ACL questions....

Unanswered Question
Jan 18th, 2010
Hi all, I'm new to this Cisco malarkey so please forgive my half-baked questions.....

I've been trying to get my head round configuring ACLs and I just have two things that I'm unsure of....

1. How do I deny access to a specific IP address and apply this to all hosts?

2. If I want to split a subnet and allow http access to a network, is there a simple way to do this? E.g. 192.168.6.96 – 192.168.6.103 are allowed access to the 172.16.0.0 network, whereas 192.168.6.104 – 192.168.6.110 are not allowed access.

Thanks in advance
Jon Marshall Mon, 01/18/2010 - 08:04

Richard

A topology diagram would help us but in general

1) you have something like this

   access-list 101 deny ip any host

   access-list 101 permit ip any any

then where you apply it depends on your topology. If you are denying access to multiple vlans/subnets then you apply it outbound on the interface connecting to the specific host IP, e.g.

int fa0/0

ip access-group 101 out

if you are denying it to a specific subnet/vlan then you apply it inbound on the interface for that subnet/vlan, e.g.

int fa0/1

ip access-group 101 in

2) If you can summarise the IPs then yes, otherwise you need to list out all the IPs, e.g.

192.168.6.96 -> 103

access-list 101 permit ip host 192.168.6.96 172.16.0.0 0.0.255.255

access-list 101 permit ip host 192.168.6.97 172.16.0.0 0.0.255.255

etc...

access-list 101 deny ip host 192.168.6.104 172.16.0.0 0.0.255.255

etc...

Edit - like I say, if you could provide a layout and show us what you want to do we could be more specific.

Jon

richard.brookes... Mon, 01/18/2010 - 08:10

Hi Jon,

Thanks for the reply. I'm comfortable with where I need to apply the ACL, but the only thing still confusing me is how you specify a range of addresses.....

For instance if I want to apply an ACL to: 192.168.6.96 – 192.168.6.103

Thanks

Richard

Jon Marshall Mon, 01/18/2010 - 08:16

Richard

It really does depend on whether you can summarise. If you can't then you need to list all individual addresses as in my last post. So it's really a question of whether we can summarise 192.168.6.96 -> 103?

Closest you can get is ->

192.168.6.96 0.0.0.3 which gives you 192.168.6.96 -> 192.168.6.99

192.168.6.100 0.0.0.3 which gives you 192.168.6.100 -> 192.168.6.103

so you could do it with the above 2 entries.

Jon

Richard Burts Mon, 01/18/2010 - 11:10

Since Richard tells us that he is new to Cisco it might be helpful to explain the mechanics of how the access list processing is done. In an access list we typically specify an address and a mask. The address part may be fairly evident but the mask is confusing to some people. In IOS devices the mask is a "wildcard" mask in which binary zero indicates bits in the address that must match and binary one indicates bits in the address that do not need to match. So in the example 192.168.6.96 0.0.0.3 the mask of 0.0.0.3 has binary one in the 2 low order bits (do not need to match) and binary zero in all other bits (must match) so this entry would match 4 addresses (192.168.6.96, 192.168.6.97, 192.168.6.98, 192.168.6.99).

HTH

Rick
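The script below is an added worked example, not part of this thread and not Cisco software; the function names are my own. It implements the wildcard-mask matching Rick describes (clear the "don't care" bits on both sides and compare), enumerates every address an address/wildcard entry matches, and automates the summarisation Jon does by hand: it splits any inclusive address range into the fewest aligned blocks that a contiguous wildcard mask can express, then renders the IOS extended-ACL lines for the two ranges from the question (HTTP towards 172.16.0.0/16, with 0.0.255.255 as the destination wildcard).

```python
"""Wildcard-mask helpers for Cisco IOS extended ACLs (added example, own names)."""
import ipaddress
from typing import List, Optional, Tuple

MAX32 = 0xFFFFFFFF


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _to_str(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def wildcard_matches(entry_addr: str, wildcard: str, candidate: str) -> bool:
    """True if an ACL entry written as `entry_addr wildcard` matches `candidate`.

    IOS wildcard semantics: a 0 bit in the mask must match the entry address,
    a 1 bit is "don't care". Clearing the don't-care bits on both sides and
    comparing is exactly the check the router performs.
    """
    care = ~_to_int(wildcard) & MAX32
    return (_to_int(entry_addr) & care) == (_to_int(candidate) & care)


def expand_entry(entry_addr: str, wildcard: str) -> List[str]:
    """Enumerate every address matched by `entry_addr wildcard`, in address order."""
    w = _to_int(wildcard)
    base = _to_int(entry_addr) & ~w & MAX32
    dont_care_bits = [i for i in range(32) if (w >> i) & 1]
    matched = []
    # Every combination of the don't-care bits yields one matching address.
    for combo in range(1 << len(dont_care_bits)):
        value = base
        for k, bit in enumerate(dont_care_bits):
            if (combo >> k) & 1:
                value |= 1 << bit
        matched.append(value)
    return [_to_str(v) for v in sorted(matched)]


def range_to_wildcard_entries(first: str, last: str) -> List[Tuple[str, str]]:
    """Split the inclusive range first..last into the fewest address/wildcard
    pairs that cover exactly those addresses.

    Each pair is an aligned power-of-two block, i.e. a contiguous wildcard mask
    such as 0.0.0.3 or 0.0.0.7, which is what a summarised ACL line needs.
    """
    lo, hi = _to_int(first), _to_int(last)
    if lo > hi:
        raise ValueError("range start is after range end")
    entries = []
    while lo <= hi:
        size = 1
        # Grow the block while it stays aligned at `lo` and does not overshoot `hi`.
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        entries.append((_to_str(lo), _to_str(size - 1)))
        lo += size
    return entries


def acl_lines(acl_number: int, action: str, first: str, last: str,
              dst_addr: str, dst_wildcard: str, proto: str = "ip",
              dst_port: Optional[int] = None) -> List[str]:
    """Render one IOS extended-ACL line per summarised source block."""
    lines = []
    for addr, wildcard in range_to_wildcard_entries(first, last):
        # A single address is conventionally written with the `host` keyword.
        src = f"host {addr}" if wildcard == "0.0.0.0" else f"{addr} {wildcard}"
        line = f"access-list {acl_number} {action} {proto} {src} {dst_addr} {dst_wildcard}"
        if dst_port is not None:
            line += f" eq {dst_port}"
        lines.append(line)
    return lines


if __name__ == "__main__":
    # Rick's example: 192.168.6.96 0.0.0.3 matches exactly four addresses.
    print(expand_entry("192.168.6.96", "0.0.0.3"))
    # The two ranges from the question as tcp/80 rules towards 172.16.0.0/16.
    # The explicit denies are optional (the implicit deny at the end of the
    # list would drop that traffic anyway) but make the intent visible.
    for line in acl_lines(101, "permit", "192.168.6.96", "192.168.6.103",
                          "172.16.0.0", "0.0.255.255", proto="tcp", dst_port=80):
        print(line)
    for line in acl_lines(101, "deny", "192.168.6.104", "192.168.6.110",
                          "172.16.0.0", "0.0.255.255"):
        print(line)
```

For 192.168.6.96 -> 103 the algorithm returns a single block, 192.168.6.96 0.0.0.7, because 96 is a multiple of 8 and the range is exactly 8 addresses long; you can check it bit by bit with Rick's rule (the three low-order bits are "don't care", everything else must equal 192.168.6.96). 192.168.6.104 -> 110 cannot be expressed as one contiguous mask: 104 is only 4-aligned and the range has 7 addresses, so it needs three entries (104/0.0.0.3, 108/0.0.0.1 and host 110). Run expand_entry on each generated pair before applying a list to confirm that no address outside the intended range is matched.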
