How to use an ACL to block a range of IP addresses?

Unanswered Question
Jul 28th, 2008

I have VLAN 180 supporting the production network (DHCP and static IP).

How do I block the whole DHCP scope from accessing the internet?

Vlan 180 range: 10.14.80.1-10.14.95.254/255.255.240.0

DHCP range 10.14.84.1-10.14.89.254/255.255.240.0

Can someone advise whether the configuration below is correct or not?

access-list 111 deny tcp any 10.14.84.0 0.0.0.255 eq www

access-list 111 deny tcp any 10.14.85.0 0.0.0.255 eq www

access-list 111 deny tcp any 10.14.86.0 0.0.0.255 eq www

access-list 111 deny tcp any 10.14.87.0 0.0.0.255 eq www

access-list 111 deny tcp any 10.14.88.0 0.0.0.255 eq www

access-list 111 deny tcp any 10.14.89.0 0.0.0.255 eq www

Besides that, on which interface should I apply the command below?

ip access-group 111

Jason Fraioli Mon, 07/28/2008 - 19:20

If this is for a vlan, you might consider using a VACL (VLAN Access List). Basically you would deny traffic to the internet interface, but permit all other traffic.

HTH

bmcginn Mon, 07/28/2008 - 20:08

Mate,

If you want to stop the DHCP scope address range from using port 80 (http) or 443 (https) you can use the below access list inbound on the inside interface.

access-list 111 deny tcp 10.14.84.0 0.0.3.255 any eq www

access-list 111 deny tcp 10.14.89.0 0.0.1.255 any eq www

access-list 111 deny tcp 10.14.84.0 0.0.3.255 any eq 443

access-list 111 deny tcp 10.14.89.0 0.0.1.255 any eq 443

access-list 111 permit ip any any

I think that's what you're after. Obviously where you put the access list largely depends on where most of the traffic will originate.

Also, as mentioned above in the previous post, you can use vlan access lists which can cull traffic even before it hits the router!

Good luck!

Wlewx11@@ Mon, 07/28/2008 - 22:43

Thanks for your advice. Why must I use that wildcard instead of 0.0.0.255? Any reason?

BTW, do you think the config below suits my environment better? Appreciate your help.

access-list 111 deny tcp 10.14.84.0 0.0.3.255 any eq www

access-list 111 deny tcp 10.14.88.0 0.0.3.255 any eq www

access-list 111 deny tcp 10.14.84.0 0.0.3.255 any eq 443

access-list 111 deny tcp 10.14.88.0 0.0.3.255 any eq 443

access-list 111 permit ip any any

bmcginn Mon, 07/28/2008 - 22:51

You don't need to aggregate them if you don't want to. The individual entries using the 24-bit mask will do just as well.

The line "access-list 111 deny tcp 10.14.88.0 0.0.3.255 any eq www" will deny connection to the web for 10.14.88.0/24, 10.14.89.0/24, 10.14.90.0/24 and 10.14.91.0/24.

The DHCP scope you mentioned earlier is 10.14.84.1 up to 10.14.89.254. Therefore if you use "access-list 111 deny tcp 10.14.88.0 0.0.3.255 any eq www", it will also deny connection for the address ranges 10.14.90.0/24 and 10.14.91.0/24 (these two ranges are not in your DHCP pool, so I assume you want them to have connection to the Internet?).

Marwan ALshawi Mon, 07/28/2008 - 22:06

Try to make it like this:

access-list 111 deny tcp 10.14.80.0 0.0.15.255 any eq www

Then apply it to the inside interface, the interface that is connected to your LAN:

ip access-group 111 in

You can apply it to your outside interface like the following, but it is not recommended because it will be CPU intensive.

On the outside interface:

ip access-group 111 out

Good luck.

Rate if helpful.

Wlewx11@@ Mon, 07/28/2008 - 22:50

access-list 111 deny tcp 10.14.80.0 0.0.15.255 any eq www

IP range 10.14.80.1 to 10.14.95.254

Will this block all internet access?

bmcginn Mon, 07/28/2008 - 22:53

Only to port 80; port 443 will still be accessible.

bmcginn Mon, 07/28/2008 - 22:55

Correction: it will block access to anything on port 80, and the implicit deny at the end of the access list will deny all other traffic.

That's why you need the permit ip any any statement afterwards.

Brad

Marwan ALshawi Tue, 07/29/2008 - 05:45

OK, this access list

access-list 111 deny tcp 10.14.80.0 0.0.15.255 any eq www

will block HTTP.

Also, it's right that without the second statement with permit any it will block everything,

but I mentioned the ACL just for the idea of summarizing the addresses.

So for only web traffic:

access-list 111 deny tcp 10.14.80.0 0.0.15.255 any eq www

access-list 111 deny tcp 10.14.80.0 0.0.15.255 any eq 443

access-list 111 permit ip any any

Then apply it as I mentioned in the previous post.

Rate if helpful.

michael.leblanc Tue, 07/29/2008 - 08:58

Lewis:

From a security standpoint, it is preferable to not use "permit ip any any" at the end of your interface ACLs. It is preferable to construct your interface ACLs to only allow traffic permitted by your security policy. Anything not permitted by your security policy should be denied with "deny ip any any log" at the end of your interface ACLs. You might want to transition to this methodology in future implementations.

Ideally you would prevent outbound connection initiation by applying the interface ACL on an internal interface, rather than blocking the return traffic with the interface ACL being applied to an external interface.

Your DHCP scope has been defined as: 10.14.84.1 - 10.14.89.254

The proper masking for this range would be:

10.14.84.0 0.0.3.255 (10.14.84.0 through 10.14.87.0)

10.14.88.0 0.0.1.255 (10.14.88.0 through 10.14.89.0)

Your initial post asked "How to block all the DHCP scope to access internet?", but your ACL specified the keyword "www". It is therefore not clear whether you are seeking to block all access to the Internet, or just HTTP access to the Internet for these hosts.

You've not indicated whether this router resides on your network edge, or elsewhere in your network topology. If these hosts require HTTP access to servers on your network, and the routes to those servers pass through this router, you might want to be careful of using the keyword "any" as the destination in your interface ACLs.
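As an added illustration (not code from any poster in this thread), the Python helper below does the wildcard arithmetic that bmcginn and michael.leblanc describe: it derives the minimal network/wildcard pairs for the DHCP scope, tests which hosts a given entry matches (so the /22 aggregate 10.14.88.0 0.0.3.255 visibly catches 10.14.90.x and 10.14.91.x), and renders the deny lines followed by the trailing permit. Function names are my own.

```python
import ipaddress


def wildcard_entries(first_host, last_host):
    """Minimal (network, wildcard) pairs covering the whole /24 blocks that
    contain first_host..last_host. Like the thread, whole /24s are covered,
    so 10.14.84.1-10.14.89.254 is treated as 10.14.84.0-10.14.89.255."""
    start = ipaddress.ip_network(f"{first_host}/24", strict=False).network_address
    end = ipaddress.ip_network(f"{last_host}/24", strict=False).broadcast_address
    entries = []
    for net in ipaddress.summarize_address_range(start, end):
        # For an aligned block the host mask is exactly the Cisco wildcard.
        entries.append((str(net.network_address), str(net.hostmask)))
    return entries


def wildcard_matches(network, wildcard, addr):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    n = int(ipaddress.IPv4Address(network)) & care
    a = int(ipaddress.IPv4Address(addr)) & care
    return n == a


def acl_lines(number, first_host, last_host, ports=("www", "443")):
    """Render the deny entries plus the explicit permit the thread says is
    required to avoid the implicit deny at the end of the list."""
    lines = []
    for net, wc in wildcard_entries(first_host, last_host):
        for port in ports:
            lines.append(f"access-list {number} deny tcp {net} {wc} any eq {port}")
    lines.append(f"access-list {number} permit ip any any")
    return lines


if __name__ == "__main__":
    # Constructed input: the DHCP scope from the original question.
    print("\n".join(acl_lines(111, "10.14.84.1", "10.14.89.254")))
    # The /22 aggregate proposed in the thread over-blocks two extra /24s.
    for host in ("10.14.89.10", "10.14.90.10", "10.14.91.10", "10.14.92.10"):
        print(host, wildcard_matches("10.14.88.0", "0.0.3.255", host))
```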
