ACL Question

Dec 10th, 2007

Dear All,

I am a bit confused about this kind of ACL configuration. Let's say I want to prevent traffic from hosts 10.10.10.60 ~ 10.10.10.80 from passing through the serial interface. What wildcard mask can I use?

Thank you.

Jon Marshall Mon, 12/10/2007 - 19:08

Hi

Well, you can't cover this off with one mask, but you could do

host 10.10.10.60
host 10.10.10.61
host 10.10.10.62
host 10.10.10.63
10.10.10.64 0.0.0.15
host 10.10.10.80

The 10.10.10.64 entry has a wildcard mask of 0.0.0.15, which covers the hosts 10.10.10.64 -> 10.10.10.79. (The `host` keyword is shorthand for a 0.0.0.0 wildcard and takes no mask of its own, so the 0.0.0.15 entry is written without it.)

Jon

Edison Ortiz Mon, 12/10/2007 - 19:13

You will need the following entries (all in the same numbered list, 101 here, so that they are evaluated in order):

! Deny from 10.10.10.60-63
access-list 101 deny ip 10.10.10.60 0.0.0.3 any
! Deny from 10.10.10.64-71
access-list 101 deny ip 10.10.10.64 0.0.0.7 any
! Deny from 10.10.10.72-79
access-list 101 deny ip 10.10.10.72 0.0.0.7 any
! Deny 10.10.10.80
access-list 101 deny ip host 10.10.10.80 any
! Permit rest of the traffic
access-list 101 permit ip any any

interface sx/x
 ip access-group 101 out

guruprasadr Mon, 12/10/2007 - 20:35

Hi, [Do Rate ALL HELPFUL POSTS]

You will need to implement it as recommended by Edison.

10.10.10.60 0.0.0.3 means:

First address: 10.10.10.60
Last address: 10.10.10.63

This way you need to split the overall subnet and write deny rules, then permit the other IP addresses, because without any permit statements for the other IP ranges the implicit deny will come into action.

Do Rate ALL HELPFUL POSTS

Best Regards,

Guru Prasad R
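
The three replies above (Jon's split into host entries plus one 0.0.0.15 block, Edison's list of deny lines followed by a trailing permit, and Guru's explanation of what a wildcard mask means and why the permit is needed) all hinge on the same arithmetic: an IOS wildcard mask can only express an aligned power-of-two block, so an arbitrary range has to be broken into several such blocks. The Python below is an added example, not code from the thread or from Cisco: it computes the fewest `address wildcard` pairs for an inclusive range using the standard library's `ipaddress` module, renders them as an ACL in the form Edison used, evaluates an entry the way IOS does (wildcard 0 bits must match, 1 bits are ignored), and checks over the whole /24 that exactly the requested hosts are denied. The ACL number 101 and the 10.10.10.0/24 scope are taken from the thread; the function names are mine.

```python
import ipaddress


def wildcard_blocks(first, last):
    """Split the inclusive IPv4 range first..last into the fewest
    (base, wildcard) pairs a Cisco IOS ACL can express.

    Each pair is an aligned power-of-two block, i.e. a CIDR prefix, and the
    wildcard is that prefix's host mask: 0 bits must match the base, 1 bits
    are "don't care". summarize_address_range() does the splitting; for
    60..80 it yields 60/30, 64/28 and 80/32, exactly Jon's breakdown.
    """
    start = ipaddress.IPv4Address(first)
    end = ipaddress.IPv4Address(last)
    if start > end:
        raise ValueError("range is reversed")
    return [(str(net.network_address), str(net.hostmask))
            for net in ipaddress.summarize_address_range(start, end)]


def acl_matches(probe, base, wildcard):
    """True if probe falls under 'base wildcard' the way IOS evaluates it."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))   # bits that must match
    return (int(ipaddress.IPv4Address(probe)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def deny_range_acl(number, first, last):
    """Render a numbered extended ACL that denies sources in first..last and
    permits everything else. IOS ends every ACL with an implicit deny, so the
    final permit is required, as Guru's reply points out."""
    lines = []
    for base, wc in wildcard_blocks(first, last):
        src = f"host {base}" if wc == "0.0.0.0" else f"{base} {wc}"
        lines.append(f"access-list {number} deny ip {src} any")
    lines.append(f"access-list {number} permit ip any any")
    return lines


def covers_exactly(first, last, scope="10.10.10.0/24"):
    """Check, for every address in scope, that the generated deny entries match
    the addresses in first..last and nothing else (no under- or over-blocking)."""
    blocks = wildcard_blocks(first, last)
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    for addr in ipaddress.IPv4Network(scope):
        denied = any(acl_matches(str(addr), b, w) for b, w in blocks)
        if denied != (lo <= addr <= hi):
            return False
    return True


if __name__ == "__main__":
    for line in deny_range_acl(101, "10.10.10.60", "10.10.10.80"):
        print(line)
    # The tempting one-line shortcut "10.10.10.60 0.0.0.31" is wrong: the wildcard
    # clears the low five bits of the base, so it matches 10.10.10.32-63.
    print("single-mask shortcut matches 10.10.10.32:",
          acl_matches("10.10.10.32", "10.10.10.60", "0.0.0.31"))
```

Running the script prints a three-entry deny list (60/0.0.0.3, 64/0.0.0.15, host 80) plus the permit, one entry fewer than Edison's because 64-79 is a single aligned block. The shortcut check at the end shows why "one mask" cannot work: a wildcard only ever widens a match to an aligned block, so a base address that is not on that alignment pulls in addresses below the intended start.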
