access list
linux44
Member Posts: 38 ■■□□□□□□□□
in CCNA & CCENT
Hi,
I am using Packet Tracer and want to implement an access list.
I want to deny any traffic from network address 10.0.0.128/25 to network .... using an extended access list.
These are the commands that I use:
ip access-li extended cisco
deny tcp 10.0.0.128 [subnet mask] [dest ip] [dest mask]
deny udp 10.0.0.128 [subnet mask] [dest ip] [dest mask]
deny icmp 10.0.0.128 [subnet mask] [dest ip] [dest mask]
deny ip 10.0.0.128 [subnet mask] [dest ip] [dest mask]
That is a lot of commands to achieve one thing that I could achieve with a standard access list by typing
deny [ipadd] [mask] any any
Is there any easier way to meet my requirement instead of typing 4 lines of commands with an extended access list??
Thanks
Comments
meadIT Member Posts: 581 ■■■■□□□□□□
I believe this line is the only one you would need for an extended ACL:
deny ip 10.0.0.128 [subnet mask] [dest ip] [dest mask]
You'll also have to follow it up with a permit ip any any, or all packets from any host will be discarded. (If the packet does not match any part of the access list, it is denied by default.)
Edit: Actually, you wouldn't need to include the subnet mask or anything like that; you would just need this:
deny ip host 10.0.0.128 any
permit ip any any
This will block any packets from that IP address addressed to any address, and then permit any other source to pass through.
CERTS: VCDX #110 / VCAP-DCA #500 (v5 & 4) / VCAP-DCD #10(v5 & 4) / VCP 5 & 4 / EMCISA / MCSE 2003 / MCTS: Vista / CCNA / CCENT / Security+ / Network+ / Project+ / CIW Database Design Specialist, Professional, Associate
linux44 Member Posts: 38 ■■□□□□□□□□
> I believe this line is the only one you would need for an extended ACL:
> deny ip 10.0.0.128 [subnet mask] [dest ip] [dest mask]
> You'll also have to follow it up with a permit ip any any, or all packets from any host will be discarded. (If the packet does not match any part of the access list, it is denied by default.)
> Edit: Actually, you wouldn't need to include the subnet mask or anything like that; you would just need this:
> deny ip host 10.0.0.128 any
> permit ip any any
> This will block any packets from that IP address addressed to any address, and then permit any other source to pass through.
I want to deny all the traffic, and that means UDP and TCP.
Are you trying to say that TCP is part of IP?
networker050184 Mod Posts: 11,962 Mod
> I want to deny all the traffic, and that means UDP and TCP.
> Are you trying to say that TCP is part of IP?
Deny ip is going to block any IP traffic, including UDP and TCP.
An expert is a man who has made all the mistakes which can be made.
meadIT Member Posts: 581 ■■■■□□□□□□
> I want to deny all the traffic, and that means UDP and TCP.
> Are you trying to say that TCP is part of IP?
I'm sure someone will correct me if I'm wrong, but yes. If you look at the syntax examples on this page you will notice that for IP you do not specify a port number, but you have to on TCP and UDP: Configuring IP Access Lists - Cisco Systems
Think of IP as blocking all TCP/IP traffic, and TCP and UDP as blocking certain ports. You also have to specify the type of ICMP traffic you are blocking/permitting (example: echo for pings).
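As an added example (my own illustration, not code from this thread or from Cisco): a small Python model of how an IOS extended ACL is evaluated, serving both the original question (one deny ip entry for 10.0.0.128/25 instead of four protocol-specific lines) and the later explanation that deny ip already covers TCP, UDP and ICMP. The Ace record, the matcher and the sample packets are all constructed for this illustration; it assumes the IOS rules that the /25 is written with wildcard 0.0.0.127, that the host keyword means wildcard 0.0.0.0 (one address), that entries are tried top to bottom with the first match deciding, and that a packet matching no entry hits the implicit deny.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of IOS extended-ACL matching (illustration only, not
# Cisco's implementation): entries are tried top to bottom, the first
# match decides, and a packet matching no entry hits the implicit
# "deny ip any any" at the end of every ACL.


@dataclass(frozen=True)
class Ace:
    """One access-control entry, e.g. Ace("deny", "ip", "10.0.0.128 0.0.0.127", "any")."""
    action: str    # "permit" or "deny"
    protocol: str  # "ip", "tcp", "udp" or "icmp"
    src: str       # "any", "host A.B.C.D", or "A.B.C.D WILDCARD"
    dst: str


def wildcard_for_prefix(prefixlen: int) -> str:
    """Wildcard mask for a /N prefix: the inverse of the subnet mask (/25 -> 0.0.0.127)."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefixlen}").hostmask)


def match_addr(spec: str, addr: str) -> bool:
    """IOS-style address match. Wildcard bit 1 = don't care, 0 = must be equal."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":          # "host X" is shorthand for "X 0.0.0.0"
        base, wildcard = parts[1], "0.0.0.0"
    else:
        base, wildcard = parts
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(base)) & care) == (int(ipaddress.IPv4Address(addr)) & care)


def match_proto(spec: str, proto: str) -> bool:
    """'ip' matches every IP protocol; tcp/udp/icmp match only themselves."""
    return spec == "ip" or spec == proto


def evaluate(acl, proto: str, src: str, dst: str):
    """Return (action, entry_number); entry_number 0 means the implicit deny fired."""
    for number, ace in enumerate(acl, start=1):
        if match_proto(ace.protocol, proto) and match_addr(ace.src, src) and match_addr(ace.dst, dst):
            return ace.action, number
    return "deny", 0


# Two-line replacement for the four protocol-specific denies in the question:
# one "deny ip" covers TCP, UDP and ICMP from 10.0.0.128/25, and the explicit
# permit keeps every other source flowing.
ACL_NETWORK = [
    Ace("deny", "ip", f"10.0.0.128 {wildcard_for_prefix(25)}", "any"),
    Ace("permit", "ip", "any", "any"),
]

# Same shape with the "host" keyword: wildcard 0.0.0.0, so it matches exactly
# the single address 10.0.0.128, not the rest of the /25.
ACL_HOST = [
    Ace("deny", "ip", "host 10.0.0.128", "any"),
    Ace("permit", "ip", "any", "any"),
]

# A deny with no trailing permit: every non-matching packet hits the implicit deny.
ACL_NO_PERMIT = [Ace("deny", "ip", "host 10.0.0.128", "any")]


def run_samples():
    """Evaluate a few constructed packets (protocol, source, destination) against each ACL."""
    packets = [
        ("tcp", "10.0.0.200", "192.0.2.10"),   # inside 10.0.0.128/25
        ("udp", "10.0.0.200", "192.0.2.10"),
        ("icmp", "10.0.0.200", "192.0.2.10"),
        ("tcp", "10.0.0.128", "192.0.2.10"),   # the one address "host" covers
        ("tcp", "10.0.0.5", "192.0.2.10"),     # in 10.0.0.0/25, outside the /25 deny
    ]
    return {
        name: [(p, evaluate(acl, *p)) for p in packets]
        for name, acl in (("network", ACL_NETWORK), ("host", ACL_HOST), ("no_permit", ACL_NO_PERMIT))
    }


if __name__ == "__main__":
    for name, rows in run_samples().items():
        print(name)
        for packet, (action, number) in rows:
            print(f"  {packet[0]:4} {packet[1]:>11} -> {packet[2]:<11} {action} (entry {number or 'implicit'})")
```

Running the block prints each packet's verdict and the entry that decided it: in the network table all three protocols from 10.0.0.200 are denied by entry 1 and 10.0.0.5 is permitted by entry 2, in the host table only 10.0.0.128 itself is denied, and in the no_permit table every other packet is dropped by the implicit deny (entry 0).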