ACL Question

Hi guys,

got a question for you, if you were assigned the network address
172.168.1.0 and subnetted the network to 172.168.1.0/20

so we have block sizes of 16 and you wanted to block half a subnetwork for example block the first half of 172.168.16.1 - 172.169.16.254 subnetwork

so you wanted the hosts with the ip address range 16.168.16.1 - 16.168.16.127 to be able to access a resouce but have the top half of this subnet to be blocked. What would the ACL be? just a simple source address blocking.

Cheers guys for feedback

Find more posts tagged with

SAVE $250 on Your CISCO Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View CISCO Boot Camps

Comments

sprkymrk

MAC_GLASGOW wrote:

got a question for you, if you were assigned the network address 172.168.1.0 and subnetted the network to 172.168.1.0/20

Did you mean 172.168.1.0/20 or 172.168.1.0/24 or 172.168.1.0/28?

MAC_GLASGOW wrote:

so we have block sizes of 16 and you wanted to block half a subnetwork for example block the first half of 172.168.16.1 - 172.169.16.254 subnetwork

Now you have a 169 in the second octet, typo? Block sizes of 16? So did you mean the subnet was divided into a 172.168.1.0/28 in order to create 16 networks of 14 hosts each? Also assuming you meant 192.168.1.0, otherwise we are dealing with a class B address where 16 networks and a /20 will actually give you 16 networks with 4096 hosts each. Can you please clarify? I am still on my first cup of coffee this morning.

PCHoldmann

First of all, a /20 would be 16.0 - 31.255 and your networks keep changing, but if you wanted to block the top half of a /24, you could use something like

access-list 100 permit ip 172.16.16.0 0.0.0.15 any

This would permit anything from 172.16.16.0 - 127, and deny anything else.

MAC_GLASGOW

Sorry the 169 was a typo.

if you had 172.168.1.0 / 20 - 255.255.255.240

so first subnet address would be 172.168.0.0 and next block would be 172.168.16.0 and so on

EdTheLad

For just a simple block of the source range 172.168.1.16-31
Everything else will be blocked as there is an implicit deny at the end.

access-list 1 permit 172.168.1.16 0.0.0.15

sprkymrk

MAC_GLASGOW wrote:

Sorry the 169 was a typo.

if you had 172.168.1.0 / 20 - 255.255.255.240

so first subnet address would be 172.168.0.0 and next block would be 172.168.16.0 and so on

Wouldn't that be 172.168.1.0/20 255.255.240.0? You are confusing me!

Which, by the way, is not all that hard to do.

MAC_GLASGOW

Sorry dude, just read what I typed I will get back to you tomorrow when hangover and clud wear off lol

david_r

If you are talking about 17.168.16.128/25 or 17.168.16.128 255.255.255.128, It would look like this. 17.168.16.128 0.0.0.127

But you need to allow what you need to allow.

access-list 1 permit 17.168.16.0 0.0.0.127