Question about Cisco ACL
mrblackmamba343
Inactive Imported Users Posts: 136
in CCNA & CCENT
I have a /16 which is 172.20.0.0/16.
And I have divided it up into /29's, for example 172.20.1.0/29.
Is it possible to write one ACL which denies the second address in each /29?
For example for 172.20.1.2/29, 172.20.1.10/29, 172.28.2.18/29 etc....
Will that be possible?
Comments
Gngogh Member Posts: 165
Yes, you have to write an ACL for every subnet... in one line it is not possible.
access-list 101 deny ip host 172.20.1.2 any
access-list 101 deny ip host 172.20.1.10 any
access-list 101 deny ip host 172.20.1.18 any
and so on...
mrblackmamba343 Inactive Imported Users Posts: 136
Gngogh wrote: »
Yes, you have to write an ACL for every subnet... in one line it is not possible.
access-list 101 deny ip host 172.20.1.2 any
access-list 101 deny ip host 172.20.1.10 any
access-list 101 deny ip host 172.20.1.18 any
and so on...
Or you can create an Object Group, but this is beyond my limited knowledge.
I know I can create host deny statements, but I want to kill more birds with one stone.
Can I have one ACL to accomplish this?
f0rgiv3n Member Posts: 598
I sat here and wrote it out, and as far as I can figure out there isn't a way to do that. The second host address in each subnet would have to have something (binary bits) in common that none of the others do in order for that to work.
You can do things like reference only odds or evens (255.255.255.1), but I don't think you can do this. I could be convinced otherwise, but I can't figure out how it would work.
Gngogh Member Posts: 165
Packet Tracer is very limited; I don't know if you are using it or you have proper hardware??? If so, read this article:
Security Configuration Guide: Access Control Lists, Cisco IOS Release 12.4T - Object Groups for ACLs [Support] - Cisco
I think you can do it if you create an object-group with all the IP addresses you want to deny and apply that object-group to an Extended ACL.
My problem is that in Packet Tracer I cannot create object-groups...
mrblackmamba343 Inactive Imported Users Posts: 136
f0rgiv3n wrote: »
I sat here and wrote it out, and as far as I can figure out there isn't a way to do that. The second host address in each subnet would have to have something (binary bits) in common that none of the others do in order for that to work.
You can do things like reference only odds or evens (255.255.255.1), but I don't think you can do this. I could be convinced otherwise, but I can't figure out how it would work.
Can one ACL accomplish it?
f0rgiv3n Member Posts: 598
Yes, you can use object-groups, but I was thinking that the OP was asking if you could do it via subnet mask.
mrblackmamba343 wrote: »
What about the last host in the subnet?
Can one ACL accomplish it?
That'll be the same issue. There aren't any bits in common with only the last host in the subnet that others don't share. You wouldn't be able to reference only those by subnet without grabbing others in the process.
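As an added illustration, not code from any poster in the thread, here is a small Python simulation of how IOS evaluates a wildcard mask bit by bit, used to check exactly which addresses of 172.20.0.0/16 a candidate entry such as `access-list 101 deny ip 172.20.0.2 0.0.255.248 any` would hit. That wildcard leaves only the low three bits of the last octet fixed (a non-contiguous wildcard, which IOS accepts), and the same check is run for the "last host of each /29" case and for a contiguous wildcard for comparison; the function names are this example's own.

```python
import ipaddress


def wildcard_match(addr, base, wildcard):
    """Cisco ACL semantics: a 0 bit in the wildcard must equal the base,
    a 1 bit is 'don't care'. Non-contiguous wildcards are evaluated the same way."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


def matched_in(network, base, wildcard):
    """Every address of `network` that an entry '<base> <wildcard>' would hit, ascending."""
    net = ipaddress.IPv4Network(network)
    return [str(a) for a in net if wildcard_match(a, base, wildcard)]


def host_offset_of_each(network, new_prefix, offset):
    """Address at `offset` from the start of each sub-block: offset 2 is the
    second address of each /29 as in the question, offset 6 the last usable host."""
    net = ipaddress.IPv4Network(network)
    return [str(sub.network_address + offset)
            for sub in net.subnets(new_prefix=new_prefix)]


def entry_is_exact(network, base, wildcard, new_prefix, offset):
    """True when the entry hits exactly the intended hosts: no misses, no extras.
    Worth running before applying any wildcard so the ACL does not over-match."""
    return (matched_in(network, base, wildcard)
            == host_offset_of_each(network, new_prefix, offset))


if __name__ == "__main__":
    block = "172.20.0.0/16"  # the OP's /16, split into /29s
    # Candidate single entry for the second address of every /29: the wildcard
    # 0.0.255.248 checks only the low three bits of the last octet (binary 010).
    hits = matched_in(block, "172.20.0.2", "0.0.255.248")
    print(len(hits), hits[:3], "exact:",
          entry_is_exact(block, "172.20.0.2", "0.0.255.248", 29, 2))
    # Last usable host of every /29: low three bits 110.
    print("last host exact:", entry_is_exact(block, "172.20.0.6", "0.0.255.248", 29, 6))
    # A contiguous wildcard cannot single out one position: 0.0.0.7 takes the whole /29.
    print(matched_in(block, "172.20.1.2", "0.0.0.7"))
```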