ACL on a range of IP addresses

I want to include only a range of IP addresses in my ACL. Is there a tutorial on how to do this? Thanks

You forgot to mention which router you are configuring right now.
leblancAccountingAuthor Commented:
Sorry. I am using a Cisco Catalyst 6509 switch
I can only do this with 3 lists sadly, and also not in your range. Either expand it slightly (start or make the list shorter (start with 10.10.112, and don't use the 3rd list)
The access list has to be changed (maybe you wanted to use deny etc etc)

access-list 101 permit ip

// - 254

access-list 102 permit ip

// - 127

access-list 103 permit ip

// - 111

leblancAccountingAuthor Commented:
How did you come up with the wild card? Are there some bits patterns you need to play around with? Thx
Because Cisco's ACLs are based on subnets and not on strings (like simpler routers, where you fill in start and end), you have to play around with the subnet mask, which is bound to rules.
Therefore, you either know the rules off the top of your head, or you use a subnet calculator (available as an online page).
access-list 101 permit   // permit 101
access-list 101 permit  // permit 102 103
access-list 101 deny        // deny 96 - 103
access-list 101 permit   // permit 96 - 127 but previous statement blocks some addresses and since ACL is processed from top to bottom this will permit 104 - 127
access-list 101 permit // permit 128 - 254

At the end of every ACL is an implicit deny all, so the permitted IP address range is -

subnetting tutorial - Cisco or video tutorials on YouTube
leblancAccountingAuthor Commented:
Can you remind me how you come up with the wildcard mask in Thx

Subnetting and wildcards - quick and dirty. :)
Network address IP is a decimal number multiplied with a base-2 number.
Wildcard is simply the same base-2 number -1.
12*8=96 network address
Base-2 number was 8 - wildcard is 8-1=7
96 network
97 - 102 hosts
103 - broadcast

So that's

next network  13*8=104
leblancAccountingAuthor Commented:
Thank you for the explanation. The problem that I am having now is what if I have hosts in the range between 97 and 102, They will not be allowed (see below). I am planning to apply this ACL on the WAN interface.

access-list 101 deny        // deny 96 - 103
access-list 101 permit   // permit 96 - 127 but previous statement blocks some
Then you can do it this way

access-list 101 permit   // permit 101
access-list 101 permit  // permit 102 103
access-list 101 permit   // permit 104 - 111
access-list 101 permit   // permit 112 - 127
access-list 101 permit // permit 128 - 254

The same IP range is permitted - and there are no IP addresses that are denied

hosts in the range between 97 and 102
and also there was no problem for hosts in this range, but for 6 IP addresses 96 - 100
The ACL is executed from top to bottom, so first 101 - 103 were permitted, and then that part of the range is denied; it will actually never check the third statement if any of the first two statements had a match.
If two statements are overlapping and there is a match in the first statement, the second statement won't be reached. When the first match is found, it is game over. If there is no matching statement in the ACL, at the end of the ACL is an implicit deny any statement. So 96 - 100 are denied anyway in both cases and both ACLs have exactly the same result.
leblancAccountingAuthor Commented:
I am a bit confused about the wildcard mask because I see ACL with subnet mask (see below). So isn't it easier to use subnet mask? Can I use subnet mask instead of wildcard mask?

access-list MY-ACL permit ip
That's just the way Cisco is doing that.
You can try but - 255 in this case means any address, and 0 means exactly this address.
Statement that you wrote translated to some form of English language :)
permit any ip address that ends with 0 if it is forwarded to any ip address that ends with 0
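
The wildcard arithmetic and the top-to-bottom, first-match behaviour discussed in this thread, as an added Python example that is not part of any participant's post: it splits a range into network/wildcard pairs and checks that an ACL with an overlapping deny and a permit-only ACL decide every address the same way. The 192.0.2.x prefix, the 101-255 range, the ACL entries and all function names are constructed assumptions.

```python
import ipaddress

PREFIX = "192.0.2."  # constructed documentation prefix, not from the thread

def wildcard_entries(first, last):
    """Split an inclusive IPv4 range into aligned (network, wildcard) pairs."""
    nets = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    # hostmask is the inverted subnet mask, i.e. block size minus 1
    return [(str(n.network_address), str(n.hostmask)) for n in nets]

def matches(addr, base, wildcard):
    """Wildcard bit 0 = bit must match, 1 = don't care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def evaluate(acl, addr):
    """First matching entry wins; no match falls through to implicit deny."""
    for action, base, wildcard in acl:
        if matches(addr, base, wildcard):
            return action
    return "deny"

# Constructed ACL with an overlapping deny placed before a wider permit
ACL_WITH_DENY = [
    ("permit", PREFIX + "101", "0.0.0.0"),    # 101
    ("permit", PREFIX + "102", "0.0.0.1"),    # 102 - 103
    ("deny",   PREFIX + "96",  "0.0.0.7"),    # 96 - 103 (101 - 103 matched above)
    ("permit", PREFIX + "96",  "0.0.0.31"),   # 96 - 127, effectively 104 - 127
    ("permit", PREFIX + "128", "0.0.0.127"),  # 128 - 255
]

# Permit-only ACL generated from the range itself
ACL_PERMIT_ONLY = [("permit", base, wc)
                   for base, wc in wildcard_entries(PREFIX + "101", PREFIX + "255")]

def differing_hosts(acl_a, acl_b):
    """Last octets for which the two ACLs reach different decisions."""
    return [h for h in range(256)
            if evaluate(acl_a, PREFIX + str(h)) != evaluate(acl_b, PREFIX + str(h))]

if __name__ == "__main__":
    for base, wc in wildcard_entries(PREFIX + "101", PREFIX + "255"):
        print(f"{base:<14} {wc}")
    print("hosts decided differently:", differing_hosts(ACL_WITH_DENY, ACL_PERMIT_ONLY))
```

The last generated block is aligned on 128 with wildcard 0.0.0.127, so it also covers the .255 address; a range that must stop at .254 needs further splitting into smaller blocks.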