Standar Access List
arsalan921
Member Posts: 56 ■■□□□□□□□□
in CCNA & CCENT
Hello,
I would like to ask how to block a range of ip addresses using standard ip access list.
Example. I want to block Ip addresses in range 10.0.0.21 to 10.0.0.79, and allow all other IP addresses in the range 10.0.0.1 to 10.0.0.20, then 10.0.0.80 to 10.0.0.254
from what i have read,
we will take AND of 21 and 79, will get 5,
then take XOR of 21 and 79, will get 90.
access-list would become..
access-list 10 deny 10.0.0.5 0.0.0.90
but when i implement this in lab, it doesn't work as required.
please help.
I would like to ask how to block a range of ip addresses using standard ip access list.
Example. I want to block Ip addresses in range 10.0.0.21 to 10.0.0.79, and allow all other IP addresses in the range 10.0.0.1 to 10.0.0.20, then 10.0.0.80 to 10.0.0.254
from what i have read,
we will take AND of 21 and 79, will get 5,
then take XOR of 21 and 79, will get 90.
access-list would become..
access-list 10 deny 10.0.0.5 0.0.0.90
but when i implement this in lab, it doesn't work as required.
please help.
Comments
-
CaySpekko
Member Posts: 14 ■□□□□□□□□□
remember acl have an implied deny all at the end
so you need to add
access-list 10 permit any -
hiddenknight821
Member Posts: 1,209 ■■■■■■□□□□
arsalan921 wrote: »Hello,
I would like to ask how to block a range of ip addresses using standard ip access list.
Example. I want to block Ip addresses in range 10.0.0.21 to 10.0.0.79, and allow all other IP addresses in the range 10.0.0.1 to 10.0.0.20, then 10.0.0.80 to 10.0.0.254
from what i have read,
we will take AND of 21 and 79, will get 5,
then take XOR of 21 and 79, will get 90.
access-list would become..
access-list 10 deny 10.0.0.5 0.0.0.90
but when i implement this in lab, it doesn't work as required.
please help.
That logic doesn't make sense at all. You either need to have a rule where you want to allow certain range to come through or deny/block certain range. There is no such thing as having both in the same ACL rule since there is always an implicit deny all in all ACL.
The only way you can achieve that is if you create another ACL. One ACL that allow or block the incoming traffic per INTERFACE. Another one that allow or block the outgoing traffic on the same aforementioned INTERFACE. You can only have one ACL per direction per interface.
No offense, but your example is very poor since the wildmask won't work for the range you are trying to accomplish. You should expect overlaps since the best wildcard I can pick for the 10.0.0.21-10.0.0.79 range is 0.0.0.63.
However, there is always a way to circumvent this, but it's time-consuming and inconvenience. The minimum numbers of line you can do this is 28 if you did it this way:
For the 10.0.0.21-10.0.0.31, you would have to block each individual address. The same goes for 10.0.0.64-10.0.0.79. For the 10.0.0.32-10.0.0.63, you can use the wildward 0.0.0.31. This is some serious tendious task, so whoever design this crap network might want to think twice. -
hiddenknight821
Member Posts: 1,209 ■■■■■■□□□□
try this:
access-list 1 permit 10.0.0.0 0.0.0.15
access-list 1 permit 10.0.0.16 0.0.0.3
access-list 1 permit 10.0.0.80 0.0.0.127
access-list 1 permit 10.0.0.208 0.0.0.31
access-list 1 permit 10.0.0.240 0.0.0.15
EDIT:
Thought I would surely get a laugh out of this...guess not.
Lol, it's not that we are not laughing with you. We came in too late to get this
-
pham0329
Member Posts: 556
You can certainly have permit/deny statements in the same ACL. How else would you deny one IP using an ACL without denying everything else?That logic doesn't make sense at all. You either need to have a rule where you want to allow certain range to come through or deny/block certain range. There is no such thing as having both in the same ACL rule since there is always an implicit deny all in all ACL.
For example, if I only have
access-list 10 deny 10.0.0.1 0.0.0.0 without any permit statement, everything else gets dropped as well.
Time consuming? maybe....minimum number of line is 28? not really.No offense, but your example is very poor since the wildmask won't work for the range you are trying to accomplish. You should expect overlaps since the best wildcard I can pick for the 10.0.0.21-10.0.0.79 range is 0.0.0.63.
However, there is always a way to circumvent this, but it's time-consuming and inconvenience. The minimum numbers of line you can do this is 28hoever design this crap network might want to think twice.
Not saying I don't agree with you, bu there are times when you have no choice but to prevent certain traffic within a VLAN, without separating them into different VLANs. That's why things like Private VLANs and VACL exists. -
Monkerz
Member Posts: 842
This should work for you.access-list 1 deny 10.0.0.21 access-list 1 deny 10.0.0.22 0.0.0.1 access-list 1 deny 10.0.0.24 0.0.0.7 access-list 1 deny 10.0.0.32 0.0.0.31 access-list 1 deny 10.0.0.64 0.0.0.15 access-list 1 permit any
-
pham0329
Member Posts: 556
It's a little long, but this should work for you.
access-list 1 deny 10.0.0.21 access-list 1 deny 10.0.0.22 access-list 1 deny 10.0.0.23 access-list 1 deny 10.0.0.24 0.0.0.7 access-list 1 deny 10.0.0.32 0.0.0.31 access-list 1 deny 10.0.0.64 0.0.0.7 access-list 1 deny 10.0.0.72 0.0.0.3 access-list 1 deny 10.0.0.76 0.0.0.1 access-list 1 deny 10.0.0.78 access-list 1 deny 10.0.0.79 access-list 1 permit any
I didn't really review your earlier ACL and my ACLing skills is a little rusty, but wouldn't something like
permit 10.0.0.0 0.0.0.15
permit 10.0.0.16 0.0.0.3
permit 10.0.0.80 0.0.0.15
permit 10.0.0.96 0.0.0.31
permit 10.0.0.128 0.0.0.127
work as well? -
hiddenknight821
Member Posts: 1,209 ■■■■■■□□□□
You can certainly have permit/deny statements in the same ACL. How else would you deny one IP using an ACL without denying everything else?
For example, if I only have
access-list 10 deny 10.0.0.1 0.0.0.0 without any permit statement, everything else gets dropped as well..
You are right, and I stand correct. Pardon me if I was confusing since my writing is not always in black and white. I did mention there is an implicit deny in all ACL.Time consuming? maybe....minimum number of line is 28? not really.
You win. I can fix this, but I challenge you to prove me wrong since who knows if you could be wrong too. Show the OP how it's done the best way possible.
EDIT: Never mind the challenge. -
hiddenknight821
Member Posts: 1,209 ■■■■■■□□□□
I didn't really review your earlier ACL and my ACLing skills is a little rusty, but wouldn't something like
permit 10.0.0.0 0.0.0.15
permit 10.0.0.16 0.0.0.3
permit 10.0.0.80 0.0.0.15
permit 10.0.0.96 0.0.0.31
permit 10.0.0.128 0.0.0.127
work as well?
I believe Monkerz is right on the nose. -
Monkerz
Member Posts: 842
I didn't really review your earlier ACL and my ACLing skills is a little rusty, but wouldn't something like
permit 10.0.0.0 0.0.0.15
permit 10.0.0.16 0.0.0.3
permit 10.0.0.80 0.0.0.15
permit 10.0.0.96 0.0.0.31
permit 10.0.0.128 0.0.0.127
work as well?
Looks like it should.
I was talking to Verizon's escalation line while typing the example out. I make things more complicated then they should be sometimes... -
alan2308
Member Posts: 1,854 ■■■■■■■■□□
arsalan921 wrote: »
access-list would become..
access-list 10 deny 10.0.0.5 0.0.0.90
but when i implement this in lab, it doesn't work as required.
please help.
This will block 10.0.0.21 and 10.0.0.79, not 10.0.0.21 through 10.0.0.79. You'll need to AND and XOR all of the values, not just the first and last. I tossed it in a spreadsheet and got 10.0.0.0 10.00.20.
