arsalan921 wrote: » Hello, I would like to ask how to block a range of IP addresses using a standard IP access list. Example: I want to block IP addresses in the range 10.0.0.21 to 10.0.0.79, and allow all other IP addresses in the range 10.0.0.1 to 10.0.0.20, then 10.0.0.80 to 10.0.0.254. From what I have read, we will take the AND of 21 and 79, which gives 5, then take the XOR of 21 and 79, which gives 90. The access-list would become:
access-list 10 deny 10.0.0.5 0.0.0.90
But when I implement this in the lab, it doesn't work as required. Please help.
Monkerz wrote: » try this:
access-list 1 permit 10.0.0.0 0.0.0.15
access-list 1 permit 10.0.0.16 0.0.0.3
access-list 1 permit 10.0.0.80 0.0.0.127
access-list 1 permit 10.0.0.208 0.0.0.31
access-list 1 permit 10.0.0.240 0.0.0.15
EDIT: Thought I would surely get a laugh out of this...guess not.
That logic doesn't make sense at all. You either need to have a rule where you want to allow a certain range to come through or deny/block a certain range. There is no such thing as having both in the same ACL rule, since there is always an implicit deny all in every ACL.
No offense, but your example is very poor, since the wildcard mask won't work for the range you are trying to accomplish. You should expect overlaps, since the best wildcard I can pick for the 10.0.0.21-10.0.0.79 range is 0.0.0.63. However, there is always a way to circumvent this, but it's time-consuming and inconvenient. The minimum number of lines you can do this in is 28.
Whoever designed this crap network might want to think twice.
access-list 1 deny 10.0.0.21
access-list 1 deny 10.0.0.22 0.0.0.1
access-list 1 deny 10.0.0.24 0.0.0.7
access-list 1 deny 10.0.0.32 0.0.0.31
access-list 1 deny 10.0.0.64 0.0.0.15
access-list 1 permit any
Monkerz wrote: » It's a little long, but this should work for you.
access-list 1 deny 10.0.0.21
access-list 1 deny 10.0.0.22
access-list 1 deny 10.0.0.23
access-list 1 deny 10.0.0.24 0.0.0.7
access-list 1 deny 10.0.0.32 0.0.0.31
access-list 1 deny 10.0.0.64 0.0.0.7
access-list 1 deny 10.0.0.72 0.0.0.3
access-list 1 deny 10.0.0.76 0.0.0.1
access-list 1 deny 10.0.0.78
access-list 1 deny 10.0.0.79
access-list 1 permit any
pham0329 wrote: » You can certainly have permit/deny statements in the same ACL. How else would you deny one IP using an ACL without denying everything else? For example, if I only have access-list 10 deny 10.0.0.1 0.0.0.0 without any permit statement, everything else gets dropped as well.
pham0329 wrote: » Time consuming? Maybe.... Minimum number of lines is 28? Not really.
pham0329 wrote: » I didn't really review your earlier ACL and my ACLing skills are a little rusty, but wouldn't something like
permit 10.0.0.0 0.0.0.15
permit 10.0.0.16 0.0.0.3
permit 10.0.0.80 0.0.0.15
permit 10.0.0.96 0.0.0.31
permit 10.0.0.128 0.0.0.127
work as well?
arsalan921 wrote: » The access-list would become:
access-list 10 deny 10.0.0.5 0.0.0.90
But when I implement this in the lab, it doesn't work as required. Please help.
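The thread turns on what a wildcard mask can and cannot express: one entry matches exactly the addresses that agree with the entry on every 0 bit of the mask, so a single line can only cover a power-of-two block aligned to its own size, never an arbitrary range like .21 to .79. The script below is an added example (not posted by anyone in the thread) that splits a range into the fewest such blocks and checks any candidate ACL against the intended policy over 10.0.0.0/24 using only the standard library; the ACL data in it is a constructed transcription of the six-line list above.

```python
import ipaddress

def ip(s): return int(ipaddress.IPv4Address(s))
def ips(n): return str(ipaddress.IPv4Address(n))

def range_to_wildcards(first, last):
    """Split an inclusive IPv4 range into the fewest address/wildcard pairs a
    standard ACL can express. Each pair is a block whose size is a power of two
    and whose start is a multiple of that size; that is all a wildcard can say."""
    lo, hi, entries = ip(first), ip(last), []
    while lo <= hi:
        size = 1
        # grow the block while it stays aligned at lo and does not overshoot hi
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        entries.append((ips(lo), ips(size - 1)))
        lo += size
    return entries

def matches(addr, entry, wildcard):
    """A wildcard bit of 1 means 'don't care'; every 0 bit must match exactly."""
    w = ip(wildcard)
    return (ip(addr) & ~w) == (ip(entry) & ~w)

def evaluate(acl, addr):
    """First matching line wins; an unmatched packet hits the implicit deny."""
    for action, entry, wildcard in acl:
        if matches(addr, entry, wildcard):
            return action
    return "deny"

def policy_violations(acl, deny_first, deny_last, subnet="10.0.0.0/24"):
    """Hosts in the subnet where the ACL disagrees with the intent
    'deny deny_first..deny_last, permit every other host'."""
    bad = []
    for host in ipaddress.ip_network(subnet).hosts():
        wanted = "deny" if ip(deny_first) <= int(host) <= ip(deny_last) else "permit"
        if evaluate(acl, str(host)) != wanted:
            bad.append(str(host))
    return bad

# Constructed sample: the six-line deny list from the thread, as (action, entry, wildcard).
THREAD_ACL = [("deny", "10.0.0.21", "0.0.0.0"), ("deny", "10.0.0.22", "0.0.0.1"),
              ("deny", "10.0.0.24", "0.0.0.7"), ("deny", "10.0.0.32", "0.0.0.31"),
              ("deny", "10.0.0.64", "0.0.0.15"), ("permit", "0.0.0.0", "255.255.255.255")]

if __name__ == "__main__":
    print(range_to_wildcards("10.0.0.21", "10.0.0.79"))
    print(policy_violations(THREAD_ACL, "10.0.0.21", "10.0.0.79"))
```

Running `matches` against the original `deny 10.0.0.5 0.0.0.90` line shows why it failed in the lab: it matches 10.0.0.5 and 10.0.0.7, which were supposed to be allowed, and misses 10.0.0.22, which was supposed to be blocked.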