ACL Question

Dec 10th, 2007

Dear All,


I am a bit confused about this kind of ACL configuration. Let's say I want to prevent traffic from hosts 10.10.10.60 ~ 10.10.10.80 from passing through a serial interface. What wildcard mask can I use?


Thank you.

Jon Marshall Mon, 12/10/2007 - 19:08

Hi


Well you can't cover this off with one mask but you could do


host 10.10.10.60

host 10.10.10.61

host 10.10.10.62

host 10.10.10.63

10.10.10.64 0.0.0.15

host 10.10.10.80


the 10.10.10.64 entry has a wildcard mask of 0.0.0.15 which covers the hosts 10.10.10.64 -> 10.10.10.79


Jon


Edison Ortiz Mon, 12/10/2007 - 19:13

You will need the following entries


! Deny from 10.10.10.60-63

access-list 101 deny ip 10.10.10.60 0.0.0.3 any

! Deny from 10.10.10.64-71

access-list 101 deny ip 10.10.10.64 0.0.0.7 any

! Deny from 10.10.10.72-79

access-list 101 deny ip 10.10.10.72 0.0.0.7 any

! Deny 10.10.10.80

access-list 101 deny ip host 10.10.10.80 any

! Permit rest of the traffic

access-list 101 permit ip any any


interface sx/x

ip access-group 101 out


guruprasadr Mon, 12/10/2007 - 20:35

Hi, [Do Rate ALL HELPFUL HOSTS]


You will need to implement as recommended by Edison.


10.10.10.60 0.0.0.3

Means =

First Adr: 10.10.10.60

Last Adr: 10.10.10.63


This way you need to split the overall subnet and write the deny rules, then permit the other IP addresses, because without any permit statements for the other IP ranges the implicit deny will come into action.


Do Rate ALL HELPFUL HOSTS


Best Regards,


Guru Prasad R
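
The split used in the replies above can be computed and checked mechanically. The following Python sketch is an added example, not part of any post in this thread; the function names are hypothetical. It breaks the range into the fewest aligned address/wildcard blocks, renders them in the thread's `access-list 101` form, and tests which hosts in 10.10.10.0/24 the entries actually match.

```python
import ipaddress

def range_to_acl_entries(first, last):
    """Split an inclusive IPv4 range into the fewest aligned blocks and
    return (base_address, wildcard_mask) pairs, one per block."""
    start, end = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    # hostmask is the inverse of the netmask, i.e. the IOS wildcard mask.
    return [(str(n.network_address), str(n.hostmask))
            for n in ipaddress.summarize_address_range(start, end)]

def wildcard_matches(base, wildcard, addr):
    """IOS-style match: bits set to 1 in the wildcard are ignored."""
    b, w, a = (int(ipaddress.IPv4Address(x)) for x in (base, wildcard, addr))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def render_acl(acl_number, entries):
    """Emit deny lines for each block, then the explicit permit that keeps
    the implicit deny from dropping everything else."""
    lines = []
    for base, wc in entries:
        src = f"host {base}" if wc == "0.0.0.0" else f"{base} {wc}"
        lines.append(f"access-list {acl_number} deny ip {src} any")
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines

def matched_last_octets(entries, subnet="10.10.10.0/24"):
    """Last octet of every address in the subnet hit by at least one entry."""
    return [int(ip) & 0xFF for ip in ipaddress.ip_network(subnet)
            if any(wildcard_matches(b, w, str(ip)) for b, w in entries)]

if __name__ == "__main__":
    entries = range_to_acl_entries("10.10.10.60", "10.10.10.80")
    print("\n".join(render_acl(101, entries)))
    hit = matched_last_octets(entries)
    print("denied hosts: .%d through .%d (%d addresses)" % (hit[0], hit[-1], len(hit)))
    # A base that is not aligned to its mask matches a different block than
    # the one written: 10.10.10.60 0.0.0.7 covers .56-.63, not .60-.67.
    print("misaligned 10.10.10.60 0.0.0.7 matches:",
          matched_last_octets([("10.10.10.60", "0.0.0.7")]))
```

The computed split uses a single 10.10.10.64 0.0.0.15 entry where the second reply uses two 0.0.0.7 entries; both deny the same addresses, .64 through .79.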

