Router ACL inverse mask

gigabyte1024 ([H]ard|Gawd, joined Mar 10, 2001, 2,027 messages)
I want to deny 10.17.0.x from accessing any other network besides 10.17.0.x on a Cisco router.

I would guess that I need a two-line ACL, one to deny everything 10.16.0.0 and lower and one to deny 10.18.0.0 and higher. I just can't figure out how to calculate it.


Code:
access-list 100 deny 10.17.0.0 255.255.255.0 10.0.0.0 0.??.0.255
access-list 100 deny 10.17.0.0 255.255.255.0 10.0.0.0 0.??.0.255

Any help?
 
If I'm not mistaken, all you need to do is allow your network. At the end of an ACL there is an implicit deny all:

access-list 100 permit 10.17.0.0 0.0.0.255 10.17.0.0 0.0.0.255
 
I'm confused here....

A router isn't going to pass 10.17.0.x through to another interface if the destination is 10.17.0.x. Unless you're subnetting this class C network into smaller subnets, and the destination is on another subnet.

If this is one class C subnet, a router would see this and assume the traffic is destined for the local network behind the interface receiving the traffic, and would drop the packet. (EDIT) Unless you're bridging...
 
Yeah, he could have that class C subnetted and on different segments. If he only wants that huge subnet to talk to itself he can allow that traffic to pass through.
 
Actually, this was for a nonat ACL. I'm new to making ACLs and got a little carried away.

thanks for the input.
 