Access Control List exceptions

Answered Question
Jan 9th, 2008
hi

I would like to block the network 10.10.10.0 using an ACL but exclude the first 100 IPs. Is it possible?


thanks

Overall Rating: 5 (3 ratings)
Correct Answer
Richard Burts Wed, 01/09/2008 - 10:55
Bill


It is certainly possible to exclude the first 100 IPs. It would take multiple statements to do it, but it certainly can be done. If you want to block 10.10.10.0 you could have a single statement to deny that address block. If you want to exclude the first 100 addresses you would have to put statements before the deny for 10.10.10.0 that would permit the first 100 addresses. So the access list might look something like this:

access-list 1 permit 10.10.10.0 0.0.0.63 (permits 0 through 63)

access-list 1 permit 10.10.10.64 0.0.0.31 (permits 64 through 95)

access-list 1 permit 10.10.10.96 0.0.0.3 (permits 96 through 99)

access-list 1 permit 10.10.10.100 0.0.0.0 (permits 100)

access-list 1 deny 10.10.10.0 0.0.0.255


Or if you want an extended access list you could write it that way. The important concept is the combination of statements and masks to include the first 100 addresses.


HTH


Rick

bkoum Wed, 01/09/2008 - 11:48
May I ask if this ACL can work on a 2950 switch with 12.1(22)EA8 IOS? It's a layer 2 switch, but somewhere I read that I can obtain ACLs using VLANs.

Correct Answer
Richard Burts Wed, 01/09/2008 - 12:04
Bill


This link has information about using access lists on the 2950 switch.

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_22ea/SCG/swacl.html


The good news is that it clearly says that access lists such as this can be used on the 2950. But the bad news is that it says that an access list on an interface can use only a single mask.


Based on this I do not believe that the access list as we have shown it could be applied to an interface on the 2950.


HTH


Rick

Correct Answer
simaskvilius Wed, 01/09/2008 - 11:13
There is no one-line way to do it, but the easiest way to do it (if you want to block source addresses) is this:

access-list 10 permit 10.10.10.0 0.0.0.63
access-list 10 permit 10.10.10.64 0.0.0.63
access-list 10 permit 10.10.10.96 0.0.0.3
access-list 10 permit 10.10.10.100 0.0.0.0
access-list 10 deny 10.10.10.0 0.0.0.255


You must understand the same techniques that are used in summarization to be able to create efficient access lists.

Richard Burts Wed, 01/09/2008 - 11:31
Simas


This is a good answer with 1 small careless mistake. The line:

access-list 10 permit 10.10.10.64 0.0.0.63

has the wrong mask. It should be:

access-list 10 permit 10.10.10.64 0.0.0.31


HTH


Rick
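The following is an added example, not code from this thread or from Cisco. It reproduces the summarization step behind Rick's and Simas's masks (splitting .0 through .100 into aligned blocks and converting each block to a wildcard mask), evaluates the standard-ACL first-match rule against sample addresses, and shows why the 0.0.0.63 mask on the .64 line that Rick flagged over-permits. The ACL text is constructed from the posts above; the helper names are my own, and the mask count reported at the end is the check a 2950 operator would want given Rick's note that an interface ACL there takes only a single mask.

```python
import ipaddress
from typing import List, Set, Tuple

# Constructed from Rick's post: standard ACL 1 with the corrected masks.
RICK_ACL = """
access-list 1 permit 10.10.10.0 0.0.0.63
access-list 1 permit 10.10.10.64 0.0.0.31
access-list 1 permit 10.10.10.96 0.0.0.3
access-list 1 permit 10.10.10.100 0.0.0.0
access-list 1 deny 10.10.10.0 0.0.0.255
"""

# Constructed from Simas's post as first written (second line has the mask Rick flagged).
SIMAS_ACL_AS_POSTED = """
access-list 10 permit 10.10.10.0 0.0.0.63
access-list 10 permit 10.10.10.64 0.0.0.63
access-list 10 permit 10.10.10.96 0.0.0.3
access-list 10 permit 10.10.10.100 0.0.0.0
access-list 10 deny 10.10.10.0 0.0.0.255
"""

Entry = Tuple[str, int, int]  # (action, network as int, wildcard as int)


def parse_standard_acl(text: str) -> List[Entry]:
    """Parse numbered standard ACL lines: access-list N {permit|deny} SRC [WILDCARD]."""
    entries: List[Entry] = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            raise ValueError(f"not a standard ACL line: {line!r}")
        action = tok[2]
        if tok[3] == "any":                      # matches every source
            net, wc = 0, 0xFFFFFFFF
        elif tok[3] == "host":                   # exact host, wildcard 0.0.0.0
            net, wc = int(ipaddress.IPv4Address(tok[4])), 0
        else:
            net = int(ipaddress.IPv4Address(tok[3]))
            wc = int(ipaddress.IPv4Address(tok[4])) if len(tok) > 4 else 0
        entries.append((action, net, wc))
    return entries


def acl_action(entries: List[Entry], addr: str) -> str:
    """First matching line wins; IOS ends every ACL with an implicit deny."""
    a = int(ipaddress.IPv4Address(addr))
    for action, net, wc in entries:
        # A wildcard bit of 1 means "don't care", so compare only the 0 bits.
        if (a & ~wc & 0xFFFFFFFF) == (net & ~wc & 0xFFFFFFFF):
            return action
    return "deny"


def wildcard_entries(first: str, last: str) -> List[Tuple[str, str]]:
    """Summarize an inclusive address range into the fewest aligned blocks and
    express each as (network, wildcard); the wildcard is the block's host mask."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [(str(b.network_address), str(b.hostmask)) for b in blocks]


def permitted_hosts(entries: List[Entry], network: str = "10.10.10.0/24") -> Set[int]:
    """Last-octet values inside the /24 that the ACL permits."""
    return {int(h) & 0xFF for h in ipaddress.ip_network(network)
            if acl_action(entries, str(h)) == "permit"}


def distinct_wildcards(entries: List[Entry]) -> Set[str]:
    """Distinct masks used, for the single-mask restriction Rick mentions on the 2950."""
    return {str(ipaddress.IPv4Address(wc)) for _, _, wc in entries}


if __name__ == "__main__":
    print("blocks covering .0-.100:", wildcard_entries("10.10.10.0", "10.10.10.100"))
    rick = parse_standard_acl(RICK_ACL)
    simas = parse_standard_acl(SIMAS_ACL_AS_POSTED)
    print("Rick permits last octets:", sorted(permitted_hosts(rick))[-3:])
    print("Simas (as posted) permits up to:", max(permitted_hosts(simas)))
    print("distinct masks in Rick's ACL:", len(distinct_wildcards(rick)))
```

As written in the thread both lists end with an explicit deny of 10.10.10.0/24 and then the implicit deny, so applied to an interface they would also drop every source outside that /24; the parser accepts `any`, so appending `access-list 1 permit any` and re-running `permitted_hosts` with a different network argument is a quick way to confirm the intended behaviour before deploying.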

Richard Burts Wed, 01/09/2008 - 11:34
Bill


I am glad that my answer was helpful in resolving your question. Thank you for using the rating system to indicate that your question was resolved (and thanks for the rating). It makes the forum more useful when people can read a question and can know that they will read answers that resolved the question.


The forum is a very effective place to learn. I encourage you to continue your participation in the forum.


HTH


Rick
