
Access list command format (netmask)


WANguy2k

MIS
Feb 25, 2002
363
US
I'm trying to create an ACL to deny the network 148.203.0.0-148.250.255.255. Is this the correct statement?

access-list 100 deny ip 148.203.0.0 0.192.255.255 any

I'm specifically questioning the 192 in the network mask. Thanks in advance.

 
You might want to have a look at the rules for wildcard masking: they are what is used for ACLs.

So in this case the range you want to block is from
148.203.0.0 to 148.250.0.0 (not .255.255 I think):
So an acl like
access-list 10 deny ip 143.208.0.0 0.42.255.255
may work: This is the correct idea in any case.
 
By the way, just to be sure I'm on the right track:

If I want to block all addresses in 200.0.0.0 to 203.255.255.255, would this be the correct statement?

access-list 100 deny ip 200.0.0.0 3.255.255.255 any

Thanks again in advance...
 
Hi,

I don't know if this is too late to be of any use to you, but I'll post it in case it is.

Your second post is correct:

access-list 100 deny ip 200.0.0.0 3.255.255.255 any

Will deny between 200 and 203.

To deny the range you stated in your first post you would need:

access-list 100 deny ip 148.203.0.0 0.191.255.255 any

The 191 tells the ACL to ignore all but the first two bits of the octet.

In effect you are saying start from 203 and deny anything that has a 1 in the first two octets, so that ACL would deny 203 to 255, not 250.

Hope this helps

Steve
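
Added example, not part of any post in the thread: a Python check of which octet values the base/wildcard pairs quoted above match (a 1 bit in the wildcard means "ignore this bit"), plus a splitter that turns an arbitrary address range into the aligned blocks a wildcard mask can express. The function names are made up for this illustration, and the splitting relies on the standard library's `ipaddress.summarize_address_range`.

```python
import ipaddress

def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def acl_matches(base, wildcard, addr):
    """True if addr matches the entry: 1-bits in the wildcard are 'don't care'."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)

def matched_octet_values(base, wildcard, index):
    """Values of octet `index` (0-3) the entry matches, as inclusive (lo, hi) runs."""
    b = int(base.split(".")[index])
    w = int(wildcard.split(".")[index])
    care = ~w & 0xFF
    runs = []
    for v in range(256):
        if (v & care) != (b & care):
            continue
        if runs and runs[-1][1] == v - 1:
            runs[-1][1] = v          # extend the current run
        else:
            runs.append([v, v])      # start a new run
    return [tuple(r) for r in runs]

def range_to_acl(first, last, acl=100, action="deny"):
    """Extended-ACL lines that cover exactly first..last, one per aligned block."""
    nets = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [f"access-list {acl} {action} ip {n.network_address} {n.hostmask} any"
            for n in nets]

if __name__ == "__main__":
    # Base/wildcard pairs taken from the thread; second octet is the one in question.
    for base, wc in [("148.203.0.0", "0.192.255.255"),
                     ("148.203.0.0", "0.191.255.255")]:
        print(base, wc, "second octet:", matched_octet_values(base, wc, 1))
    print("200.0.0.0 3.255.255.255 first octet:",
          matched_octet_values("200.0.0.0", "3.255.255.255", 0))
    for line in range_to_acl("148.203.0.0", "148.250.255.255"):
        print(line)
```

A range whose start is not aligned to a power-of-two block cannot be written as a single base/wildcard pair, which is why the splitter returns several lines for 148.203.0.0 to 148.250.255.255 and a single line for 200.0.0.0 to 203.255.255.255.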

 