Cisco Support Community
New Member

Access listing 101 for dummies

Hi

access-list 107 deny ip 172.18.44.0 0.0.0.255 172.18.16.0 0.0.1.255

access-list 107 permit ip 172.18.44.0 0.0.0.255 172.20.96.0 0.0.3.255

I see this access list on a router. Which networks and how many networks does 172.18.44.0 have access to?

8 REPLIES

Re: Access listing 101 for dummies

Your acl can be shortened to one line:

access-list 107 permit ip 172.18.44.0 0.0.0.255 172.20.96.0 0.0.3.255

This will allow access to the IP address range from 172.20.96.0 to 172.20.99.255

All else is implicitly denied and hence the first line has no use.

Regards,

Leo

New Member

Re: Access listing 101 for dummies

OK ... so if I need to allow access from 172.18.44.0 to 172.20.160.192-255, would the access list look something like this:

access-list 107 permit ip 172.18.44.0 0.0.0.255 172.20.96.192 255.255.255.192

??

I could never get the gist of subnetting.

Re: Access listing 101 for dummies

Hi,

ACLs use INVERSE masks. So the correct statement would be:

access-list 107 permit ip 172.18.44.0 0.0.0.255 172.20.96.192 0.0.0.63

Regards, Martin

New Member

Re: Access listing 101 for dummies

I need to allow access to hosts on 172.20.164.192-255

Would the access list look something like this:

access-list 107 permit ip 172.18.44.0 0.0.0.255 172.20.164.192 0.0.0.63

Re: Access listing 101 for dummies

Perfect!

This would be the correct ACL line to achieve your goal. Just make sure the ACL is applied in the right direction (in or out) keeping in mind that the first part describes source IPs and the second part describes destination IPs in the IP packets.

Regards, Martin

Cisco Employee

Re: Access listing 101 for dummies

Here is the host range address that has access to 172.18.44.0 as per the ACL above.

172.20.96.1 - 172.20.99.254, and it can have a maximum of 64 networks.

Please use the IP subnet calculator to calculate the same.

http://www.subnet-calculator.com/subnet.php?net_class=B

HTH,

-amit singh

Re: Access listing 101 for dummies

Hello,

Every ACL has an implicit deny any any invisible as last statement. So if this is the full ACL then 172.18.44.0/24 can access any destination IP from 172.20.96.0 to 172.20.99.255 inclusive.

Be aware, that ACLs are used for different purposes (like for NAT). So depending on how it is used, connectivity might be restricted to the addresses above or not restricted at all.

To judge the real impact we would need a configuration excerpt with all references to this ACL.

[edit]: the number of networks and which networks can not be concluded from the ACL. This will depend on your IP environment and which subnetting is in use. This way you could have access to one network 172.20.96.0/22 or to 4 networks 172.20.96.0/24, 172.20.97.0/24, 172.20.98.0/24, 172.20.99.0/24 or to 255 networks with mask /30 or combinations thereof.

Regards, Martin

New Member

Re: Access listing 101 for dummies

hi,

these networks...

172.20.96.0

172.20.97.0

172.20.98.0

172.20.99.0

How..

96=00000110 in binary

now the wildcard bits are 3, which means the first and second bits should be ignored..

so possibilities..

00 000110=96

10 000110=97

01 000110=98

11 000110=99

hope this will help.

rgrds,
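To check the claims made in this thread (the range a wildcard mask covers, which /24s fall inside it, the redundant explicit deny, and what happens when a subnet mask is typed where a wildcard belongs), here is an added example that is not part of the original thread or of any Cisco tooling. It assumes only the two ACEs quoted in the question; the test addresses are constructed, and the ACL syntax it parses is limited to the `access-list <n> permit|deny ip <src> <wc> <dst> <wc>` form used above.

```python
import ipaddress

# Constructed copy of the two ACEs quoted in the question (source wc, destination wc).
ACL_107 = """
access-list 107 deny ip 172.18.44.0 0.0.0.255 172.18.16.0 0.0.1.255
access-list 107 permit ip 172.18.44.0 0.0.0.255 172.20.96.0 0.0.3.255
"""

# Leo's one-line version: explicit deny dropped, the implicit deny any any does the rest.
ACL_107_SHORT = """
access-list 107 permit ip 172.18.44.0 0.0.0.255 172.20.96.0 0.0.3.255
"""


def _int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _str(value: int) -> str:
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


def wildcard_from_mask(mask: str) -> str:
    """Invert a subnet mask into a Cisco wildcard mask: 255.255.255.192 -> 0.0.0.63."""
    return _str(~_int(mask))


def matches(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard bit 1 = don't care, 0 = must equal the corresponding network bit."""
    care = ~_int(wildcard) & 0xFFFFFFFF
    return (_int(addr) & care) == (_int(network) & care)


def wildcard_range(network: str, wildcard: str):
    """Lowest and highest address matched by network/wildcard. Only meaningful for a
    contiguous wildcard such as 0.0.3.255; a non-contiguous one matches a scattered set."""
    wc = _int(wildcard)
    low = _int(network) & (~wc & 0xFFFFFFFF)
    return _str(low), _str(low | wc)


def covered_subnets(network: str, wildcard: str, new_prefix: int):
    """List the /new_prefix networks inside a contiguous network/wildcard pair,
    e.g. the four /24s inside 172.20.96.0 0.0.3.255."""
    wc = _int(wildcard)
    if (wc + 1) & wc:
        raise ValueError("non-contiguous wildcard has no single prefix length")
    low, _ = wildcard_range(network, wildcard)
    block = ipaddress.ip_network(f"{low}/{32 - wc.bit_length()}")
    return [str(s) for s in block.subnets(new_prefix=new_prefix)]


def parse_acl(text: str):
    """Parse extended numbered ACEs of the form used in the thread:
    access-list <n> <permit|deny> ip <src> <src-wc> <dst> <dst-wc>."""
    entries = []
    for line in text.strip().splitlines():
        p = line.split()
        if len(p) != 8 or p[0] != "access-list" or p[3] != "ip":
            raise ValueError(f"unsupported ACE: {line}")
        entries.append((p[2], p[4], p[5], p[6], p[7]))
    return entries


def evaluate(acl, src: str, dst: str) -> str:
    """First matching ACE wins; falling off the end hits the implicit deny any any."""
    for action, snet, swc, dnet, dwc in acl:
        if matches(src, snet, swc) and matches(dst, dnet, dwc):
            return action
    return "deny"


if __name__ == "__main__":
    full, short = parse_acl(ACL_107), parse_acl(ACL_107_SHORT)
    print(wildcard_range("172.20.96.0", "0.0.3.255"))
    print(covered_subnets("172.20.96.0", "0.0.3.255", 24))
    for dst in ("172.20.97.5", "172.18.17.5", "172.20.100.1"):
        # Both ACLs give the same verdict: the explicit deny line is redundant.
        print(dst, evaluate(full, "172.18.44.10", dst), evaluate(short, "172.18.44.10", dst))
    # A subnet mask typed where a wildcard belongs: only the low six bits are compared,
    # so a host in an unrelated network whose last octet is 64 matches, while the
    # intended host 172.20.96.200 does not.
    print(matches("192.0.2.64", "172.20.96.192", "255.255.255.192"),
          matches("172.20.96.200", "172.20.96.192", "255.255.255.192"))
```

The last check is the one worth remembering from Martin's "INVERSE masks" reply: `255.255.255.192` used as a wildcard does not narrow the match to one /26, it tells the router to ignore the first 26 bits entirely, so the line permits traffic to addresses in networks the ACL was never meant to cover.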
