Solved

Cisco ACL Permit Range

Posted on 2006-10-24
3
1,317 Views
Last Modified: 2008-01-09
Hi,

I want to permit all traffic to the following IP range: 10.20.16.10 - 10.20.16.13 - what entry would i add to an acl?

I have tried permit ip 10.20.16.10 *.*.*.* any but am unsure how to calculate the *.*.*.*.

Mike
0
Comment
Question by:Barnardos_2LS
  • 2
3 Comments
 
LVL 79

Expert Comment

by:lrmoore
Comment Utility
permit ip 10.20.16.8 0.0.0.7 any

This will include hosts 10.20.16.9 - .14

You would have to exclude .9 and .14 explicitly:
deny ip host 10.20.16.9 any
deny ip host 10.20.16.14 any
permit ip 10.20.16.8 0.0.0.7 any

The mask is a wildcard mask instead of subnet mask.
Take the subnet mask that you would calculate to include the addresses that you want and subtract from 255.255.255.255
Example:
                   255.255.255.255
10.20.16.8  - 255.255.255.248
                       0 .   0.   0.   7 = wildcard mask ( or more accurately, and 'inverse' mask)


0
 
LVL 1

Author Comment

by:Barnardos_2LS
Comment Utility
Is their any way around having to exclude .9 and .14 explicitly?
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 125 total points
Comment Utility
No. Masks only go so far. You have to break up into maskable "chunks"
The only mask that will include 10 - 13 is 255.255.255.248
10.20.16.8 / 30 only includes .9 and .10 with .11 as broadcast
10.20.16.12 / 30 only includes .13 and .14 with .15 as broadcast
The only way to get both 10 and 13 in the same mask is to go one bit back to .29
10.20.16.8 / 29 includes .9 through .14 with .15 as broadcast
With wildcard masks you can do even/odd numbers, but that still wouldn't give you the desired results to include 10, 11, 12 and 13
Your other option is to explicitly include each of the 4 IP's and all others are blocked by the implicit deny all
 permit ip host 10.20.16.10 any
 permit ip host 10.20.16.11 any
 permit ip host 10.20.16.12 any
 permit ip host 10.20.16.13 any
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

New Server 172.16.200.2  was moved from behind Router R2 f0/1 to behind router R1 int f/01 and has now address 172.16.100.2. But we want users still to be able to connected to it by old IP. How to do it ? We can used destination NAT (DNAT).  In DNAT…
I have seen some questions on problems with SSH/telnet access to Cisco routers that may occur despite the fact that from a PC connected to your LAN, Internet connectivity is in place and users can access Internet sites without any issues.  There are…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now