Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
486
Views
5
Helpful
1
Replies

Please help with this access-list / inverse mask exercise

Go to solution
news2010a
Level 3
Level 3

‎03-07-2007 09:39 PM - edited ‎03-05-2019 02:46 PM

You want to deny access to all hosts that lie within the range 192.168.160.0/24-192.168.191.0/24.

Hosts in the 192.168.195.0/24 should be granted full access.

If I need to write this access-list, can you help me determine the inverse subnet mask for this? I am terrible at this type of exercise!

I would do

access-list 10 deny 192.168.?.? 0.0.?.255

But I can't figure out the rationale behind how

to include .160.0 and 191.0 but exclude

.195.0.

I wrote the following 3rd and 4th octet in binary:

.160.0 = 10100000.0000000

.191.0 = 10111111.0000000

Then the mask /24 at 3rd and 4th octet:

= 11111111.0000000

I know that "1" is don't care. "0" is match exactly.

How can I proceed from here?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
dgahm
Level 8
Level 8

‎03-07-2007 10:02 PM

Marlon,

You have done the hard part with this:

.160.0 = 10100000.0000000

.191.0 = 10111111.0000000

Note that both bit patterns match as far as the 160 (101), and if the rest of the bits in the 3rd octet are ones you have 191 which is the top of your range. So if your mask is all 1s(don't care) from that point you would match 192.168.160.0 through 192.168.191.255.

access-list 10 deny 192.168.160.0 0.0.31.255

Note that adding the inverse mask to the address will show you the upper address in the range:

192.168.160.000

000.000.031.255

---------------

192.168.191.255

This is a quick double check on your mask.

Please rate helpful posts.

Dave

View solution in original post

1 Reply 1

Go to solution
dgahm
Level 8
Level 8

‎03-07-2007 10:02 PM

Marlon,

You have done the hard part with this:

.160.0 = 10100000.0000000

.191.0 = 10111111.0000000

Note that both bit patterns match as far as the 160 (101), and if the rest of the bits in the 3rd octet are ones you have 191 which is the top of your range. So if your mask is all 1s(don't care) from that point you would match 192.168.160.0 through 192.168.191.255.

access-list 10 deny 192.168.160.0 0.0.31.255

Note that adding the inverse mask to the address will show you the upper address in the range:

192.168.160.000

000.000.031.255

---------------

192.168.191.255

This is a quick double check on your mask.

Please rate helpful posts.

Dave

Customers Also Viewed These Support Documents