ACL Question

MAC_GLASGOW (Inactive Imported Users, Posts: 27)
Hi guys,

Got a question for you: if you were assigned the network address
172.168.1.0 and subnetted the network to 172.168.1.0/20,

so we have block sizes of 16, and you wanted to block half a subnetwork, for example block the first half of the 172.168.16.1 - 172.169.16.254 subnetwork,

so you wanted the hosts with the IP address range 16.168.16.1 - 16.168.16.127 to be able to access a resource but have the top half of this subnet blocked. What would the ACL be? Just simple source address blocking.

Cheers guys for feedback

Comments

  • sprkymrk (Member, Posts: 4,884)
    got a question for you, if you were assigned the network address 172.168.1.0 and subnetted the network to 172.168.1.0/20
    Did you mean 172.168.1.0/20 or 172.168.1.0/24 or 172.168.1.0/28?
    so we have block sizes of 16 and you wanted to block half a subnetwork for example block the first half of 172.168.16.1 - 172.169.16.254 subnetwork
    Now you have a 169 in the second octet, typo? Block sizes of 16? So did you mean the subnet was divided into a 172.168.1.0/28 in order to create 16 networks of 14 hosts each? Also, I am assuming you meant 192.168.1.0, otherwise we are dealing with a class B address, where 16 networks and a /20 will actually give you 16 networks with 4096 hosts each. Can you please clarify? I am still on my first cup of coffee this morning.
    All things are possible, only believe.
  • PCHoldmann (Member, Posts: 450)
    First of all, a /20 would be 16.0 - 31.255 and your networks keep changing, but if you wanted to block the top half of a /24, you could use something like

    access-list 100 permit ip 172.16.16.0 0.0.0.15 any

    This would permit anything from 172.16.16.0 - 127, and deny anything else.
    There's no place like ^$
    Visit me at Route, Switch, Blog
  • MAC_GLASGOW (Inactive Imported Users, Posts: 27)
    Sorry the 169 was a typo.

    If you had 172.168.1.0/20 - 255.255.255.240,

    then the first subnet address would be 172.168.0.0 and the next block would be 172.168.16.0, and so on.
  • EdTheLad (Member, Posts: 2,111)
    For just a simple block of the source range 172.168.1.16-31.
    Everything else will be blocked, as there is an implicit deny at the end.

    access-list 1 permit 172.168.1.16 0.0.0.15
    Networking, sometimes I love it, mostly I hate it. It's all about the $$$$
  • sprkymrk (Member, Posts: 4,884)
    Sorry the 169 was a typo.

    If you had 172.168.1.0/20 - 255.255.255.240,

    then the first subnet address would be 172.168.0.0 and the next block would be 172.168.16.0, and so on.
    Wouldn't that be 172.168.1.0/20 255.255.240.0? You are confusing me!
    Which, by the way, is not all that hard to do.
    All things are possible, only believe.
  • MAC_GLASGOW (Inactive Imported Users, Posts: 27)
    Sorry dude, just read what I typed. I will get back to you tomorrow when the hangover and clud wear off lol
  • david_r (Member, Posts: 112)
    If you are talking about 17.168.16.128/25 or 17.168.16.128 255.255.255.128, it would look like this: 17.168.16.128 0.0.0.127

    But you need to allow what you need to allow.

    access-list 1 permit 17.168.16.0 0.0.0.127