09-30-2008 09:06 PM - edited 03-03-2019 11:44 PM
Guess if I want to block two networks,
192.168.1.0/24 and 192.168.3.0/24,
what will be the access list for that, keeping in mind that I want to get the job done in one line (access-list statement)? And can someone please tell me how you did that....thanks
09-30-2008 09:21 PM
access-list 1 deny 192.168.1.0 0.0.2.255
09-30-2008 09:26 PM
access-list 1 deny 192.168.1.0 0.0.3.255
edit: I type slow
10-01-2008 01:06 AM
Hello Khan,
you need to think about the binary of the base subnet IP address
192.168.1.0/24
192.168.3.0/24
and look for what they have in common:
they have in common the first two bytes, and the 1 set in the least significant bit of the third byte
so
192.168.1.0
the wildcard mask in ACL can contain multiple transitions 0 to 1 and 1 to 0.
0.0.2.255
the third byte is in binary:
00000010 : the first 6 bits are 0 and must match; the last bit must be 1 and must match; the bit that makes the difference between 1 and 3 can be set to any value
so it is:
access-list 12 deny 192.168.1.0 0.0.2.255
notice that
access-list 12 deny 192.168.1.0 0.0.3.255
is wrong because it is matching
192.168.0.0/24
192.168.1.0/24
192.168.2.0/24
192.168.3.0/24
that is not the same
Hope to help
Giuseppe
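As an added example (not part of the thread, and not Cisco code), the following Python script simulates the IOS wildcard test Giuseppe describes and generalizes it: it derives the one-line wildcard for a list of subnets, enumerates every /24 a given "base wildcard" pair actually matches, and reports whether the single line over-matches. The ACL number 12 and the sample addresses are assumed/constructed for illustration.

```python
import ipaddress
from typing import Iterable, List, Tuple


def parse_dotted(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def to_dotted(n: int) -> str:
    return str(ipaddress.IPv4Address(n))


def wildcard_matches(ip: str, base: str, wildcard: str) -> bool:
    """Cisco-style ACL test: wherever a wildcard bit is 0 the address bit must
    equal the base; wherever it is 1 the address bit is ignored."""
    w = parse_dotted(wildcard)
    care = (~w) & 0xFFFFFFFF
    return (parse_dotted(ip) & care) == (parse_dotted(base) & care)


def single_line_wildcard(prefixes: Iterable[str]) -> Tuple[str, str]:
    """Smallest one-line 'base wildcard' pair covering all the given prefixes:
    base = first network address; wildcard = host bits of every prefix OR'ed
    with every bit in which a network address differs from the base."""
    nets = [ipaddress.IPv4Network(p) for p in prefixes]
    base = int(nets[0].network_address)
    wildcard = 0
    for n in nets:
        wildcard |= int(n.hostmask)                  # host bits are always don't-care
        wildcard |= int(n.network_address) ^ base    # bits that differ between subnets
    return to_dotted(base), to_dotted(wildcard)


def covered_networks(base: str, wildcard: str, prefixlen: int = 24) -> List[str]:
    """Enumerate every /prefixlen network the line matches. Assumes the host
    part of the wildcard is all ones (as in the thread's examples)."""
    b, w = parse_dotted(base), parse_dotted(wildcard)
    net_mask = (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF
    free = w & net_mask                              # don't-care bits inside the network part
    free_bits = [i for i in range(32) if (free >> i) & 1]
    fixed = b & net_mask & ((~free) & 0xFFFFFFFF)
    results = []
    for combo in range(1 << len(free_bits)):         # every combination of the free bits
        addr = fixed
        for j, bit in enumerate(free_bits):
            if (combo >> j) & 1:
                addr |= 1 << bit
        results.append(f"{to_dotted(addr)}/{prefixlen}")
    return sorted(results, key=lambda s: parse_dotted(s.split("/")[0]))


def covers_exactly(prefixes: List[str]) -> bool:
    """True if one access-list line can match exactly these /24s and nothing else."""
    base, wildcard = single_line_wildcard(prefixes)
    return set(covered_networks(base, wildcard)) == set(prefixes)


def acl_line(number: int, action: str, prefixes: List[str]) -> str:
    """Render the one-line statement (ACL number is a hypothetical choice)."""
    base, wildcard = single_line_wildcard(prefixes)
    return f"access-list {number} {action} {base} {wildcard}"


if __name__ == "__main__":
    wanted = ["192.168.1.0/24", "192.168.3.0/24"]   # constructed sample from the thread
    print(acl_line(12, "deny", wanted))
    print(covered_networks("192.168.1.0", "0.0.2.255"))
    print(covered_networks("192.168.1.0", "0.0.3.255"))   # the over-matching variant
    # 1 and 2 differ in two bit positions, so no single line matches only those two
    print(covers_exactly(["192.168.1.0/24", "192.168.2.0/24"]))
```

The last call shows the general rule behind Giuseppe's answer: a single wildcard line can only match a set of subnets whose network addresses differ in a fixed set of bit positions (a power-of-two-sized, bit-aligned group), so 1 and 3 fit in one line while 1 and 2 would need two.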