Cisco Support Community

New Member

Access-list

I have to block 10.8.19.150 to 10.8.19.250 from the internet. What mask should I use?

9 REPLIES
Hall of Fame Super Silver

Re: Access-list

Arun

Trying to block the range of hosts from 150 to 250 is not a simple task; it requires a combination of statements with different masks to cover that specific range. It works out like this:

deny 10.8.19.150 0.0.0.1

deny 10.8.19.152 0.0.0.7

deny 10.8.19.160 0.0.0.31

deny 10.8.19.192 0.0.0.31

deny 10.8.19.224 0.0.0.15

deny 10.8.19.240 0.0.0.7

deny 10.8.19.248 0.0.0.1

deny 10.8.19.250 0.0.0.0

This will cover exactly the range from 150 to 250.

HTH

Rick

Cisco Employee

Re: Access-list

Rick,

I'm glad we used the same maths. It would have been pretty embarrassing otherwise ;-)

Cheers,

Harold Ritter
Sr. Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México 
Paseo de la Reforma 222 Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
Hall of Fame Super Silver

Re: Access-list

Indeed it would have ;)

Cheers

New Member

Re: Access-list

Thanks for replying.

Cisco Employee

Re: Access-list

Arun,

If you only want to deny access to hosts between 10.8.19.150 and 10.8.19.250 inclusive and nothing else, this cannot be done with one statement. You could use something like this:

access-list 1 deny 10.8.19.150 0.0.0.1

access-list 1 deny 10.8.19.152 0.0.0.7

access-list 1 deny 10.8.19.160 0.0.0.31

access-list 1 deny 10.8.19.192 0.0.0.31

access-list 1 deny 10.8.19.224 0.0.0.15

access-list 1 deny 10.8.19.240 0.0.0.7

access-list 1 deny 10.8.19.248 0.0.0.1

access-list 1 deny 10.8.19.250 0.0.0.0

access-list 1 permit any

Hope this helps,

Harold Ritter
New Member

Re: Access-list

Dear sir, why can't we use the mask deny 10.8.19.150 0.0.0.100 so that all hosts from 10.8.19.150 up to 10.2.19.250 get blocked?

Cisco Employee

Re: Access-list

The 0.0.0.100 doesn't mean the next 100 hosts.

Access-lists use a reverse bit mask (wildcard mask) to determine the address range. A reverse bit mask is a binary mask where a one bit means "do not care".

So for instance, 10.8.19.0 0.0.0.255 represents the range 10.8.19.0 to 10.8.19.255, as we do not care what the value of the last octet is.

10.8.19.150 0.0.0.1 represents the range 10.8.19.150 to 10.8.19.151, as we do not care about the last bit in this example.

Hope this helps,

Harold Ritter
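Added example, not code from this thread or from Cisco: a short Python script that applies the wildcard-mask semantics Harold describes (a 1 bit means "do not care", a 0 bit must match), derives the eight deny entries Rick listed earlier in the thread from the range automatically (the greedy aligned-block split works for any IPv4 range, not just this one), checks by brute force that they match 10.8.19.150 through 10.8.19.250 and nothing else, and shows which addresses `10.8.19.150 0.0.0.100` really matches. All function names are hypothetical.

```python
from __future__ import annotations

import ipaddress

# Added illustration for the Cisco wildcard-mask discussion above; the
# function names are invented here, the range and /24 are from the thread.


def wildcard_matches(addr: str, base: str, wildcard: str) -> bool:
    """Apply Cisco wildcard-mask semantics to one address.

    A 1 bit in the wildcard means "do not care"; a 0 bit means the address
    bit must equal the corresponding bit of the base address.
    """
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF  # positions where the address must equal the base
    return (a & care) == (b & care)


def range_to_wildcards(first: str, last: str) -> list[tuple[str, str]]:
    """Split an inclusive address range into the fewest (base, wildcard)
    pairs that cover it exactly.

    Greedy walk from the bottom of the range: at each step take the largest
    power-of-two block that is aligned at the current address and still ends
    inside the range. Each block becomes one ACL entry.
    """
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError("first address must not be above last address")
    entries: list[tuple[str, str]] = []
    while lo <= hi:
        size = 1
        # Double the block while it stays aligned at lo and ends at or below hi.
        while lo % (size << 1) == 0 and lo + (size << 1) - 1 <= hi:
            size <<= 1
        entries.append((str(ipaddress.IPv4Address(lo)),
                        str(ipaddress.IPv4Address(size - 1))))
        lo += size
    return entries


def render_standard_acl(number: int, first: str, last: str) -> list[str]:
    """Render the deny entries for a range plus the closing 'permit any'."""
    lines = [f"access-list {number} deny {base} {wc}"
             for base, wc in range_to_wildcards(first, last)]
    lines.append(f"access-list {number} permit any")
    return lines


def addresses_matched(entries: list[tuple[str, str]], network: str) -> list[str]:
    """Every address in `network` that at least one (base, wildcard) entry matches.

    Brute-force check used to prove that a set of entries covers exactly the
    intended range and nothing else.
    """
    net = ipaddress.IPv4Network(network)
    return [str(a) for a in net
            if any(wildcard_matches(str(a), b, w) for b, w in entries)]


if __name__ == "__main__":
    for line in render_standard_acl(1, "10.8.19.150", "10.8.19.250"):
        print(line)
    wanted = [f"10.8.19.{i}" for i in range(150, 251)]
    got = addresses_matched(range_to_wildcards("10.8.19.150", "10.8.19.250"),
                            "10.8.19.0/24")
    print("exact cover:", got == wanted)
    # The mask from the follow-up question is not a host count:
    print("10.8.19.150 0.0.0.100 actually matches:",
          addresses_matched([("10.8.19.150", "0.0.0.100")], "10.8.19.0/24"))
```

Running it prints the same eight deny lines and `permit any` that Harold posted, and the brute-force check confirms they match exactly the 101 addresses from .150 to .250. The `0.0.0.100` mask matches only eight scattered addresses (.146, .150, .178, .182, .210, .214, .242 and .246): one of them, .146, is outside the range the poster wanted to block, and the other 93 hosts in the range stay unblocked. That is the practical reason to verify a wildcard mask by enumerating what it matches rather than by reading it as a count. A standard access-list such as `access-list 1` filters on source address only and does nothing until it is applied to an interface, for example `ip access-group 1 in` on the LAN-facing interface.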
Hall of Fame Super Silver

Re: Access-list

Your question implies that the mask is a count of how many addresses to apply to. But that is not how the mask works. In access-list masks the numbers given are converted into binary, and each bit position where the mask has a binary zero is a bit that must match in the address. So the mask of 0.0.0.100 would not match from 150 to 250.

HTH

Rick

Re: Access-list

Jai,

Have a look at this ACL wildcard-mask tutorial and see if it makes sense.

http://www.2000trainers.com/cisco-ccna-09/ccna-access-list-wildcard-mask/

After reading this if you still have any further questions just give us a shout.

HTH

Sundar
