This denies the prefix 172.16.0.0/24 only (not a range):
access-list 100 deny ip host 172.16.0.0 host 255.255.0.0
This permits 172.16.0.0 255.255.0.0 (the entire class B range):
access-list 100 permit ip 172.16.0.0 0.0.255.255 255.255.0.0 0.0.255.255
This denies any updates with lengths of 25 bits or longer:
access-list 100 deny ip any 255.255.255.128 0.0.0.127
Besides numbered ACLs, named extended IP ACLs can also be used for this purpose.
The range can also be specified with the less-than-or-equal-to (le) attribute, which covers
every length from the value given in prefix/length up to the le value, inclusive. Example 4-6
matches the entire range of 172.16.0.0/16, that is, 172.16.0.0 255.255.0.0
using the regular mask or 172.16.0.0 0.0.255.255 using the inverted mask. If you want to
specify a range that does not start from the length, you must specify another keyword, ge,
as discussed next.
Example 4-6 Matching the Entire Class B Range of 172.16.0.0/16
ip prefix-list range-2 permit 172.16.0.0/16 le 32
Example 4-7 shows another example. Both the prefix list and the ACL versions are shown.
Example 4-7 Matching 172.16.0.0 255.255.224.0
ip prefix-list range-3 permit 172.16.0.0/19 le 32
!
access-list 100 permit ip 172.16.0.0 0.0.31.255 255.255.224.0 0.0.31.255
When both ge and le attributes are specified, the range goes from the ge value to the le
value. A specified ge value and/or le value must satisfy the following condition:
length < ge value <= le value <= 32
The expanded prefix list format follows. Note that the ge attribute must be specified before
the le value:
ip prefix-list name [seq #] deny | permit prefix/length [ge value] [le value]
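The matching rules above, modelled in Python as an added example (not code from the original text or from Cisco). The helper names prefix_list_match, wild and acl_match are hypothetical, the route list is constructed, and the model assumes IPv4 with contiguous netmasks. It checks that the prefix list and the ACL in Example 4-7 accept and reject the same updates.

```python
import ipaddress

def prefix_list_match(entry, route, ge=None, le=None):
    """Model of one ip prefix-list entry: True if route falls in its range."""
    net, rt = ipaddress.ip_network(entry), ipaddress.ip_network(route)
    if ge is not None and ge <= net.prefixlen:
        raise ValueError("ge must be greater than the entry length")
    lo = net.prefixlen if ge is None else ge
    # No ge/le: exact length only. ge alone: up to 32. le given: up to le.
    hi = le if le is not None else (net.prefixlen if ge is None else 32)
    if not lo <= hi <= 32:
        raise ValueError("need length < ge <= le <= 32")
    # The first `length` bits of the route must equal the entry's prefix.
    same_prefix = (int(rt.network_address) & int(net.netmask)) == int(net.network_address)
    return same_prefix and lo <= rt.prefixlen <= hi

def wild(value, base, wildcard):
    """Wildcard compare: bits set in the inverted mask are ignored."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(value) & care) == (int(ipaddress.IPv4Address(base)) & care)

def acl_match(addr, addr_wc, mask, mask_wc, route):
    """Extended ACL as a route filter: the source pair tests the prefix,
    the destination pair tests the netmask."""
    rt = ipaddress.ip_network(route)
    return wild(rt.network_address, addr, addr_wc) and wild(rt.netmask, mask, mask_wc)

# Constructed sample updates (not from the page).
ROUTES = ["172.16.0.0/19", "172.16.8.0/24", "172.16.31.255/32",
          "172.16.0.0/16", "172.16.0.0/18", "172.16.32.0/20"]

def compare_example_4_7():
    """Return {route: (prefix-list result, ACL result)} for Example 4-7."""
    return {r: (prefix_list_match("172.16.0.0/19", r, le=32),
                acl_match("172.16.0.0", "0.0.31.255",
                          "255.255.224.0", "0.0.31.255", r))
            for r in ROUTES}

if __name__ == "__main__":
    for route, (pl, acl) in compare_example_4_7().items():
        print(f"{route:18} prefix-list={pl!s:5} acl={acl}")
```

Running the same comparison against a candidate filter before deploying it shows whether a shorter, covering prefix or a neighbouring block slips through.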
Example 4-8 shows an example of using both ge and le attributes to match a portion of
172.16.1.0/24. The ACL version is also included.
 