I just want to confirm there isn't an easier way to do this. I am attempting to lock down a Vibe 3.3 zone so it is only available from two internal subnets plus 1 specific IP. This zone doesn't have an external DNS entry and there is no proxy or other front end to the Vibe server. I created a role condition, added it to the defined roles, and re-indexed.

My conditions:
allow 10.228.14.*
allow 10.228.15.*
allow 10.228.29.43
deny *.*.*.*

And I get blocked from the .14 and .15 subnets as well. The *.*.*.* seems to block everything and not allow exceptions.

If I do this, though, it seems to do what I want:
allow 10.228.14.*
allow 10.228.15.*
allow 10.228.29.43
deny 10.228.29.*

BUT, following that pattern, I would have to have 253 deny statements, for 10.228.1.* to 10.228.255.* and then it looks like just the 3 exceptions would work.

Is there an easier way with a global deny? If I do break down and enter in all those denies, am I going to hit a limit or cause a performance impact? Ideas?

Thanks,

Todd B.