
Please help with this access-list / inverse mask exercise

news2010a
Level 3

You want to deny access to all hosts that lie within the range 192.168.160.0/24-192.168.191.0/24.

Hosts in the 192.168.195.0/24 should be granted full access.

If I need to write this access-list, can you help me determine the inverse subnet mask for this? I am terrible at this type of exercise!

I would do

access-list 10 deny 192.168.?.? 0.0.?.255

But I can't figure out the rationale behind how to include .160.0 and .191.0 but exclude .195.0.

I wrote the following 3rd and 4th octet in binary:

.160.0 = 10100000.00000000

.191.0 = 10111111.00000000

Then the mask /24 at 3rd and 4th octet:

= 11111111.00000000

I know that "1" is don't care. "0" is match exactly.

How can I proceed from here?

Accepted Solutions

dgahm
Level 8

Marlon,

You have done the hard part with this:

.160.0 = 10100000.00000000

.191.0 = 10111111.00000000

Note that both bit patterns match as far as the 160 (101), and if the rest of the bits in the 3rd octet are ones you have 191, which is the top of your range. So if your mask is all 1s (don't care) from that point, you would match 192.168.160.0 through 192.168.191.255.

access-list 10 deny 192.168.160.0 0.0.31.255

Note that adding the inverse mask to the address will show you the upper address in the range:

192.168.160.000

000.000.031.255

---------------

192.168.191.255

This is a quick double check on your mask.

Please rate helpful posts.

Dave
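
The mask derivation and the add-the-mask double check from the answer above, as an added Python example that is not part of the original thread. The function names are hypothetical; the block also confirms that 192.168.195.0/24 falls outside the deny entry and rejects a range that a single entry cannot cover exactly.

```python
import ipaddress

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def to_str(value):
    return str(ipaddress.IPv4Address(value))

def acl_matches(base, wildcard, host):
    """Wildcard semantics: 0 bits must equal the base, 1 bits are don't care."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return ((to_int(host) ^ to_int(base)) & care) == 0

def wildcard_for_range(first, last):
    """Return (base, wildcard) covering exactly first..last, or raise ValueError
    when the range is not one aligned power-of-two block."""
    lo, hi = to_int(first), to_int(last)
    wc = lo ^ hi                            # bits that differ between the two ends
    contiguous = (wc & (wc + 1)) == 0       # differing bits must be a run of low 1s
    aligned = (lo & wc) == 0 and (hi & wc) == wc
    if not (contiguous and aligned):
        raise ValueError(f"{first}-{last} cannot be covered exactly by one entry")
    return to_str(lo), to_str(wc)

def upper_bound(base, wildcard):
    """Double check from the answer: base + wildcard = top address of the range.
    Only valid when the base has 0s wherever the wildcard has 1s."""
    b, w = to_int(base), to_int(wildcard)
    if b & w:
        raise ValueError("base has bits set under the wildcard")
    return to_str(b + w)

if __name__ == "__main__":
    base, wc = wildcard_for_range("192.168.160.0", "192.168.191.255")
    print(f"access-list 10 deny {base} {wc}")
    print("top of range:", upper_bound(base, wc))
    # Constructed sample hosts: two inside the range, two just outside, one in .195
    for host in ("192.168.160.1", "192.168.191.254", "192.168.159.255",
                 "192.168.192.1", "192.168.195.10"):
        print(host, "deny" if acl_matches(base, wc, host) else "not matched")
```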
