ACL on a range of IP addresses

I want to include only a range of IP addresses, 10.10.0.101 to 10.10.0.254, in my ACL. Is there a tutorial on how to do this? Thanks
leblancAccountingAsked:

KimputerCommented:
You forgot to mention which router you are configuring right now.
leblancAccountingAuthor Commented:
Sorry. I am using a Cisco Catalyst 6509 switch
KimputerCommented:
I can only do this with 3 lists sadly, and also not in your exact range. Either expand it slightly (start at 10.10.0.108) or make the list shorter (start with 10.10.0.112, and don't use the 3rd list).
The access list has to be changed (maybe you wanted to use deny etc etc)

access-list 101 permit ip 10.10.0.128 0.0.0.127

// 10.10.0.128 - 254

access-list 102 permit ip 10.10.0.112  0.0.0.15

// 10.10.0.112 - 127

access-list 103 permit ip 10.10.0.108 0.0.0.3

// 10.10.0.108 - 111

leblancAccountingAuthor Commented:
How did you come up with the wildcard? Are there some bit patterns you need to play around with? Thx
KimputerCommented:
Because Cisco's ACLs are based on subnets and not on strings (like simpler routers, where you fill in a start and an end), you have to play around with the subnet mask, which is bound to rules.
Therefore, you either know the rules off the top of your head, or you use a subnet calculator (available as an online page).
JustInCaseCommented:
access-list 101 permit 10.10.10.101 0.0.0.0   // permit 101
access-list 101 permit 10.10.10.102 0.0.0.1   // permit 102 103
access-list 101 deny 10.10.10.96 0.0.0.7        // deny 96 - 103
access-list 101 permit 10.10.10.96 0.0.0.31   // permit 96 - 127 but previous statement blocks some addresses and since ACL is processed from top to bottom this will permit 104 - 127
access-list 101 permit 10.10.10.128 0.0.0.127 // permit 128 - 254

At the end of every ACL is an implicit deny all, so the permitted IP address range is 10.10.10.101 - 10.10.10.254.

subnetting tutorial - Cisco or video tutorials on YouTube
leblancAccountingAuthor Commented:
Can you remind me how you came up with the wildcard mask in 10.10.10.96 0.0.0.7? Thx
JustInCaseCommented:
2^0=1
2^1=2
2^2=4
2^3=8
2^4=16
2^5=32
2^6=64
2^7=128
2^8=256

Subnetting and wildcards - quick and dirty. :)
The network address is a decimal number multiplied by a base-2 number.
The wildcard is simply the same base-2 number minus 1.
12*8=96 network address
The base-2 number was 8 - the wildcard is 8-1=7
96 network
97 - 102 hosts
103 - broadcast

So that's 10.10.10.96 0.0.0.7

Next network: 13*8=104
leblancAccountingAuthor Commented:
Thank you for the explanation. The problem that I am having now is: what if I have hosts in the range between 97 and 102? They will not be allowed (see below). I am planning to apply this ACL on the WAN interface.

access-list 101 deny 10.10.10.96 0.0.0.7        // deny 96 - 103
access-list 101 permit 10.10.10.96 0.0.0.31   // permit 96 - 127 but previous statement blocks some
JustInCaseCommented:
Then you can do it this way

access-list 101 permit 10.10.10.101 0.0.0.0   // permit 101
access-list 101 permit 10.10.10.102 0.0.0.1   // permit 102 103
access-list 101 permit 10.10.10.104 0.0.0.7   // permit 104 - 111
access-list 101 permit 10.10.10.112 0.0.0.15   // permit 112 - 127
access-list 101 permit 10.10.10.128 0.0.0.127 // permit 128 - 254

:)
The same IP range is permitted - and there are no IP addresses that are denied.
JustInCaseCommented:
hosts in the range between 97 and 102
And also there was no problem for hosts in this range, only for the 6 IP addresses 96 - 100.
:)
The ACL is executed from top to bottom, so first 101 - 103 are permitted, and then that part of the range is denied; it will actually never check the third statement if either of the first two statements matched.
If two statements overlap and there is a match in the first statement, the second statement won't be reached. When the first match is found, it is game over. If there is no matching statement in the ACL, at the end of the ACL is an implicit deny any statement. So 96 - 100 are denied anyway in both cases, and both ACLs have exactly the same result.
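An added example, not posted by anyone in this thread, that does the two things the answers above work out by hand: it splits an inclusive range into aligned blocks whose wildcard is the block size minus 1, and it evaluates an ACL top to bottom with first-match and the implicit deny, so you can confirm that both of JustInCase's lists permit exactly the same hosts. Function names are my own; the ACL tuples carry only the source/wildcard pairs from the thread. It also makes one caveat visible: 10.10.10.128 0.0.0.127 matches 128 - 255, not 128 - 254, so stopping exactly at .254 needs more lines.

```python
import ipaddress

def range_to_wildcards(first, last):
    """Split an inclusive IPv4 range into the fewest (network, wildcard) pairs.
    Each pair is a power-of-two block aligned to its own size, so the wildcard
    is always "block size minus 1", the base-2 rule from the thread."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    entries = []
    while lo <= hi:
        size = 1
        # grow the block while it stays aligned at lo and inside the range
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        entries.append((str(ipaddress.IPv4Address(lo)),
                        str(ipaddress.IPv4Address(size - 1))))
        lo += size
    return entries

def acl_permits(acl, host):
    """Evaluate [(action, network, wildcard), ...] top to bottom like IOS:
    the first matching line decides, and no match means the implicit deny."""
    h = int(ipaddress.IPv4Address(host))
    for action, net, wc in acl:
        n = int(ipaddress.IPv4Address(net))
        w = int(ipaddress.IPv4Address(wc))
        if (h & ~w) == (n & ~w):   # 1-bits in the wildcard are "don't care"
            return action == "permit"
    return False                   # implicit deny any

def permitted_hosts(acl, network):
    """Every address in `network` that the ACL permits, in address order."""
    return [str(a) for a in ipaddress.IPv4Network(network) if acl_permits(acl, str(a))]

# The two ACLs posted in the thread, reduced to source/wildcard pairs
ACL_WITH_DENY = [("permit", "10.10.10.101", "0.0.0.0"), ("permit", "10.10.10.102", "0.0.0.1"),
                 ("deny", "10.10.10.96", "0.0.0.7"), ("permit", "10.10.10.96", "0.0.0.31"),
                 ("permit", "10.10.10.128", "0.0.0.127")]
ACL_PERMIT_ONLY = [("permit", "10.10.10.101", "0.0.0.0"), ("permit", "10.10.10.102", "0.0.0.1"),
                   ("permit", "10.10.10.104", "0.0.0.7"), ("permit", "10.10.10.112", "0.0.0.15"),
                   ("permit", "10.10.10.128", "0.0.0.127")]

if __name__ == "__main__":
    # exact cover of the asker's range 10.10.0.101 - 10.10.0.254 (11 lines, not 5)
    for net, wc in range_to_wildcards("10.10.0.101", "10.10.0.254"):
        print(f"access-list 101 permit ip {net} {wc} any")
    a = permitted_hosts(ACL_WITH_DENY, "10.10.10.0/24")
    b = permitted_hosts(ACL_PERMIT_ONLY, "10.10.10.0/24")
    print("same result:", a == b, "first:", a[0], "last:", a[-1], "count:", len(a))
```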
leblancAccountingAuthor Commented:
I am a bit confused about the wildcard mask because I see ACLs with subnet masks (see below). So isn't it easier to use a subnet mask? Can I use a subnet mask instead of a wildcard mask?

access-list MY-ACL permit ip 10.10.0.0 255.255.255.0 10.10.6.0 255.255.255.0
JustInCaseCommented:
That's just the way Cisco is doing that.
You can try, but 255 in this case means any address, and 0 means exactly this address.
The statement that you wrote, translated into some form of English :)
permit any IP address that ends with 0 if it is forwarded to any IP address that ends with 0