access list

linux44 Member Posts: 38
Hi,
I am using Packet Tracer and want to implement some access lists.

I want to deny any traffic from network address 10.0.0.128/25 to network .... using an extended access list.
These are the commands that I use:
ip access-li extended cisco
deny tcp 10.0.0.128 [subnet mask] [dest ip] [dest mask]
deny udp 10.0.0.128 [subnet mask] [dest ip] [dest mask]
deny icmp 10.0.0.128 [subnet mask] [dest ip] [dest mask]
deny ip 10.0.0.128 [subnet mask] [dest ip] [dest mask]
and these are loads of commands to achieve one point, where I could achieve it by using a standard access list by typing
deny [ipadd] [mask] any any

Is there any easier way to meet my requirement instead of typing 4 lines of commands using an extended access list??

Thanks

Comments

    meadIT Member Posts: 581
    I believe this line is the only one you would need for an extended ACL:

    deny ip 10.0.0.128 [subnet mask] [dest ip] [dest mask]

    You'll also have to follow it up with a permit ip any any or all packets from any host will be discarded. (If the packet does not match any part of the access list, it is denied by default)

    Edit: Actually, you wouldn't need to include the subnet mask or anything like that, you would just need this:
    deny ip host 10.0.0.128 any
    permit ip any any
    This will block any packets from the IP address addressed to any address, and then permit any other source to pass through.
    CERTS: VCDX #110 / VCAP-DCA #500 (v5 & 4) / VCAP-DCD #10(v5 & 4) / VCP 5 & 4 / EMCISA / MCSE 2003 / MCTS: Vista / CCNA / CCENT / Security+ / Network+ / Project+ / CIW Database Design Specialist, Professional, Associate
    linux44 Member Posts: 38
    meadIT wrote: »
    I believe this line is the only one you would need for an extended ACL:

    deny ip 10.0.0.128 [subnet mask] [dest ip] [dest mask]

    You'll also have to follow it up with a permit ip any any or all packets from any host will be discarded. (If the packet does not match any part of the access list, it is denied by default)

    Edit: Actually, you wouldn't need to include the subnet mask or anything like that, you would just need this:
    deny ip host 10.0.0.128 any
    permit ip any any
    This will block any packets from the IP address addressed to any address, and then permit any other source to pass through.

    I want to deny all the traffic, and that means UDP, TCP.

    Are you trying to say that TCP is part of IP?
    networker050184 Mod Posts: 11,962
    linux44 wrote: »
    I want to deny all the traffic, and that means UDP, TCP.

    Are you trying to say that TCP is part of IP?

    Deny ip is going to block any IP traffic, including UDP and TCP.
    An expert is a man who has made all the mistakes which can be made.
    meadIT Member Posts: 581
    linux44 wrote: »
    I want to deny all the traffic, and that means UDP, TCP.

    Are you trying to say that TCP is part of IP?

    I'm sure someone will correct me if I'm wrong, but yes. If you look at the syntax examples on this page you will notice that for IP you do not specify a port number, but you have to on TCP and UDP: Configuring IP Access Lists - Cisco Systems

    Think of IP as blocking all TCP/IP traffic and TCP and UDP blocking certain ports. You also have to specify the type of ICMP traffic you are blocking/permitting (example: echo for pings).
    CERTS: VCDX #110 / VCAP-DCA #500 (v5 & 4) / VCAP-DCD #10(v5 & 4) / VCP 5 & 4 / EMCISA / MCSE 2003 / MCTS: Vista / CCNA / CCENT / Security+ / Network+ / Project+ / CIW Database Design Specialist, Professional, Associate
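Worked example, added here and not posted by anyone in the thread: a small Python model of how IOS walks an extended ACL, showing why a single `deny ip` line covers TCP, UDP and ICMP, that the wildcard mask for the question's 10.0.0.128/25 is 0.0.0.127, and what the implicit deny does when `permit ip any any` is left out. The destination network 192.168.1.0/24 is an assumption, since the question leaves it blank.

```python
import ipaddress

# Constructed example ACL in IOS syntax. 10.0.0.128/25 is the source network
# from the question (wildcard 0.0.0.127); 192.168.1.0/24 is an assumed destination.
ACL_LINES = [
    "deny ip 10.0.0.128 0.0.0.127 192.168.1.0 0.0.0.255",
    "permit ip any any",
]

def _parse_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # An IOS wildcard mask is the bitwise inverse of the subnet mask.
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), tokens[2:]

def parse_acl(lines):
    """Turn 'deny|permit PROTO SRC DST' lines into (action, proto, src_net, dst_net)."""
    entries = []
    for line in lines:
        action, proto, *rest = line.split()
        src, rest = _parse_addr(rest)
        dst, rest = _parse_addr(rest)
        entries.append((action, proto, src, dst))
    return entries

def evaluate(entries, proto, src_ip, dst_ip):
    """Top-down, first match wins; no match falls through to the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, ace_proto, src_net, dst_net in entries:
        # 'ip' matches every IP protocol, so one 'deny ip' covers tcp, udp and icmp.
        if ace_proto in ("ip", proto) and src in src_net and dst in dst_net:
            return action
    return "deny"

if __name__ == "__main__":
    acl = parse_acl(ACL_LINES)
    for proto, s, d in [("tcp", "10.0.0.200", "192.168.1.10"),
                        ("icmp", "10.0.0.129", "192.168.1.1"),
                        ("udp", "10.0.0.5", "192.168.1.10")]:
        print(proto, s, "->", d, evaluate(acl, proto, s, d))
    # Without 'permit ip any any' every other packet hits the implicit deny.
    print("no permit line:", evaluate(parse_acl(ACL_LINES[:1]), "udp", "10.0.0.5", "192.168.1.10"))
```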