How about using ranges of IP addresses instead of subnets in ACLs? For example, I have to block access to 66.114.175.151-178 and I can't figure out how to mask that. I guess since there's not all that many, I could do them individually, but a range would make it a bit easier and cleaner to read.
This is done by use of what Cisco calls wildcard, or wildcard bits, i.e. one bit equals a match/do-care, and a zero equals don't-care. E.g. range = 192.168.10.0 0.0.0.255 is the same as subnet 192.168.10.0 255.255.255.0
or if you want to match a specific host in many networks:
192.168.10.13 0.0.255.0 means the hosts .13 in whatever 192.168.xxx.13 network
Oh yes, sorry about not mentioning the product. I was talking about PIX515 and I don't believe that uses the same wildcard masking as the IOS-based products do, as mentioned by Martin. However, your suggestion, Walter, is exactly what I needed, I was going to group all the individual IPs together, but this makes it even cleaner/shorter.
There used to be a C program available from Cisco (masks.c by Joel Bion) which would help you do that. For many years I had a copy but it seems to have disappeared, though I used the logic of it later[1]. Does anyone have a copy or is there a web-based version anywhere?
Alternatively you can make a table of power-of-two blocks ( is an example and I could easily provide the script that made that, or an Excel spreadsheet with a similar layout - lots of other people do that too) and just match the ones that complete the range you're interested in.
In your case that would be 151, the blocks 152-159, 160-175, 176-177 and 178.
Sam
[1] In a perl script of my own for a different purpose so it would be no use my giving you the script.
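As an added example (not the masks.c program or Sam's script, neither of which is on this page), the power-of-two split Sam describes, carried out in Python for the 66.114.175.151-178 range from the question, with a check that the resulting entries match exactly that range and nothing on either side before they go into an ACL. The `access-list` rendering assumes IOS-style wildcard syntax; a box that takes a netmask instead would use the complement of each wildcard.

```python
import ipaddress


def _ip(n):
    """Integer -> dotted-quad string."""
    return str(ipaddress.IPv4Address(n))


def range_to_wildcard_acl(first, last):
    """Split the inclusive range first..last into the fewest power-of-two
    aligned blocks and return (address, wildcard) pairs as an IOS-style ACL
    takes them (wildcard bit 1 = don't care, 0 = must match)."""
    start = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    if start > end:
        raise ValueError("range start is above range end")
    entries = []
    while start <= end:
        # Grow the block while it stays aligned to its own size and inside the range.
        size = 1
        while start % (size * 2) == 0 and start + size * 2 - 1 <= end:
            size *= 2
        entries.append((_ip(start), _ip(size - 1)))
        start += size
    return entries


def wildcard_matches(address, base, wildcard):
    """True if address matches base/wildcard under Cisco wildcard rules."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (address, base, wildcard))
    return (a ^ b) & (0xFFFFFFFF ^ w) == 0


def covers_exactly(entries, first, last):
    """Sanity check before pasting into an ACL: every address in the range is
    matched, and the addresses just outside either end are not."""
    lo, hi = (int(ipaddress.IPv4Address(x)) for x in (first, last))
    hit = lambda n: any(wildcard_matches(_ip(n), b, w) for b, w in entries)
    inside = all(hit(n) for n in range(lo, hi + 1))
    outside = (lo == 0 or not hit(lo - 1)) and (hi == 0xFFFFFFFF or not hit(hi + 1))
    return inside and outside


def as_deny_lines(entries, acl="100"):
    """Render as IOS extended-ACL deny lines (ACL number 100 is a constructed sample)."""
    return ["access-list %s deny ip %s %s any" % (acl, b, w) for b, w in entries]


if __name__ == "__main__":
    acl = range_to_wildcard_acl("66.114.175.151", "66.114.175.178")
    print("\n".join(as_deny_lines(acl)))
    print("covers exactly:", covers_exactly(acl, "66.114.175.151", "66.114.175.178"))
```

The output reproduces Sam's five blocks (151, 152-159, 160-175, 176-177, 178) as 0.0.0.0, 0.0.0.7, 0.0.0.15, 0.0.0.1 and 0.0.0.0 wildcards.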