subnets in access lists...

It helps if you mention your platform.

In this instance we can deduce that it is likely IOS rather than PIX because PIX would use 255.0.0.0 for the netmask.

PIX would allow you to create an object group that contained the destination host addresses, and then to use a single statement to control access to them...

access-list 101 deny ip 61.0.0.0 255.0.0.0 object-group no_china_traffic_hosts

I saw a hint that relatively new IOS versions are adding in equivilent capabilities, but I haven't looked into that.

Other than that, the closest you get to "simpler" is

access-list 101 deny ip 61.0.0.0 0.255.255.255 a.b.c.4 0.0.0.3 access-list 101 deny ip 61.0.0.0 0.255.255.255 a.b.c.8 0.0.0.7 access-list 101 deny ip 61.0.0.0 0.255.255.255 a.b.c.16 0.0.0.3 access-list 101 deny ip 61.0.0.0 0.255.255.255 host a.b.c.20

which of course is a nuisance to maintain... if you want to remove a single host from the list, you could end up having to put in a fair number of new entries.

///////////////////////////////////////////////////////////////////

Sorry, yes an early IOS running on a Cisco3620.

So if I wanted to block all ips starting with 61 from accessing all IPs in the following range: a.b.c.64 a.b.c.95 Could I use:

access-list 101 deny ip 61.0.0.0 0.255.255.255 a.b.c.64 0.0.0.31 access-list 101 permit ip any any

Yes.

On 08.12.2005 18:52 Captain wrote

If you are dealing often with access-lists you may want to have a look at aggregate

Arnold

Thank you!

It's all making sense now!!