Access Control List exceptions

Answered Question
Jan 9th, 2008

hi

i would like to block a network 10.10.10.0 using an ACL but exclude the first 100 IPs. Is it possible?

thanks


Correct Answer
Richard Burts Wed, 01/09/2008 - 10:55

Bill

It is certainly possible to exclude the first 100 IPs. It would take multiple statements to do it, but it certainly can be done. If you want to block 10.10.10.0 you could have a single statement to deny that address block. If you want to exclude the first 100 addresses you would have to put statements before the deny for 10.10.10.0 that would permit the first 100 addresses. So the access list might look something like this:

access-list 1 permit 10.10.10.0 0.0.0.63 (permits 0 through 63)

access-list 1 permit 10.10.10.64 0.0.0.31 (permits 64 through 95)

access-list 1 permit 10.10.10.96 0.0.0.3 (permits 96 through 99)

access-list 1 permit 10.10.10.100 0.0.0.0 (permits 100)

access-list 1 deny 10.10.10.0 0.0.0.255

Or if you want an extended access list you could write it that way. The important concept is the combination of statements and masks to include the first 100 addresses.

HTH

Rick

bkoum Wed, 01/09/2008 - 11:48

May I ask if this ACL can work on a 2950 switch with 12.1(22)EA8 IOS? It's a layer 2 switch, but somewhere I read that I can obtain ACLs using VLANs.

Correct Answer
Richard Burts Wed, 01/09/2008 - 12:04

Bill

This link has information about using access lists on the 2950 switch.

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_22ea/SCG/swacl.html

The good news is that it clearly says that access lists such as this can be used on the 2950. But the bad news is that it says that an access list on an interface can use only a single mask.

Based on this I do not believe that the access list as we have shown it could be applied to an interface on the 2950.

HTH

Rick

Correct Answer
simaskvilius Wed, 01/09/2008 - 11:13

There is no one-line way to do it, but the easiest way to do it is this way (if you want to block source addresses):

access-list 10 permit 10.10.10.0 0.0.0.63

access-list 10 permit 10.10.10.64 0.0.0.63

access-list 10 permit 10.10.10.96 0.0.0.3

access-list 10 permit 10.10.10.100 0.0.0.0

access-list 10 deny 10.10.10.0 0.0.0.255

You must understand the same techniques that are used in summarization to be able to create efficient access-lists.

Richard Burts Wed, 01/09/2008 - 11:31

Simas

This is a good answer with 1 small careless mistake. The line:

access-list 10 permit 10.10.10.64 0.0.0.63

has the wrong mask. It should be:

access-list 10 permit 10.10.10.64 0.0.0.31

HTH

Rick
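The answers above all rely on the same idea: split the address range you want to permit into aligned power-of-two blocks, express each block as an address plus wildcard mask, and put those permits ahead of the block deny. The script below is an added example written for this page, not code posted by anyone in the thread. It assumes Python's standard ipaddress module, the 10.10.10.0/24 range from the question, and the same "first 100" interpretation Rick's list uses (.0 through .100); the function names (wildcard_entries, render_standard_acl, audit) are my own. It generates the entries, emits the IOS standard ACL lines, and then evaluates the finished list against every address in the /24 the way IOS would (first match wins, implicit deny at the end). That last step is what catches the 0.0.0.63-instead-of-0.0.0.31 mistake discussed just above: the audit reports the 27 addresses .101 to .127 that the wrong mask silently permits.

```python
"""Build and verify an IOS standard ACL that permits the first hosts of a
network and denies the rest.  Added example; not from the forum thread."""
import ipaddress


def wildcard_entries(network, first, count):
    """Cover host offsets first .. first+count-1 of `network` with the fewest
    (address, wildcard) pairs.  Each pair is an aligned power-of-two block,
    which is the summarisation technique the answers describe."""
    base = int(ipaddress.ip_network(network).network_address)
    cur, end = base + first, base + first + count        # end is exclusive
    entries = []
    while cur < end:
        size = 1
        # Double the block while it stays aligned to its size and inside the range.
        while cur % (size * 2) == 0 and cur + size * 2 <= end:
            size *= 2
        entries.append((str(ipaddress.ip_address(cur)),
                        str(ipaddress.ip_address(size - 1))))  # wildcard = size - 1
        cur += size
    return entries


def render_standard_acl(number, permit_entries, deny_network):
    """Emit IOS standard ACL lines: the specific permits first, then the block deny."""
    lines = [f"access-list {number} permit {addr} {wc}" for addr, wc in permit_entries]
    net = ipaddress.ip_network(deny_network)
    lines.append(f"access-list {number} deny {net.network_address} {net.hostmask}")
    return lines


def parse_standard_acl(lines):
    """Parse 'access-list N permit|deny ADDR [WILDCARD]' into (action, addr, wildcard) ints."""
    rules = []
    for line in lines:
        parts = line.split()
        action, addr = parts[2], parts[3]
        wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"  # IOS default: exact host
        rules.append((action,
                      int(ipaddress.ip_address(addr)),
                      int(ipaddress.ip_address(wildcard))))
    return rules


def evaluate(rules, ip):
    """First matching entry wins; a wildcard bit of 1 means 'do not care'."""
    ip_int = int(ipaddress.ip_address(ip))
    for action, addr, wildcard in rules:
        care = ~wildcard & 0xFFFFFFFF
        if (ip_int & care) == (addr & care):
            return action
    return "deny"  # implicit deny at the end of every IOS ACL


def first_hosts(network, count, first=0):
    """The intended permit set: `count` consecutive addresses starting at offset `first`."""
    base = int(ipaddress.ip_network(network).network_address)
    return [str(ipaddress.ip_address(base + i)) for i in range(first, first + count)]


def audit(acl_lines, network, intended_permits):
    """Compare what the ACL really permits across `network` with the intended host
    set.  Returns (over_permitted, under_permitted) as sorted address lists."""
    rules = parse_standard_acl(acl_lines)
    actual = {str(ip) for ip in ipaddress.ip_network(network)
              if evaluate(rules, int(ip)) == "permit"}
    intended = set(intended_permits)
    return (sorted(actual - intended, key=ipaddress.ip_address),
            sorted(intended - actual, key=ipaddress.ip_address))


if __name__ == "__main__":
    intended = first_hosts("10.10.10.0/24", 101)  # .0 through .100, as in Rick's list
    acl = render_standard_acl(1, wildcard_entries("10.10.10.0/24", 0, 101), "10.10.10.0/24")
    print("\n".join(acl))
    print("audit of generated ACL (over, under):", audit(acl, "10.10.10.0/24", intended))

    # Constructed copy of the list with the wrong second mask (0.0.0.63 instead of 0.0.0.31).
    wrong = list(acl)
    wrong[1] = "access-list 1 permit 10.10.10.64 0.0.0.63"
    over, under = audit(wrong, "10.10.10.0/24", intended)
    print(f"wrong mask over-permits {len(over)} hosts: {over[0]} .. {over[-1]}")
```

Calling wildcard_entries with count=100 instead of 101 (.0 through .99) drops the final host entry and leaves three permits, so the choice of interpretation changes the list and is worth settling before the ACL is applied. Note also that the generated list uses four different masks; as Rick points out later in the thread, the 2950 documentation says an interface ACL on that platform can use only a single mask, so this style of list would need to be applied somewhere that does not have that restriction.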

Richard Burts Wed, 01/09/2008 - 11:34

Bill

I am glad that my answer was helpful in resolving your question. Thank you for using the rating system to indicate that your question was resolved (and thanks for the rating). It makes the forum more useful when people can read a question and can know that they will read answers that resolved the question.

The forum is a very effective place to learn. I encourage you to continue your participation in the forum.

HTH

Rick
