04-27-2007 08:26 AM - edited 03-03-2019 04:44 PM
I have to block 10.8.19.150 to 10.8.19.250 for internet, what mask should i use.
04-27-2007 09:14 AM
Arun
trying to block the range of hosts from 150 to 250 is not a simple task and requires a combination of statements with different masks to include that specific range. It works out like this:
deny 10.8.19.150 0.0.0.1
deny 10.8.19.152 0.0.0.7
deny 10.8.19.160 0.0.0.31
deny 10.8.19.192 0.0.0.31
deny 10.8.19.224 0.0.0.15
deny 10.8.19.240 0.0.0.7
deny 10.8.19.248 0.0.0.1
deny 10.8.19.250 0.0.0.0
This will cover exactly the range from 150 to 250.
HTH
Rick
04-27-2007 09:17 AM
Rick,
I'm glad we used the same maths. It would have been pretty embarassing otherwise ;-)
Cheers,
04-27-2007 09:39 AM
Indeed it would have ;)
Cheers
04-27-2007 09:49 AM
Thanks for replying.
04-27-2007 09:14 AM
Arun,
If you only want to deny access to hosts between 10.8.19.150 to 250 inclusively and nothing else then this cannot be done with one statement, you could use something like this:
access-list 1 deny 10.8.19.150 0.0.0.1
access-list 1 deny 10.8.19.152 0.0.0.7
access-list 1 deny 10.8.19.160 0.0.0.31
access-list 1 deny 10.8.19.192 0.0.0.31
access-list 1 deny 10.8.19.224 0.0.0.15
access-list 1 deny 10.8.19.240 0.0.0.7
access-list 1 deny 10.8.19.248 0.0.0.1
access-list 1 deny 10.8.19.250 0.0.0.0
access-list 1 permit any
Hope this helps,
04-27-2007 11:34 AM
dear sir...why cant we use the mask deny 10.8.19.150 0.0.0.100 so tht all hosts from 10.8.19.150 tupto 10.2.19.250 get blocked..??
04-27-2007 12:07 PM
The 0.0.0.100 doesn't mean the next 100 hosts.
Access-lists use a reverse bit mask (wildcard mask) to determine the address range. A reverse bit mask is a binary mask where one values mean "do not care".
So for instance, 10.8.19.0 0.0.0.255 represents the range 10.8.19.0 to 10.8.19.255 as we do not care what is the value of the last octect.
10.8.19.150 0.0.0.1 represente range 10.8.19.150 to 10.8.19.151 as we do not care about the last bit in this example.
Hope this helps,
04-27-2007 12:10 PM
Your question implies that the mask is a count of how many addresses to apply to. But that is not how the mask works. In access list masks the numbers given are converted into binary and each digit where there is a binary zero is a bit that must match in the address. So the mask of 0.0.0.100 would not match from 150 to 250.
HTH
Rick
04-27-2007 12:16 PM
Jai,
Have a look at this ACL wild card mask tutorial and see if it makes sense.
http://www.2000trainers.com/cisco-ccna-09/ccna-access-list-wildcard-mask/
After reading this if you still have any further questions just give us a shout.
HTH
Sundar
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: