Access Control List exceptions

bkoum
Level 1

hi

I would like to block a network 10.10.10.0 using an ACL but exclude the first 100 IPs. Is it possible?

thanks

7 Replies

Richard Burts
Hall of Fame

Bill

It is certainly possible to exclude the first 100 IPs. It would take multiple statements to do it, but it certainly can be done. If you want to block 10.10.10.0 you could have a single statement to deny that address block. If you want to exclude the first 100 addresses you would have to put statements before the deny for 10.10.10.0 that would permit the first 100 addresses. So the access list might look something like this:

access-list 1 permit 10.10.10.0 0.0.0.63 (permits 0 through 63)
access-list 1 permit 10.10.10.64 0.0.0.31 (permits 64 through 95)
access-list 1 permit 10.10.10.96 0.0.0.3 (permits 96 through 99)
access-list 1 permit 10.10.10.100 0.0.0.0 (permits 100)
access-list 1 deny 10.10.10.0 0.0.0.255

Or if you want an extended access list you could write it that way. The important concept is the combination of statements and masks to include the first 100 addresses.

HTH

Rick


May I ask if this ACL can work on a 2950 switch with 12.1(22)EA8 IOS? It is a layer 2 switch, but somewhere I read that I can obtain ACLs using VLANs.

Bill

This link has information about using access lists on the 2950 switch.

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_22ea/SCG/swacl.html

The good news is that it clearly says that access lists such as this can be used on the 2950. But the bad news is that it says that an access list on an interface can use only a single mask.

Based on this I do not believe that the access list as we have shown it could be applied to an interface on the 2950.

HTH

Rick


simaskvilius
Level 1

There is no one-line way to do it, but the easiest way to do it is this (if you want to block source addresses):

access-list 10 permit ip 10.10.10.0 0.0.0.63
access-list 10 permit ip 10.10.10.64 0.0.0.63
access-list 10 permit ip 10.10.10.96 0.0.0.3
access-list 10 permit ip 10.10.10.100 0.0.0.0
access-list 10 deny ip 10.10.10.0 0.0.0.255

You must understand the same techniques that are used in summarization to be able to create efficient access lists.

Simas

This is a good answer with 1 small careless mistake. The line:

access-list 10 permit ip 10.10.10.64 0.0.0.63

has the wrong mask. It should be:

access-list 10 permit ip 10.10.10.64 0.0.0.31

HTH

Rick

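An added worked example (not code from the thread or from Cisco) that makes the wildcard-mask reasoning in the answers above mechanical: it computes the permit entries for any contiguous host range inside a /24 using the same power-of-two alignment used in summarization, evaluates an ACL the way IOS does (first match, implicit deny at the end), and shows why the uncorrected 0.0.0.63 mask on 10.10.10.64 is over-permissive. The network 10.10.10.0/24 and the host ranges are the ones from the thread; the function names, the tuple representation of ACL entries, and the idea of enumerating every host in the /24 to audit the list are assumptions of this example.

```python
import ipaddress

# Constructed example input: the /24 from the thread.
NETWORK = "10.10.10.0"


def wildcard_entries(base, start, end):
    """Return (address, wildcard) pairs covering exactly host offsets
    start..end (inclusive) inside the /24 'base'.

    Greedy walk: at each position take the largest power-of-two block that
    is aligned to its own size and does not run past 'end'. This is the
    same alignment reasoning used for route summarization."""
    net = int(ipaddress.IPv4Address(base))
    entries = []
    cur = start
    while cur <= end:
        size = 1
        while (size * 2 <= 256
               and cur % (size * 2) == 0
               and cur + size * 2 - 1 <= end):
            size *= 2
        entries.append((str(ipaddress.IPv4Address(net + cur)),
                        str(ipaddress.IPv4Address(size - 1))))
        cur += size
    return entries


def matches(ip, addr, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    ip_i = int(ipaddress.IPv4Address(ip))
    addr_i = int(ipaddress.IPv4Address(addr))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (ip_i & care) == (addr_i & care)


def evaluate(acl, ip):
    """First-match evaluation; an ACL ends with an implicit 'deny any'."""
    for action, addr, wildcard in acl:
        if matches(ip, addr, wildcard):
            return action
    return "deny"


def build_acl(base, start, end):
    """Permit entries for the excluded range, then deny the whole /24."""
    acl = [("permit", a, w) for a, w in wildcard_entries(base, start, end)]
    acl.append(("deny", base, "0.0.0.255"))
    return acl


def render(acl, number):
    """IOS standard ACL lines for the entry tuples (hypothetical helper)."""
    return [f"access-list {number} {act} {addr} {wild}"
            for act, addr, wild in acl]


def permitted_hosts(acl, base):
    """Host offsets (0-255) in the /24 that the ACL permits: an audit of the
    list's real effect rather than its intended one."""
    net = int(ipaddress.IPv4Address(base))
    return [h for h in range(256)
            if evaluate(acl, str(ipaddress.IPv4Address(net + h))) == "permit"]


# The list as posted before the mask correction: .64 with wildcard 0.0.0.63
# reaches .127, so hosts .101-.127 are permitted although they should be denied.
UNCORRECTED = [
    ("permit", "10.10.10.0", "0.0.0.63"),
    ("permit", "10.10.10.64", "0.0.0.63"),
    ("permit", "10.10.10.96", "0.0.0.3"),
    ("permit", "10.10.10.100", "0.0.0.0"),
    ("deny", "10.10.10.0", "0.0.0.255"),
]

if __name__ == "__main__":
    acl = build_acl(NETWORK, 0, 100)
    print("\n".join(render(acl, 1)))
    print("permitted offsets:", permitted_hosts(acl, NETWORK))
    print("uncorrected list permits up to .%d"
          % max(permitted_hosts(UNCORRECTED, NETWORK)))
```

Running it reproduces the four permit lines in the corrected answer for hosts .0 through .100 (and three lines if the range is .0 through .99), and the host enumeration is the check worth keeping: an entry's wildcard must not reach past the range you meant to permit, or the following deny never sees those addresses.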

Bill

I am glad that my answer was helpful in resolving your question. Thank you for using the rating system to indicate that your question was resolved (and thanks for the rating). It makes the forum more useful when people can read a question and can know that they will read answers that resolved the question.

The forum is a very effective place to learn. I encourage you to continue your participation in the forum.

HTH

Rick


Yes, you are right, it is a small careless mistake :)
