110 in binary

now the wildcard is 3, which means the first and second bits should be ignored..

so possibilities..

00 000110=96

10 000110=97

01 000110=98

11 000110=99

hope this will help.

Regards,
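The wildcard-mask arithmetic discussed in this thread (inverse mask, covered range, which /24 or /30 networks fall inside a range) and the first-match-then-implicit-deny evaluation, as an added example in Python that is not code from any of the posters. It converts a subnet mask to a wildcard, reports the address range a wildcard covers, enumerates the networks of a chosen prefix length inside that range, evaluates a source/destination pair against ACL 107 with the implicit deny at the end, and flags deny entries that no later permit could override. The ACL entries are the two lines posted in the thread; the sample addresses fed to it are constructed for illustration.

```python
from __future__ import annotations

import ipaddress

# ACL 107 as posted in the thread: (action, source spec, destination spec) in the
# IOS "address wildcard" form. A 1 bit in the wildcard means "ignore this bit".
ACL_107 = [
    ("deny",   "172.18.44.0 0.0.0.255", "172.18.16.0 0.0.1.255"),
    ("permit", "172.18.44.0 0.0.0.255", "172.20.96.0 0.0.3.255"),
]

ALL_ONES = 0xFFFFFFFF


def ip_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def int_ip(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def subnet_mask_to_wildcard(mask: str) -> str:
    """255.255.255.192 -> 0.0.0.63: the wildcard is the bitwise inverse of the mask."""
    return int_ip(ip_int(mask) ^ ALL_ONES)


def parse_spec(spec: str) -> tuple[int, int]:
    """'172.20.96.0 0.0.3.255' -> (base, wildcard) as ints; also 'any' and 'host X'."""
    parts = spec.split()
    if parts == ["any"]:
        return 0, ALL_ONES
    if parts[0] == "host":
        return ip_int(parts[1]), 0
    base, wild = parts
    return ip_int(base), ip_int(wild)


def matches(ip: str, spec: str) -> bool:
    """An address matches when every bit NOT covered by the wildcard equals the base."""
    base, wild = parse_spec(spec)
    return (ip_int(ip) ^ base) & ~wild & ALL_ONES == 0


def covered_range(spec: str) -> tuple[str, str]:
    """Lowest and highest address a contiguous wildcard (e.g. 0.0.3.255) covers."""
    base, wild = parse_spec(spec)
    if (wild + 1) & wild:  # 1 bits not all at the low end, e.g. 0.0.1.0
        raise ValueError("non-contiguous wildcard does not describe a single range")
    return int_ip(base & ~wild & ALL_ONES), int_ip(base | wild)


def subnets_within(spec: str, prefixlen: int) -> list[str]:
    """Enumerate the /prefixlen networks inside a contiguous wildcard range.
    Which of them are real networks is a property of the addressing plan, not the ACL."""
    low, high = covered_range(spec)
    size = ip_int(high) - ip_int(low) + 1          # always a power of two here
    block = ipaddress.IPv4Network(f"{low}/{32 - (size.bit_length() - 1)}")
    return [str(n) for n in block.subnets(new_prefix=prefixlen)]


def acl_decision(acl: list[tuple[str, str, str]], src: str, dst: str) -> str:
    """First matching entry wins; no match falls through to the implicit 'deny ip any any'."""
    for action, src_spec, dst_spec in acl:
        if matches(src, src_spec) and matches(dst, dst_spec):
            return action
    return "deny"


def specs_overlap(a: str, b: str) -> bool:
    """Two specs share at least one address iff the bits fixed in both are equal."""
    base_a, wild_a = parse_spec(a)
    base_b, wild_b = parse_spec(b)
    return (base_a ^ base_b) & ~wild_a & ~wild_b & ALL_ONES == 0


def redundant_denies(acl: list[tuple[str, str, str]]) -> list[int]:
    """Indices of deny entries that no later permit could override. Because the ACL ends
    in an implicit deny, removing such an entry does not change any decision."""
    redundant = []
    for i, (action, src_spec, dst_spec) in enumerate(acl):
        if action != "deny":
            continue
        if not any(act == "permit" and specs_overlap(src_spec, ps) and specs_overlap(dst_spec, pd)
                   for act, ps, pd in acl[i + 1:]):
            redundant.append(i)
    return redundant


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the thread.
    print(subnet_mask_to_wildcard("255.255.255.192"))
    print(covered_range("172.20.164.192 0.0.0.63"))
    print(subnets_within("172.20.96.0 0.0.3.255", 24))
    print(len(subnets_within("172.20.96.0 0.0.3.255", 30)), "/30 networks")
    print(acl_decision(ACL_107, "172.18.44.10", "172.20.97.5"))
    print(acl_decision(ACL_107, "172.18.44.10", "172.20.100.1"))
    print("redundant deny entries:", redundant_denies(ACL_107))
```

`redundant_denies` is the mechanical form of the "first line has no use" observation: a deny whose source and destination never overlap any later permit only pre-empts the implicit deny that would have caught the packet anyway. Note that this says nothing about direction; whether `172.18.44.0/24` is the source or the destination of the traffic you care about still depends on the interface and direction the ACL is applied to.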
