Hi, I have a question regarding ACL.

jlau2001 Member Posts: 15
Hi, I have a question regarding ACL, maybe easy for you, maybe not.

I tried to build an ACL in a router.

so basically I want to permit 192.168.1.60 - 192.168.1.82

So at first I just thought access-list 102 permit ip 192.168.1.60 0.0.0.32 any should work. Thought it would block .60 to .93, and I was wrong. The ACL appeared as access-list 102 permit ip 192.168.1.32 0.0.0.32 any instead, which means 32 is the only bit included in the network subnet for .60

So eventually I need to use access-list 102 permit ip 192.168.1.64 0.0.0.32 any
then access-list 102 permit ip host 192.168.1.60 any
access-list 102 permit ip host 192.168.1.61 any
access-list 102 permit ip host 192.168.1.62 any
access-list 102 permit ip host 192.168.1.63 any

right now I can't think of other solutions yet except this one.

Comments

  • r_durant Member Posts: 486
    I'm not certain of the actual commands that will assist you, but I am certain there is an easier way than listing each IP address you want to permit...

    I know you should be able to create a pool (1.60 - 1.82) and then use an access-list to permit that pool...

    But, I stand corrected...

    ---

    Or, is that just with a NAT pool?? Hmmmm...
    CCNA (Expired...), MCSE, CWNA, BSc Computer Science
    Working on renewing CCNA!
  • NeonNoodle Member Posts: 92
    jlau2001 wrote:
    Hi, I have a question regarding ACL, maybe easy for you, maybe not.

    I tried to build an ACL in a router.

    so basically I want to permit 192.168.1.60 - 192.168.1.82

    So at first I just thought access-list 102 permit ip 192.168.1.60 0.0.0.32 any should work. Thought it would block .60 to .93, and I was wrong. The ACL appeared as access-list 102 permit ip 192.168.1.32 0.0.0.32 any instead, which means 32 is the only bit included in the network subnet for .60

    So eventually I need to use access-list 102 permit ip 192.168.1.64 0.0.0.32 any
    then access-list 102 permit ip host 192.168.1.60 any
    access-list 102 permit ip host 192.168.1.61 any
    access-list 102 permit ip host 192.168.1.62 any
    access-list 102 permit ip host 192.168.1.63 any

    right now I can't think of other solutions yet except this one.

    access-list 102 permit ip 192.168.1.60 0.0.0.3 any
    access-list 102 permit ip 192.168.1.64 0.0.0.15 any
    access-list 102 permit ip 192.168.1.80 0.0.0.1 any
    access-list 102 permit ip 192.168.1.82 0.0.0.0 any

    If you don't mind blocking 192.168.1.83, get rid of the fourth statement and change the third one to

    access-list 102 permit ip 192.168.1.80 0.0.0.3 any
    I recognize the lion by his paw.
    --Jacob Bernoulli
  • jlau2001 Member Posts: 15
    NeonNoodle wrote:
    jlau2001 wrote:
    Hi, I have a question regarding ACL, maybe easy for you, maybe not.

    I tried to build an ACL in a router.

    so basically I want to permit 192.168.1.60 - 192.168.1.82

    So at first I just thought access-list 102 permit ip 192.168.1.60 0.0.0.32 any should work. Thought it would block .60 to .93, and I was wrong. The ACL appeared as access-list 102 permit ip 192.168.1.32 0.0.0.32 any instead, which means 32 is the only bit included in the network subnet for .60

    So eventually I need to use access-list 102 permit ip 192.168.1.64 0.0.0.32 any
    then access-list 102 permit ip host 192.168.1.60 any
    access-list 102 permit ip host 192.168.1.61 any
    access-list 102 permit ip host 192.168.1.62 any
    access-list 102 permit ip host 192.168.1.63 any

    right now I can't think of other solutions yet except this one.

    access-list 102 permit ip 192.168.1.60 0.0.0.3 any
    access-list 102 permit ip 192.168.1.64 0.0.0.15 any
    access-list 102 permit ip 192.168.1.80 0.0.0.1 any
    access-list 102 permit ip 192.168.1.82 0.0.0.0 any

    If you don't mind blocking 192.168.1.83, get rid of the fourth statement and change the third one to

    access-list 102 permit ip 192.168.1.80 0.0.0.3 any

    This is so cool, you've considered allowing .60 to .82 in four statements.

    I think I just use:
    access-list 100 permit ip 192.168.1.64 0.0.0.15 any
    access-list 100 permit ip 192.168.1.60 0.0.0.3 any

    that should do it.

    Anyway, is there any way to do this using only 1 statement?
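
An added example, not part of any post in the thread: a Python check, using the standard `ipaddress` module, of which hosts the ACL statements discussed above actually permit. The function names are this example's own. It goes beyond the .60 to .82 case by handling any first-to-last range and by computing the tightest single contiguous-wildcard statement that contains the range.

```python
import ipaddress

def matches(addr, base, wildcard):
    """True if addr matches an ACL base/wildcard pair (wildcard 1-bits are ignored)."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

def matched_octets(entries, subnet="192.168.1.0/24"):
    """Last octets in subnet permitted by a list of (base, wildcard) entries."""
    net = ipaddress.ip_network(subnet)
    return [int(h) & 0xFF for h in net if any(matches(h, b, w) for b, w in entries)]

def range_to_acl(first, last, acl=102):
    """Exact cover of first..last using aligned power-of-two blocks."""
    nets = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [f"access-list {acl} permit ip {n.network_address} {n.hostmask} any"
            for n in nets]

def single_statement(first, last):
    """Smallest contiguous-wildcard pair containing first..last (may over-permit)."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    w = (1 << (lo ^ hi).bit_length()) - 1   # free every bit up to the highest differing one
    base = lo & ~w & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(base)), str(ipaddress.IPv4Address(w))

if __name__ == "__main__":
    # Exact cover of the requested range
    for line in range_to_acl("192.168.1.60", "192.168.1.82"):
        print(line)
    # The two-statement list from the last post in the thread
    two = [("192.168.1.64", "0.0.0.15"), ("192.168.1.60", "0.0.0.3")]
    print("two statements permit:", matched_octets(two))
    # A wildcard of 0.0.0.32 frees exactly one bit, so it matches two hosts
    print("192.168.1.64 0.0.0.32 permits:", matched_octets([("192.168.1.64", "0.0.0.32")]))
    # One statement that contains the whole range, and how much extra it lets in
    base, wc = single_statement("192.168.1.60", "192.168.1.82")
    print("one statement:", base, wc, "permits", len(matched_octets([(base, wc)])), "hosts")
```

A single base/wildcard pair always matches a power-of-two number of addresses, so the 23 hosts from .60 to .82 cannot be matched exactly by one statement; the tightest contiguous one found here permits 128.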