Access-list problem

CrunchyhippoCrunchyhippo Member Posts: 389
I have an access-list problem that I can't get past.

For example, if I wanted to block the addres range of 192.168.12.7-192.168.12.11 to anything, how would this be written? I want to allow traffic from 12.0-12.6 and 12.12-12.255. Can this ACL be written with this information?
"Computers in the future may weigh no more than 1.5 tons." - Popular Mechanics, 1949

Comments

  • LOkrasaLOkrasa Member Posts: 343 ■■■□□□□□□□
    Golden rule is to write a ACL to permit the traffic you want to pass through and let it deny the rest. If you want to just allow that ip range then write a permit statement for that one subnet and let the ACL let do the blocking for the other.
  • cisco_troopercisco_trooper Too many Member Posts: 1,441 ■■■■□□□□□□
    Your ACL is going to be more than a one-liner in this case because the hosts you wish to affect with your ACL do not fall "neatly" on subnet boundaries. Try something like this - I used an extended but it's simple enough to switch to standard if that's what works best for you.
    access-list 100 deny   ip host 192.168.12.7 any
    access-list 100 deny   ip 192.168.12.8 0.0.0.3 any
    access-list 100 permit ip 192.168.12.0 0.0.0.255 any
    access-list 100 deny   ip any any
    
  • CrunchyhippoCrunchyhippo Member Posts: 389
    Your ACL is going to be more than a one-liner in this case because the hosts you wish to affect with your ACL do not fall "neatly" on subnet boundaries. Try something like this - I used an extended but it's simple enough to switch to standard if that's what works best for you.
    access-list 100 deny   ip host 192.168.12.7 any
    access-list 100 deny   ip 192.168.12.8 0.0.0.3 any
    access-list 100 permit ip 192.168.12.0 0.0.0.255 any
    access-list 100 deny   ip any any
    

    Ok, it took me a moment to realize what you had done, but it looks like it would work. Since there's an implicit "deny all" at the end of the ACL, the last line would be left off I assume. But I knew my request wasn't a nice and neat one, so this was good practice.
    "Computers in the future may weigh no more than 1.5 tons." - Popular Mechanics, 1949
  • APAAPA Member Posts: 959
    due to implicit deny at the end yes you can leave the last line off.....

    However in a troubleshooting scenario you would put on 'deny ip any any log' as the last line to act as the implicit deny and to enable you to see if traffic is getting blocked when it shouldn't be... :)

    CCNA | CCNA:Security | CCNP | CCIP
    JNCIA:JUNOS | JNCIA:EX | JNCIS:ENT | JNCIS:SEC
    JNCIS:SP | JNCIP:SP
  • PlazmaPlazma Member Posts: 503
    A.P.A wrote:
    However in a troubleshooting scenario you would put on 'deny ip any any log' as the last line to act as the implicit deny and to enable you to see if traffic is getting blocked when it shouldn't be... :)

    + 1 to this... this has saved my skin on numerous occasions
    CCIE - COMPLETED!
Sign In or Register to comment.