ranges vs subnets

How about using ranges of IP addresses instead of subnets in ACLs? For example, I have to block access to 66.114.175.151-178 and I can't figure out how to mask that. I guess since there's not all that many, I could do them individually, but a range would make it a bit easier and cleaner to read.

Thanks, Peter.

Peter Lecki

This is done by use of what Cisco calls wildcard, or wildcard bits. I.e. a one bit equals a match/do-care, and a zero equals don't-care, e.g. range = 192.168.10.0 0.0.0.255 is the same as subnet 192.168.10.0 255.255.255.0

or if you want to match a specific host in many networks:

192.168.10.13 0.0.255.0 means the host .13 in whatever 192.168.xxx.13 network

Google more about it ...

HTH Martin

Martin Bilgrav

You did not mention the product or software version.

In PIX 6, you cannot use ranges in ACLs, but you can create "object groups" that can refer to the hosts together. Saves a lot of typing sometimes.

object-group network badguys
 network-object host 66.114.175.151
 network-object 66.114.175.152 255.255.255.248
 network-object 66.114.175.160 255.255.255.240
 network-object 66.114.175.176 255.255.255.254
 network-object host 66.114.175.178

access-list in2out deny ip any object-group badguys

I seem to recall reading that there is some grouping facility in IOS 12.4 but I was not able to find it when I looked last time (~5ish months ago.)

Walter Roberson

In article , Martin Bilgrav top-posted:

... For IOS. Other Cisco products may use different representations.

Perhaps you meant 192.168.0.13 0.0.255.0

Walter Roberson

Oh yes, sorry about not mentioning the product. I was talking about PIX515 and I don't believe that uses the same wildcard masking as the IOS-based products do, as mentioned by Martin. However, your suggestion, Walter, is exactly what I needed, I was going to group all the individual IPs together, but this makes it even cleaner/shorter.

Thanks guys!

Peter Lecki

Hmm - I seem to be missing a post from W.R. in my newsfeed...

Anyway - PIX doesn't support wildcards; you could do a network-group instead, and apply this in the ACL.

Martin Bilgrav

Yes it does, just with the bit negated relative to IOS.

IOS: 123.45.66.0 0.0.1.255
PIX: 123.45.66.0 255.255.254.0

Walter Roberson

There used to be a C program available from Cisco (masks.c by Joel Bion) which would help you do that. For many years I had a copy but it seems to have disappeared, though I used the logic of it later[1]. Does anyone have a copy or is there a web-based version anywhere?

Alternatively you can make a table of power-of-two blocks ( is an example and I could easily provide the script that made that, or an Excel spreadsheet with a similar layout - lots of other people do that too) and just match the ones that complete the range you're interested in.

In your case that would be 151, the blocks 152-159, 160-175, 176-177 and 178.

Sam

[1] In a Perl script of my own for a different purpose, so it would be no use my giving you the script.
Sam Wilson
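The "table of power-of-two blocks" approach Sam describes, and the object-group Walter built from it, can be automated. The script below is an added example and is not part of the thread or of Cisco's masks.c; it uses only the Python standard library. It splits an inclusive range into the fewest aligned blocks (the same greedy logic Sam's table lookup performs by hand), renders them as PIX network-object lines with subnet masks, prints the IOS wildcard (the complement of that mask, as Walter notes), and includes a small matcher that applies IOS wildcard semantics so the "host .13 in every 192.168.x network" case from Martin's post can be checked. The object-group name badguys and ACL name in2out are taken from Walter's post; the range is the original poster's.

```python
import ipaddress

# Sample input taken from the original question: the range to be blocked.
RANGE_FIRST = "66.114.175.151"
RANGE_LAST = "66.114.175.178"


def range_to_blocks(first, last):
    """Split an inclusive IPv4 range into the fewest aligned power-of-two blocks.

    Greedy: at each step take the largest block that starts at the current
    address (alignment check) and does not run past the end of the range.
    """
    start = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    if start > end:
        raise ValueError("range start is after range end")
    blocks = []
    while start <= end:
        size = 1
        # Double the block while it stays aligned and still fits in the range.
        while start % (size * 2) == 0 and start + size * 2 - 1 <= end:
            size *= 2
        prefixlen = 32 - (size.bit_length() - 1)
        blocks.append(ipaddress.ip_network((start, prefixlen)))
        start += size
    return blocks


def pix_object_group(name, blocks):
    """Render blocks as PIX object-group lines: 'host' for /32, else address + netmask."""
    lines = [f"object-group network {name}"]
    for net in blocks:
        if net.prefixlen == 32:
            lines.append(f" network-object host {net.network_address}")
        else:
            lines.append(f" network-object {net.network_address} {net.netmask}")
    return lines


def ios_wildcard(net):
    """IOS wildcard for a block: the bitwise complement of the PIX-style netmask."""
    return str(net.hostmask)


def ios_wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)


if __name__ == "__main__":
    blocks = range_to_blocks(RANGE_FIRST, RANGE_LAST)
    # Cross-check against the standard library's own range summariser.
    assert blocks == list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(RANGE_FIRST), ipaddress.IPv4Address(RANGE_LAST)))
    print("\n".join(pix_object_group("badguys", blocks)))
    print("access-list in2out deny ip any object-group badguys")
    print()
    for net in blocks:
        print(f"IOS: {net.network_address} {ios_wildcard(net)}"
              f"   PIX: {net.network_address} {net.netmask}")
```

For the poster's range the script emits the five entries Walter and Sam both arrived at (151, 152-159, 160-175, 176-177, 178). Note that an odd start or end address always costs a /32, so a range chosen to land on block boundaries produces a much shorter object group; when the addresses to block are under your control (for example when documenting an internal policy), align them.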
