01-18-2010 07:51 AM - edited 03-06-2019 09:20 AM
01-18-2010 08:04 AM
Hi all, I'm new to this Cisco Malarkey so please forgive my half-baked questions... I've been trying to get my head round configuring ACLs and I just have two things that I'm unsure of:
1. How do I deny access to a specific IP address and apply this to all hosts?
2. If I want to split a subnet and allow HTTP access to a network, is there a simple way to do this? e.g. 192.168.6.96 – 192.168.6.103 are allowed access to the 172.16.0.0 network whereas 192.168.6.104 – 192.168.6.110 are not allowed access.
Thanks in advance
Richard
A topology diagram would help us but in general
1) you have something like this
access-list 101 deny ip any host
access-list 101 permit ip any any
then where you apply it depends on your topology. If you are denying access to multiple vlans/subnets then you apply it outbound on the interface connecting to the specific host IP eg.
int fa0/0
ip access-group 101 out
if you are denying it to a specific subnet/vlan then you apply it inbound on the interface for that subnet/vlan eg.
int fa0/1
ip access-group 101 in
2) If you can summarise the IPs then yes, otherwise you need to list out all the IPs eg.
192.168.6.96 -> 103
access-list 101 permit ip host 192.168.6.96 172.16.0.0 0.0.255.255
access-list 101 permit ip host 192.168.6.97 172.16.0.0 0.0.255.255
etc...
access-list 101 deny ip host 192.168.6.104 172.16.0.0 0.0.255.255
etc...
Edit - like I say, if you could provide a layout and show us what you want to do we could be more specific.
Jon
01-18-2010 08:10 AM
Hi Jon,
Thanks for the reply. I'm comfortable with where I need to apply the ACL, but the only thing still confusing me is how you specify a range of addresses...
For instance if I want to apply an ACL to: 192.168.6.96 – 192.168.6.103
Thanks
Richard
01-18-2010 08:16 AM
Richard
It really does depend on whether you can summarise. If you can't then you need to list all individual addresses as in my last post. So it's really a question of whether we can summarise 192.168.6.96 -> 103 ?
Closest you can get is ->
192.168.6.96 0.0.0.3 which gives you 192.168.6.96 -> 192.168.6.99
192.168.6.100 0.0.0.3 which gives you 192.168.6.100 -> 192.168.6.103
so you could do it with the above 2 entries.
Jon
01-18-2010 11:10 AM
Since Richard tells us that he is new to Cisco it might be helpful to explain the mechanics of how the access list processing is done. In an access list we typically specify an address and a mask. The address part may be fairly evident but the mask is confusing to some people. In IOS devices the mask is a "wildcard" mask in which binary zero indicates bits in the address that must match and binary one indicates bits in the address that do not need to match. So in the example 192.168.6.96 0.0.0.3 the mask of 0.0.0.3 has binary one in the 2 low order bits (do not need to match) and binary zero in all other bits (must match) so this entry would match 4 addresses (192.168.6.96, 192.168.6.97, 192.168.6.98, 192.168.6.99).
HTH
Rick
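Jon's range-splitting and Rick's wildcard-mask mechanics can both be worked through mechanically. The Python below is an added example, not code from this thread or from Cisco: it splits any inclusive IPv4 range into the fewest aligned wildcard blocks (it shows, for instance, that 192.168.6.96 – 103 fits one entry with mask 0.0.0.7), tests a candidate address against an entry the way IOS does, and renders numbered extended-ACL lines; the ACL number, action and destination are assumed inputs.

```python
import ipaddress


def _to_int(ip):
    return int(ipaddress.IPv4Address(ip))


def _to_str(n):
    return str(ipaddress.IPv4Address(n))


def wildcard_blocks(first, last):
    """Split the inclusive range first..last into the fewest (address, wildcard)
    pairs. A wildcard of contiguous low-order 1 bits covers a power-of-two block
    that starts on a boundary aligned to its size, so we greedily take the
    largest such block at each step."""
    lo, hi = _to_int(first), _to_int(last)
    if lo > hi:
        raise ValueError("range start is after range end")
    blocks = []
    while lo <= hi:
        size = 1
        # grow the block while it stays aligned and still fits inside the range
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        blocks.append((_to_str(lo), _to_str(size - 1)))
        lo += size
    return blocks


def ace_matches(address, wildcard, candidate):
    """IOS wildcard semantics: a 1 bit in the mask is 'don't care', a 0 bit
    must match the corresponding bit of the entry's address."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(address) & care) == (_to_int(candidate) & care)


def matched_addresses(address, wildcard):
    """Every address an entry covers (e.g. 0.0.0.3 covers 4 hosts)."""
    w = _to_int(wildcard)
    base = _to_int(address) & (~w & 0xFFFFFFFF)
    return [_to_str(n) for n in range(base, base + w + 1)
            if ace_matches(address, wildcard, _to_str(n))]


def acl_lines(acl_number, action, first, last, destination, protocol="ip"):
    """Render numbered extended-ACL entries for a source range, using the
    'host' keyword where a block is a single address."""
    lines = []
    for addr, wc in wildcard_blocks(first, last):
        src = f"host {addr}" if wc == "0.0.0.0" else f"{addr} {wc}"
        lines.append(f"access-list {acl_number} {action} {protocol} {src} {destination}")
    return lines
```

Calling `acl_lines(101, "deny", "192.168.6.104", "192.168.6.110", "172.16.0.0 0.0.255.255")` yields three entries (a 0.0.0.3 block, a 0.0.0.1 block and one host), since 104 – 110 is seven addresses and cannot be a single aligned block.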
01-18-2010 11:46 PM
Hi Richard,
As you are new to Cisco, for an understanding of access lists and the implementation of ACLs, check out the link below.
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml
Hope that helps out with your query regarding ACLs. If helpful, do rate the valuable post.
Regards
Ganesh.H