Access-list problem

I have an access-list problem that I can't get past.

For example, if I wanted to block the addres range of 192.168.12.7-192.168.12.11 to anything, how would this be written? I want to allow traffic from 12.0-12.6 and 12.12-12.255. Can this ACL be written with this information?

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

LOkrasa

Golden rule is to write a ACL to permit the traffic you want to pass through and let it deny the rest. If you want to just allow that ip range then write a permit statement for that one subnet and let the ACL let do the blocking for the other.

cisco_trooper

Your ACL is going to be more than a one-liner in this case because the hosts you wish to affect with your ACL do not fall "neatly" on subnet boundaries. Try something like this - I used an extended but it's simple enough to switch to standard if that's what works best for you.

access-list 100 deny   ip host 192.168.12.7 any
access-list 100 deny   ip 192.168.12.8 0.0.0.3 any
access-list 100 permit ip 192.168.12.0 0.0.0.255 any
access-list 100 deny   ip any any

Crunchyhippo

cisco_trooper wrote:
Your ACL is going to be more than a one-liner in this case because the hosts you wish to affect with your ACL do not fall "neatly" on subnet boundaries. Try something like this - I used an extended but it's simple enough to switch to standard if that's what works best for you.
access-list 100 deny   ip host 192.168.12.7 any
access-list 100 deny   ip 192.168.12.8 0.0.0.3 any
access-list 100 permit ip 192.168.12.0 0.0.0.255 any
access-list 100 deny   ip any any

Ok, it took me a moment to realize what you had done, but it looks like it would work. Since there's an implicit "deny all" at the end of the ACL, the last line would be left off I assume. But I knew my request wasn't a nice and neat one, so this was good practice.

APA

due to implicit deny at the end yes you can leave the last line off.....

However in a troubleshooting scenario you would put on 'deny ip any any log' as the last line to act as the implicit deny and to enable you to see if traffic is getting blocked when it shouldn't be...

Plazma

A.P.A wrote:

However in a troubleshooting scenario you would put on 'deny ip any any log' as the last line to act as the implicit deny and to enable you to see if traffic is getting blocked when it shouldn't be...

+ 1 to this... this has saved my skin on numerous occasions

Quick Links

All Categories
Recent Posts
Activity
Unanswered
Groups
Best Of