11-15-2008 02:49 AM - edited 03-06-2019 02:30 AM
Hi,
Please find the VLAN details given below.
VLAN: teamA-VLAN12, teamB-VLAN11, teamC-VLAN13, teamD-VLAN20, teamE-VLAN21
VLAN11=10.138.74.192/26
VLAN12=10.138.75.0/25
VLAN13=10.138.75.128/26
VLAN17=10.138.77.0/24 (server)
VLAN20=10.138.75.192/27
VLAN21=10.138.75.224/27
ACL for teamA
Team A should get access to 10.138.77.9, 10.138.77.90-10.138.77.101, 10.138.77.47-10.138.77.61 and 10.138.76.0-10.138.76.255.
Team A should not get access to VLAN11, VLAN13 and VLAN 20.
Please find the ACL configuration which I have done.
access-list 112 permit ip 10.138.75.0 0.0.0.126 host 10.138.77.9
access-list 112 permit ip 10.138.75.0 0.0.0.126 10.138.77.90 0.0.0.11
access-list 112 permit ip 10.138.75.0 0.0.0.126 10.138.77.47 0.0.0.14
access-list 112 permit ip 10.138.75.0 0.0.0.126 10.138.76.0 0.0.0.255
access-list 112 deny ip 10.138.75.0 0.0.0.126 10.138.74.192 0.0.0.62
access-list 112 deny ip 10.138.75.0 0.0.0.126 10.138.75.128 0.0.0.62
access-list 112 deny ip 10.138.75.0 0.0.0.126 10.138.75.192 0.0.0.30
access-list 112 deny ip 10.138.75.0 0.0.0.126 10.138.77.0 0.0.0.255
access-list 112 permit ip any any
interface Vlan12
ip access-group 112 in
** But after applying the above ACL, team A is unable to access the 10.138.77.90-10.138.77.101 and 10.138.77.47-10.138.77.61 ranges. Some other access is also blocked.
Please help to resolve this issue.
Regards,
som
11-17-2008 04:10 AM
Som,
I have broken down your question into sub-parts below. As Giuseppe had pointed out, this ACL is different from what you have posted.
a) Team A should get access to 10.138.77.9
access-list 112 permit ip 10.138.75.0 0.0.0.127 host 10.138.77.9
!- permits host 10.138.77.9
b) Allow access to 10.138.77.90 - 101
access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.77.90 0.0.0.7
!- permits IP address range 10.138.77.88-95, need to deny 88-89
access-list 112 deny ip 10.138.75.0 0.0.0.127 10.138.77.103 0.0.0.1
!- denies IP address range 10.138.77.88-89
c) Allow access to 10.138.77.47 - 61
access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.77.47 0.0.0.0
!- permits IP address 10.138.77.47 only
access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.77.48 0.0.0.15
!- permits IP address range 10.138.75.48-63, need to deny 62-63
access-list 112 deny ip 10.138.75.0 0.0.0.127 10.138.77.63 0.0.0.1
!- denies access to IP address range 10.138.77.62-63
d) Allow access to 10.138.76.0 - 10.138.76.255
access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.76.0 0.0.0.255
e) Deny access to VLAN11, VLAN13 and VLAN 20.
access-list 112 deny ip 10.138.75.0 0.0.0.127 10.138.74.192 0.0.0.63
!- denies VLAN 11
access-list 112 deny ip 10.138.75.0 0.0.0.127 10.138.75.128 0.0.0.63
!- denies VLAN 13
access-list 112 deny ip 10.138.75.0 0.0.0.127 10.138.75.192 0.0.0.31
!- denies VLAN 20
f) if you want to deny access to the server then specify the server IP address.
access-list 112 deny ip 10.138.75.0 0.0.0.127 host 10.138.77.x
======
access-list 112 permit ip 10.138.75.0 0.0.0.127 host 10.138.77.9
access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.77.90 0.0.0.7
access-list 112 deny ip 10.138.75.0 0.0.0.127 10.138.77.103 0.0.0.1
access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.77.47 0.0.0.0
access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.77.48 0.0.0.15
access-list 112 deny ip 10.138.75.0 0.0.0.127 10.138.77.63 0.0.0.1
access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.76.0 0.0.0.255
access-list 112 deny ip 10.138.75.0 0.0.0.127 10.138.74.192 0.0.0.63
access-list 112 deny ip 10.138.75.0 0.0.0.127 10.138.75.128 0.0.0.63
access-list 112 deny ip 10.138.75.0 0.0.0.127 10.138.75.192 0.0.0.31
access-list 112 deny ip 10.138.75.0 0.0.0.127 host 10.138.77.x
You had permit ip any any in the end. With this you would enable access to all destinations which you have not denied here. Effectively, the permit statements above would not be required if you use permit ip any any in the end. That line should be dropped.
HTH,
~Vaibhav
11-15-2008 04:25 AM
Hello Som,
for net 10.138.75.0/25 the wildcard mask is:
01111111 = 127
126 is = 01111110, and odd addresses like 10.138.75.3 don't match these lines.
The same reasoning applies to some destinations.
90 = 01011010
101 = 01100101
so they have very little in common.
The wildcard masks are to be calculated in binary and then converted to decimal.
10.138.77.88 0.0.0.7
will match from 10.138.77.88 to 10.138.77.95
10.138.77.96 0.0.0.7
will match from 10.138.77.96 to 10.138.77.103
Modify all lines following the above suggestions.
Hope to help
Giuseppe
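Added example, not part of the thread: a small Python checker that applies the binary wildcard-mask reasoning from Giuseppe's post and Vaibhav's breakdown to the ACL from the opening question. It simulates IOS first-match evaluation, lists every address a base/wildcard pair really matches (including non-contiguous masks such as 0.0.0.11), and splits an address range into the aligned power-of-two blocks the thread calls block sizes. The ACL lines are copied from the first post; the function names and the two probe hosts (10.138.75.2 and 10.138.75.3) are my own constructed choices.

```python
import ipaddress


def ip_to_int(ip):
    return int(ipaddress.IPv4Address(ip))


def int_to_ip(n):
    return str(ipaddress.IPv4Address(n))


def wildcard_matches(addr, base, wildcard):
    """IOS semantics: every bit where the wildcard is 0 must equal the base."""
    a, b, w = ip_to_int(addr), ip_to_int(base), ip_to_int(wildcard)
    return (a & ~w) == (b & ~w)


def wildcard_members(base, wildcard):
    """Every address matched by base/wildcard. Works for non-contiguous
    masks such as 0.0.0.11 (bits 0, 1 and 3 free), which is why
    '10.138.77.90 0.0.0.11' does not match 90-101."""
    b, w = ip_to_int(base), ip_to_int(wildcard)
    fixed = b & ~w
    free_bits = [i for i in range(32) if (w >> i) & 1]
    members = []
    for combo in range(1 << len(free_bits)):
        v = fixed
        for k, bit in enumerate(free_bits):
            if (combo >> k) & 1:
                v |= 1 << bit
        members.append(v)
    return [int_to_ip(v) for v in sorted(members)]


def _parse_addr(tokens, i):
    """Consume one address spec: 'any', 'host X', or 'X WILDCARD'."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_ace(line):
    """'access-list N permit|deny ip SRC DST' -> (action, (src, swc), (dst, dwc))."""
    t = line.split()
    src, i = _parse_addr(t, 4)
    dst, _ = _parse_addr(t, i)
    return t[2], src, dst


def evaluate(acl_lines, src, dst):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for line in acl_lines:
        action, (sb, sw), (db, dw) = parse_ace(line)
        if wildcard_matches(src, sb, sw) and wildcard_matches(dst, db, dw):
            return action
    return "deny"


def range_to_wildcards(first, last):
    """Split an inclusive range into the fewest base/wildcard pairs. Each
    block is a power of two in size and aligned to that size (the block
    size rule: 1, 2, 4, 8, 16, ...), so its wildcard is size - 1."""
    lo, hi = ip_to_int(first), ip_to_int(last)
    blocks = []
    while lo <= hi:
        size = 1
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        blocks.append((int_to_ip(lo), int_to_ip(size - 1)))
        lo += size
    return blocks


# The ACL exactly as posted in the opening question.
POSTED_ACL = [
    "access-list 112 permit ip 10.138.75.0 0.0.0.126 host 10.138.77.9",
    "access-list 112 permit ip 10.138.75.0 0.0.0.126 10.138.77.90 0.0.0.11",
    "access-list 112 permit ip 10.138.75.0 0.0.0.126 10.138.77.47 0.0.0.14",
    "access-list 112 permit ip 10.138.75.0 0.0.0.126 10.138.76.0 0.0.0.255",
    "access-list 112 deny ip 10.138.75.0 0.0.0.126 10.138.74.192 0.0.0.62",
    "access-list 112 deny ip 10.138.75.0 0.0.0.126 10.138.75.128 0.0.0.62",
    "access-list 112 deny ip 10.138.75.0 0.0.0.126 10.138.75.192 0.0.0.30",
    "access-list 112 deny ip 10.138.75.0 0.0.0.126 10.138.77.0 0.0.0.255",
    "access-list 112 permit ip any any",
]


def audit_posted_acl():
    """Probe the posted ACL with two constructed VLAN12 hosts and return
    (src, dst) -> decision; this reproduces both failure modes."""
    probes = [
        ("10.138.75.2", "10.138.77.95"),   # even host, inside 90-101: blocked
        ("10.138.75.3", "10.138.74.200"),  # odd host, VLAN11: falls to permit any
    ]
    return {p: evaluate(POSTED_ACL, *p) for p in probes}


if __name__ == "__main__":
    print(wildcard_members("10.138.77.90", "0.0.0.11"))
    print(audit_posted_acl())
    print(range_to_wildcards("10.138.77.90", "10.138.77.101"))
```

Running it shows the two problems the thread diagnoses: an even source host is denied for 10.138.77.95 because `0.0.0.11` frees bits 0, 1 and 3 and therefore matches 80-83 and 88-91 rather than 90-101, while an odd source host such as 10.138.75.3 matches none of the `0.0.0.126` entries and falls through to `permit ip any any`, reaching VLAN11 that the ACL was meant to block. `range_to_wildcards` gives the aligned entries for 90-101 and 47-61, a generalisation of the 88-95 / 96-103 split Giuseppe shows by hand.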
11-16-2008 09:45 PM
I have the following range of VLANs.
VLAN11=10.138.74.192/26
VLAN12=10.138.75.0/25
VLAN13=10.138.75.128/26
VLAN17=10.138.77.0/24 (server)
VLAN20=10.138.75.192/27
VLAN21=10.138.75.224/27
For example: I need to give access to VLAN 12 like this...
VLAN12 should get access to the hosts or networks below:
10.138.77.9
10.138.77.90-10.138.77.101
10.138.77.47-10.138.77.62
10.138.76.0-10.138.76.255
10.138.75.224-10.138.75.255
Access blocked:
VLAN11 (10.138.74.192/26)
VLAN13 (10.138.75.28/26)
VLAN20 (10.138.75.192/27)
VLAN17 (10.138.77.0/24) (server)
Configuration..
access-list 112 permit ip 10.138.75.0 0.0.0.127 host 10.138.77.9
access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.77.90 0.0.0.15
access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.77.47 0.0.0.15
access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.76.0 0.0.0.255
access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.77.128 0.0.0.127
access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.75.224 0.0.0.31
access-list 112 deny ip 10.138.75.0 0.0.0.127 10.138.74.192 0.0.0.63
access-list 112 deny ip 10.138.75.0 0.0.0.127 10.138.75.128 0.0.0.63
access-list 112 deny ip 10.138.75.0 0.0.0.127 10.138.75.192 0.0.0.31
access-list 112 deny ip 10.138.75.0 0.0.0.127 10.138.77.0 0.0.0.127
access-list 112 permit ip any any
Please let me know whether the above configuration is ok or not.
11-17-2008 01:40 AM
Hi Somnath,
I think you should change the second line to:
2nd access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.77.90 0.0.0.11
And what is this doing -> access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.77.128 0.0.0.127 <- I can't understand what/where this is for.
HTH
DAK
11-17-2008 01:49 AM
Hi somnath,
You are right, only some little corrections need to be done. Configure it like this:
access-list 112 permit ip 10.138.75.0 0.0.0.127 host 10.138.77.9
access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.77.90 0.0.0.11
access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.77.47 0.0.0.15
access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.76.0 0.0.0.255
access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.77.128 0.0.0.127 -> remove this; let me know what it is for
access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.75.224 0.0.0.31
access-list 112 deny ip 10.138.75.0 0.0.0.127 10.138.74.192 0.0.0.63
access-list 112 deny ip 10.138.75.0 0.0.0.127 10.138.75.28 0.0.0.63
access-list 112 deny ip 10.138.75.0 0.0.0.127 10.138.75.192 0.0.0.31
access-list 112 deny ip 10.138.75.0 0.0.0.127 10.138.77.0 0.0.0.255
access-list 112 permit ip any any
Then I think it should be fine.
HTH
DAK
11-17-2008 01:46 AM
Yes, got it.
The wildcard mask should be according to the block size (2,4,8,16,64).
Thanks!!
11-17-2008 02:30 AM
Are you alright with it now?
HTH
DAK
11-17-2008 04:48 AM
Thanks...