CCNA2 - Accesslist question

vpnn Member Posts: 1
Manager Hosts (Upper half) : 148.10.9.128 ~ 148.10.9.254 (Usable)
Production Hosts(Lower Half): 148.10.9.1 ~ 148.10.9.127 (Usable)
Subnet Mask : 255.255.255.0 /24
Wildcards: 0.0.0.255

Manager Hosts can access all network 209.0.0.0/24 all protocols. Production Hosts can ONLY access 209.0.0.254. Deny any others ...
-1-
access-list 100 permit ip 148.10.9.0 0.0.0.127 host 209.0.0.254
access-list 100 deny ip 148.10.9.0 0.0.0.127 209.0.0.0 0.0.0.255
access-list 100 permit ip 148.10.9.128 0.0.0.127 209.0.0.0 0.0.0.255
access-list 100 deny ip any 209.0.0.0 0.0.0.255

Or
-2-
access-list 100 permit ip 148.10.9.0 0.0.0.127 host 209.0.0.254
access-list 100 permit ip 148.10.9.128 0.0.0.127 209.0.0.0 0.0.0.255
access-list 100 deny ip any 209.0.0.0 0.0.0.255


Which one is correct, and why?


Finally, thank you for your time.

Comments

  • EdTheLad Member Posts: 2,111
    Both are correct, but you don't need so many lines. Only the two lines below are required. Since there is an implicit deny at the end of an access list, any addresses outside the permit ranges will automatically be blocked.

    (Production Hosts can ONLY access 209.0.0.254 . Deny any others)
    access-list 100 permit ip 148.10.9.0 0.0.0.127 host 209.0.0.254
    (Manager Hosts can access all network 209.0.0.0/24 all protocols)
    access-list 100 permit ip 148.10.9.128 0.0.0.127 209.0.0.0 0.0.0.255
    Networking, sometimes I love it, mostly I hate it. It's all about the $$$$
  • forbesl Member Posts: 454
    ed_the_lad wrote:
    Only the two lines below are required.
    Unless you have a syslog server set up and want to log all denies, then you will need to add the deny statement:

    access-list 100 deny ip any 209.0.0.0 0.0.0.255 log

    With this short of an access list, you wouldn't need to do that; however, if you start working on the job with larger and larger access lists, it is helpful to log all of your denies for troubleshooting purposes. Especially if you have a "deny all, permit by exception" policy on your network.
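
Added example, not part of the thread: a small Python model of first-match extended ACL evaluation with wildcard masks and the implicit deny, run over the three versions of access-list 100 discussed above. The function names and the probe packets are constructed for illustration; the model covers only `permit|deny ip` lines with `any`, `host` and address/wildcard operands.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def parse(text):
    """Parse 'access-list N permit|deny ip SRC DST [log]' lines into rules."""
    rules = []
    for line in text.strip().splitlines():
        action, _proto, *tok = line.split()[2:]    # skip 'access-list 100'
        specs = []
        while tok and tok[0] != "log":
            if tok[0] == "any":                    # every bit is don't-care
                spec, tok = (0, 0xFFFFFFFF), tok[1:]
            elif tok[0] == "host":                 # every bit must match
                spec, tok = (ip(tok[1]), 0), tok[2:]
            else:                                  # address + wildcard mask
                spec, tok = (ip(tok[0]), ip(tok[1])), tok[2:]
            specs.append(spec)
        rules.append((action, specs[0], specs[1]))
    return rules

def matches(addr, spec):
    base, wild = spec
    care = ~wild & 0xFFFFFFFF                      # wildcard 0-bits are compared
    return (ip(addr) & care) == (base & care)

def evaluate(rules, src, dst):
    for action, s, d in rules:                     # first matching line wins
        if matches(src, s) and matches(dst, d):
            return action
    return "deny"                                  # implicit deny ends every list

OPTION_1 = """
access-list 100 permit ip 148.10.9.0 0.0.0.127 host 209.0.0.254
access-list 100 deny ip 148.10.9.0 0.0.0.127 209.0.0.0 0.0.0.255
access-list 100 permit ip 148.10.9.128 0.0.0.127 209.0.0.0 0.0.0.255
access-list 100 deny ip any 209.0.0.0 0.0.0.255
"""
_l = OPTION_1.strip().splitlines()
OPTION_2 = "\n".join([_l[0], _l[2], _l[3]])        # option 2 from the question
TWO_LINE = "\n".join([_l[0], _l[2]])               # the two-line version

# Constructed probe packets: (source, destination)
PROBES = [("148.10.9.10", "209.0.0.254"), ("148.10.9.127", "209.0.0.5"),
          ("148.10.9.128", "209.0.0.5"), ("148.10.9.200", "209.0.0.254"),
          ("10.1.1.1", "209.0.0.254"), ("148.10.9.200", "198.51.100.7")]

def verdicts(acl_text):
    rules = parse(acl_text)
    return [evaluate(rules, s, d) for s, d in PROBES]
```

All three lists return the same verdict for every probe; the explicit deny lines change only which line produces the deny, which matters when that line carries `log`.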