ANOTHER ACL DESTINATION FILTER QUESTION

angexxx Member Posts: 2

I want to permit the IP protocol for all hosts (.17 -> .30) on a class C .16 network (/28, the source network) to gain access to an unsubnetted class C network (destination), but only hosts .1 -> .127, so I will use a wildcard of .127 to allow the first 128 hosts only.

Is this how you do it?

# deny ip protocol x.x.x.16 0.0.0.13 (src) x.x.x.128 0.0.0.127
# permit ip protocol x.x.x.16 0.0.0.13 (src) x.x.x.0 0.0.0.127

Would line 1 deny all 14 hosts on the .16 subnet from accessing the upper range of unsubnetted class C hosts?

Is it valid to put .128 in the 4th octet of the source filter address and then a wildcard mask of .128 in the 4th octet of the wildcard mask? Will this block access to the upper range?

But then, in line 2, allow packets that match the source range with the lower range: .0 in the 4th octet (source) and .127 in the 4th octet of the wildcard mask.

Comments

  • Humper Member Posts: 647
    Since your English lacks majorly, I am going to post the answer to your first question, and that's it.

    access-list 100 permit <protocol> x.x.x.16 0.0.0.15 x.x.x.0 0.0.0.127


    From your question I am assuming you want to deny a /28 (source network) entering a /25 (destination network).
    Now working full time!
  • dublin_101 Member Posts: 36
    With ACLs, forget classes, man. Nothing to do with it. As mentioned above, all you need to do is concentrate on the subnet.


    If you want to permit or deny hosts to a certain network, you just look at how many subnet mask bits there are. So if there are 27, you know that there are 5 host bits, so the wildcard would be 5 bits all set to 1; 11111 in binary is equal to 31 in decimal.

    Example: you want to permit traffic from all hosts of network 201.10.10.32/27 to access "any" network. You would do the following:

    access-list 100 permit ip 201.10.10.32 0.0.0.31 any


    If you wanted to allow access for the same network only to a specific network, e.g. only allow the network to access network 138.13.43.25/19, all we do is look at the subnet bits, being 19, and make the host bits all ones. So the first 19 bits of the octets will be 0s and the rest 1s; that would give us 0.0.248.255. We would then have an access list as such:

    access-list 100 permit ip 201.10.10.32 0.0.0.31 138.13.43.25 0.0.7.255



    PS: the "any" keyword is a substitute for 0.0.0.0 255.255.255.255, meaning any destination.

    So to sum it up, when you are permitting/denying for a whole network, you just have the decimal figure of all 1s in the host bits section of your octet(s)!

    I hope you understand this!
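As an added worked example (not code from anyone in this thread): a small Python model of how a Cisco-style extended ACL is evaluated. It derives wildcard masks from prefix lengths the way dublin_101 describes, matches addresses against base/wildcard pairs bit by bit, and walks a two-entry list modelled on the original question (a /28 source that may reach only the lower half of a /24). The addresses 192.0.2.0/24 and 198.51.100.0/24 are constructed documentation ranges, not from the thread.

```python
# Added example: wildcard-mask derivation and first-match ACL evaluation.
import ipaddress

ALL_ONES = 0xFFFFFFFF


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard mask is the bitwise inverse of the subnet mask: host bits become 1."""
    subnet_mask = (ALL_ONES << (32 - prefix_len)) & ALL_ONES
    return str(ipaddress.IPv4Address(subnet_mask ^ ALL_ONES))


def matches(addr: str, base: str, wildcard: str) -> bool:
    """True when every bit the wildcard marks as 0 ('must match') equals the base.

    Wildcard bits set to 1 are ignored, so the wildcard need not be contiguous:
    a mask such as 0.0.0.13 (binary 00001101) still checks bit 1 of the last octet.
    """
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & ALL_ONES
    return (a & care) == (b & care)


def evaluate_acl(acl, src: str, dst: str) -> str:
    """Entries are tested top-down; the first match wins; unmatched traffic is denied."""
    for action, src_base, src_wild, dst_base, dst_wild in acl:
        if matches(src, src_base, src_wild) and matches(dst, dst_base, dst_wild):
            return action
    return "deny"  # implicit deny at the end of every Cisco ACL


# Constructed ACL modelled on the question: hosts .17-.30 of 192.0.2.16/28 may
# reach 198.51.100.0-.127 only; the upper half .128-.255 is denied explicitly.
ACL = [
    ("deny",   "192.0.2.16", "0.0.0.15", "198.51.100.128", "0.0.0.127"),
    ("permit", "192.0.2.16", "0.0.0.15", "198.51.100.0",   "0.0.0.127"),
]

if __name__ == "__main__":
    for p in (28, 25, 27, 19):
        print(f"/{p} -> wildcard {wildcard_from_prefix(p)}")
    for src, dst in (("192.0.2.20", "198.51.100.50"),
                     ("192.0.2.20", "198.51.100.200"),
                     ("192.0.2.40", "198.51.100.50")):
        print(f"{src} -> {dst}: {evaluate_acl(ACL, src, dst)}")
```

Because the first entry already excludes the upper half, the order of the two entries matters: swapping them would let the permit line match first and the deny would never be reached.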