Andy and Edward are both correct.  It would be much easier if you were trying to
block addresses that fall on specific subnet boundaries.  To specifically block
your range 192.168.100.100 - 192.168.100.254 you would need:

The basic concept of access list wildcard masks is that any 0 in the mask
means the address bit has to match, and any 1 in the mask means you don't
care.

access-list 1 permit 192.168.100.255 0.0.0.0   <--- allow broadcast
access-list 1 deny 192.168.100.128 0.0.0.127   <--- deny hosts 128 through 254 (255 already permitted above)
access-list 1 deny 192.168.100.112 0.0.0.15    <--- deny hosts 112 - 127
access-list 1 deny 192.168.100.104 0.0.0.7     <--- deny hosts 104 - 111
access-list 1 deny 192.168.100.100 0.0.0.3     <--- deny hosts 100 - 103
access-list 1 permit any                        <--- allow everything else

So in binary terms, the deny statements look like this:

     192 . 168 . 100 . 128
      Address  1 1 0 0 0 0 0 0 . 1 0 1 0 1 0 0 0 . 0 1 1 0 0 1 0 0 . 1 0 0 0 0 0 0 0
      Wildcard 0 0 0 0 0 0 0 0 . 0 0 0 0 0 0 0 0 . 0 0 0 0 0 0 0 0 . 0 1 1 1 1 1 1 1
     0 . 0 . 0 . 127

     192 . 168 . 100 . 112
      Address  1 1 0 0 0 0 0 0 . 1 0 1 0 1 0 0 0 . 0 1 1 0 0 1 0 0 . 0 1 1 1 0 0 0 0
      Wildcard 0 0 0 0 0 0 0 0 . 0 0 0 0 0 0 0 0 . 0 0 0 0 0 0 0 0 . 0 0 0 0 1 1 1 1
     0 . 0 . 0 . 15

     192 . 168 . 100 . 104
      Address  1 1 0 0 0 0 0 0 . 1 0 1 0 1 0 0 0 . 0 1 1 0 0 1 0 0 . 0 1 1 0 1 0 0 0
      Wildcard 0 0 0 0 0 0 0 0 . 0 0 0 0 0 0 0 0 . 0 0 0 0 0 0 0 0 . 0 0 0 0 0 1 1 1
     0 . 0 . 0 . 7

     192 . 168 . 100 . 100
      Address  1 1 0 0 0 0 0 0 . 1 0 1 0 1 0 0 0 . 0 1 1 0 0 1 0 0 . 0 1 1 0 0 1 0 0
      Wildcard 0 0 0 0 0 0 0 0 . 0 0 0 0 0 0 0 0 . 0 0 0 0 0 0 0 0 . 0 0 0 0 0 0 1 1
     0 . 0 . 0 . 3



Then you apply the access list to the interface like so..

interface Ethernet0
  ip access-group 1 out  <--- apply access-list 1 outbound (the default when no direction is given)


Hope this helps...

Scott McClure, CCNP, CCDA, MCNE
--

When I disagree with a rational man, I let reality be our final arbiter; If
I am right, he will learn, If I am wrong, I will; one of us will win, but
both of us will profit.
                                                 - John Galt
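As an added example, not part of Scott's post or of any other message in this thread: a Python script that carries the wildcard-mask decomposition described above through for an arbitrary range (the general algorithm of which the post shows one instance), and simulates first-match standard-ACL evaluation so you can check what a list really denies before it goes on an interface. The function names and the simulator are mine; the two ACLs embedded in it are transcribed from the lists posted in this thread.

```python
import ipaddress
from typing import List, Tuple

# Added example (not from the original post): decompose an IPv4 range into
# wildcard-mask blocks and simulate how a standard ACL evaluates them.
# Function names are my own; the ACL entries below are transcribed from the thread.

Entry = Tuple[str, str, str]            # (action, address, wildcard)
ANY = ("0.0.0.0", "255.255.255.255")    # what "permit any" expands to


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def range_to_wildcards(first: str, last: str) -> List[Tuple[str, str]]:
    """Split an inclusive range into the fewest aligned (address, wildcard) blocks.

    In a wildcard mask a 0 bit must match the address and a 1 bit is ignored,
    so each block is a power-of-two range whose start is aligned to its size.
    """
    cur, end = _ip(first), _ip(last)
    if cur > end:
        raise ValueError("first address must not be above last")
    blocks = []
    while cur <= end:
        size = 1
        # Grow while the start stays aligned (the lowest set bit of cur bounds this)...
        while size * 2 <= (1 << 32) and cur % (size * 2) == 0:
            size *= 2
        # ...then shrink until the block does not run past the end of the range.
        while cur + size - 1 > end:
            size //= 2
        blocks.append((_dotted(cur), _dotted(size - 1)))
        cur += size
    return blocks


def wildcard_match(host: str, address: str, wildcard: str) -> bool:
    """True when host and address agree on every bit the wildcard marks as 0."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(host) ^ _ip(address)) & care == 0


def acl_action(acl: List[Entry], host: str) -> str:
    """Standard ACL semantics: first matching entry wins; implicit deny at the end."""
    for action, address, wildcard in acl:
        if wildcard_match(host, address, wildcard):
            return action
    return "deny"


def denied_last_octets(acl: List[Entry], prefix: str = "192.168.100.") -> List[int]:
    """Every host of a /24 that the list denies, by last octet, so a range can be eyeballed."""
    return [n for n in range(256) if acl_action(acl, f"{prefix}{n}") == "deny"]


def exact_acl(first: str, last: str) -> List[Entry]:
    """Deny exactly first..last without relying on an earlier permit, then permit the rest."""
    acl: List[Entry] = [("deny", a, w) for a, w in range_to_wildcards(first, last)]
    acl.append(("permit", *ANY))
    return acl


def render(acl: List[Entry], number: int = 1) -> str:
    """Lay the list out in IOS 'access-list N action address wildcard' form."""
    lines = []
    for action, address, wildcard in acl:
        if (address, wildcard) == ANY:
            lines.append(f"access-list {number} {action} any")
        else:
            lines.append(f"access-list {number} {action} {address} {wildcard}")
    return "\n".join(lines)


# Scott's list from above: permit .255 first so the 128/0.0.0.127 deny can stop at .254.
POSTED_ACL: List[Entry] = [
    ("permit", "192.168.100.255", "0.0.0.0"),
    ("deny", "192.168.100.128", "0.0.0.127"),
    ("deny", "192.168.100.112", "0.0.0.15"),
    ("deny", "192.168.100.104", "0.0.0.7"),
    ("deny", "192.168.100.100", "0.0.0.3"),
    ("permit", *ANY),
]

# The shorter list quoted further down the thread (96/0.0.0.31, then 128/0.0.0.127).
QUOTED_ACL: List[Entry] = [
    ("permit", "192.168.100.255", "0.0.0.0"),
    ("deny", "192.168.100.96", "0.0.0.31"),
    ("deny", "192.168.100.128", "0.0.0.127"),
    ("permit", *ANY),
]

if __name__ == "__main__":
    print(render(POSTED_ACL))
    denied = denied_last_octets(POSTED_ACL)
    print("posted list denies .%d through .%d" % (denied[0], denied[-1]))
    print(render(exact_acl("192.168.100.100", "192.168.100.254")))
    print("quoted list starts denying at .%d" % denied_last_octets(QUOTED_ACL)[0])
```

Running the simulator on the posted list confirms it denies exactly .100 through .254 and nothing else. Without the leading permit for .255, the exact decomposition needs ten deny entries instead of four, because .254 is not the top of any aligned block; that is the cost of a range that does not fall on a subnet boundary. The same check on the quoted shorter list shows its 96/0.0.0.31 entry also catches .96 through .99, which is the kind of overreach worth catching before the list is applied.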



"Joseph H Marti" <[EMAIL PROTECTED]> wrote in message
news:918b5e$7qs$[EMAIL PROTECTED]...
> Caslow's book Cisco Certification ISBN 0-13-082537-9 pp877-679 contains an
> access-list algorithm -- can be improved. Following may work for your
> example to block 192.168.100.100 - 192.168.100.254
>
> permit 192.168.100.255   0.0.0.0   -- broadcast
> deny 192.168.100.96      0.0.0.31  -- 96->127
> deny 192.168.100.128     0.0.0.127 -- 129->255
> permit any -- all other
>
> "Andy Walden" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> >
> > You can do it based on subnet. If you could narrow down the largest legal
> > subnet in the block of IPs you wanted to deny, then block the leftover
> > ones with a smaller subnet or individuals. Good planning and design says
> > things like this should fall on subnet lines.
> >
> > andy
> >
> > On Wed, 13 Dec 2000, Edward Gomez wrote:
> >
> > > Hi all,
> > >
> > > I was just wondering, is there a way to specify a range of IP addresses
> > > in an access list? Say for instance that I am using an RFC1700 address
> > > 192.168.100.0/24 and I want to block IP addresses 192.168.100.100 -
> > > 192.168.100.254 from going out to 0.0.0.0. Do I have to manually do 154
> > > separate entries in the access list?
> > >
> > > Thanks in advance!
> > >
> > > Eddie
> > >
> > > ----------
> > > Edward J. Gomez, MCSE, CNE, CCNA
> > > Information Systems Manager
> > > ProxyMed, Inc
> > > 2555 Davie Road,
> > > Suite 110
> > > Fort Lauderdale, Florida 33317
> > > (954) 473-1001 x315
> > > http://www.proxymed.com
> > >
> > > _________________________________
> > > FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
> > > Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
> > >
> >
> >
>
>
>

