Question about Cisco ACL

mrblackmamba343 Inactive Imported Users Posts: 136
I have a /16 which is 172.20.0.0/16.

And I have divided it up into /29's for example 172.20.1.0/29



Is it possible to write one ACL which denies the second address in each /29?

For example for 172.20.1.2/29, 172.20.1.10/29, 172.28.2.18/29 etc....


Will that be possible?

Comments

  • Gngogh Member Posts: 165
    Yes, you have to write an ACL for every subnet... in one line it is not possible.

    access-list 101 deny ip host 172.20.1.2 any
    access-list 101 deny ip host 172.20.1.10 any
    access-list 101 deny ip host 172.20.1.18 any

    and so on...
  • mrblackmamba343 Inactive Imported Users Posts: 136
    Gngogh wrote:
    Yes, you have to write an ACL for every subnet... in one line it is not possible.

    access-list 101 deny ip host 172.20.1.2 any
    access-list 101 deny ip host 172.20.1.10 any
    access-list 101 deny ip host 172.20.1.18 any

    and so on...

    or you can create an Object Group, but this is beyond my limited knowledge.

    I know I can create host deny statements but I want to kill more birds with one stone.

    Can I have one ACL to accomplish this?
  • f0rgiv3n Member Posts: 598
    I sat here and wrote it out and as far as I can figure out there isn't a way to do that. The second host address in each subnet would have to have something (binary bits) in common that none of the others do in order for that to work.

    You can do things like reference only odds or evens (255.255.255.1) but I don't think you can do this. I could be convinced otherwise but I can't figure out how it would work.
  • Gngogh Member Posts: 165
    Packet Tracer is very limited. I don't know if you are using it or if you have proper hardware. If so, read this article:

    Security Configuration Guide: Access Control Lists, Cisco IOS Release 12.4T - Object Groups for ACLs [Support] - Cisco

    I think you can do it if you create an object-group with all the IP addresses you want to deny and apply that object-group to an Extended ACL.

    My problem is that in Packet Tracer I cannot create object-groups.
  • mrblackmamba343 Inactive Imported Users Posts: 136
    f0rgiv3n wrote:
    I sat here and wrote it out and as far as I can figure out there isn't a way to do that. The second host address in each subnet would have to have something (binary bits) in common that none of the others do in order for that to work.

    You can do things like reference only odds or evens (255.255.255.1) but I don't think you can do this. I could be convinced otherwise but I can't figure out how it would work.
    what about the last host in the subnet?

    Can one ACL accomplish it?
  • f0rgiv3n Member Posts: 598
    Yes, you can use object-groups but I was thinking that the OP was asking if you could do it via subnet mask.
    what about the last host in the subnet?

    Can one ACL accomplish it?

    That'll be the same issue. There aren't any bits in common with only the last host in the subnet that others don't share. You wouldn't be able to reference only those by subnet without grabbing others in the process.
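Added example, written for this page and not code from any of the posters: a small Python model of how an IOS ACE compares a source address against its "address wildcard" pair, so the bit arithmetic behind the thread can be checked on real numbers before anything is applied to a router. It assumes IOS wildcard semantics (a 0 bit in the wildcard must match, a 1 bit is ignored) and the fact that IOS accepts non-contiguous wildcards. On those assumptions the second host of every /29 in 172.20.0.0/16 shares the low three bits 010, so the single ACE "172.20.0.2 0.0.255.248" selects exactly those addresses, and "172.20.0.6 0.0.255.248" does the same for the last host of every /29; the block also renders the per-host list from the thread for comparison and shows the odd/even idiom with 0.0.0.1 255.255.255.254. ACL number 101, the /24 used for the enumeration and the function names are chosen for illustration.

```python
import ipaddress


def to_int(addr):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def ace_matches(address, wildcard, packet_src):
    """Emulate the source test of one ACE written as 'address wildcard':
    a 0 bit in the wildcard must match, a 1 bit is ignored.  IOS accepts
    non-contiguous wildcards, so this also covers masks like 0.0.255.248."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(address) & care) == (to_int(packet_src) & care)


def addresses_matched(address, wildcard, network):
    """Every address inside `network` that the ACE would select.  Useful as a
    pre-deployment check that an ACE does not catch more than intended."""
    return [str(a) for a in ipaddress.IPv4Network(network)
            if ace_matches(address, wildcard, str(a))]


def per_host_entries(network, offset, new_prefix=29, acl=101):
    """The one-line-per-subnet approach from the thread: a 'host' ACE for the
    address at `offset` in each /new_prefix block of `network`."""
    net = ipaddress.IPv4Network(network)
    return [f"access-list {acl} deny ip host {sub.network_address + offset} any"
            for sub in net.subnets(new_prefix=new_prefix)]


def wildcard_pair(network, offset, new_prefix=29):
    """(address, wildcard) for a single ACE selecting the address at `offset`
    inside every /new_prefix block of `network`.  Bits that must match are the
    network bits of `network` and the host bits (low 32-new_prefix bits); the
    bits that identify the block are 'don't care' (1) in the wildcard."""
    net = ipaddress.IPv4Network(network)
    host_bits = 32 - new_prefix
    if new_prefix < net.prefixlen or offset >= (1 << host_bits):
        raise ValueError("offset must fit in a /%d block of %s" % (new_prefix, net))
    block_mask = (0xFFFFFFFF << host_bits) & 0xFFFFFFFF   # netmask of one /new_prefix
    wildcard = int(net.netmask) ^ block_mask              # only the block-id bits vary
    address = int(net.network_address) | offset
    return str(ipaddress.IPv4Address(address)), str(ipaddress.IPv4Address(wildcard))


def wildcard_entry(network, offset, new_prefix=29, acl=101):
    """Render the single-ACE form as an IOS extended ACL line."""
    address, wildcard = wildcard_pair(network, offset, new_prefix)
    return f"access-list {acl} deny ip {address} {wildcard} any"


if __name__ == "__main__":
    # Second host of every /29 in 172.20.0.0/16 (the original question).
    print(wildcard_entry("172.20.0.0/16", 2))   # 172.20.0.2 0.0.255.248
    # Last host of every /29 (the follow-up question).
    print(wildcard_entry("172.20.0.0/16", 6))   # 172.20.0.6 0.0.255.248
    # Enumerate one /24 (chosen for illustration) to see exactly what the ACE
    # catches, and compare with the per-host list for the same /24.
    by_wildcard = addresses_matched("172.20.0.2", "0.0.255.248", "172.20.1.0/24")
    by_host = [line.split()[5] for line in per_host_entries("172.20.1.0/24", 2)]
    print(by_wildcard == by_host, len(by_wildcard), "addresses per /24")
    print(len(per_host_entries("172.20.0.0/16", 2)), "host lines for the whole /16")
    # The odd/even idiom: only the last bit must match.
    print(ace_matches("0.0.0.1", "255.255.255.254", "10.1.1.7"),   # odd  -> True
          ace_matches("0.0.0.1", "255.255.255.254", "10.1.1.8"))   # even -> False
```

Run the enumeration over the real address block before committing either form: one non-contiguous ACE is far easier to audit than thousands of host lines, but it is also easier to get the wildcard wrong by one bit and silently deny the wrong hosts, and `addresses_matched` makes that mistake visible in a lab rather than in production.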