Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
721
Views
0
Helpful
5
Replies

ACL questions....

richard.brookes
Level 1
Level 1

‎01-18-2010 07:51 AM - edited ‎03-06-2019 09:20 AM

Hi all, I'm new to this Cisco Malarkey so please forgive my half baked questions.....

I've been trying to get my head round configuring ACL's and I just have two things I that I'm unsure of....

1. How do I deny access to a specific IP address and apply this to all hosts?

2. If I want to split a subnet and allow http access to a network is there a simple way to do this e.g. 192.168.6.96 – 192.168.6.103 are allowed access to the 172.16.0.0 network whereas 192.168.6.104 – 192.168.6.110 are not allowed access

Thanks in advance
Labels:
0 Helpful
5 Replies 5

Jon Marshall
Hall of Fame
Hall of Fame

‎01-18-2010 08:04 AM 

richard.brookes@bdk.com
Hi all, I'm new to this Cisco Malarkey so please forgive my half baked questions.....
I've been trying to get my head round configuring ACL's and I just have two things I that I'm unsure of....
1. How do I deny access to a specific IP address and apply this to all hosts?
2. If I want to split a subnet and allow http access to a network is there a simple way to do this e.g. 192.168.6.96 – 192.168.6.103 are allowed access to the 172.16.0.0 network whereas 192.168.6.104 – 192.168.6.110 are not allowed access
Thanks in advance

Richard

A topology diagram would help us but in general

1) you have something like this

   access-list 101 deny ip any host

   access-list 101 permit ip any any

then where you apply it depends on your topology. If you are denying access to multiple vlans/subnets then you apply it outbound on the interface connecting to the specific host IP eg.

int fa0/0

ip access-group 101 out

if you are denying it to a specific subnet/vlan then you apply it inbound on the interface for that subnet/vlan eg.

int fa0/1

ip access-group 101 in

2) If you can summarise the IP's then yes otherwise you need to list out all the IPs eg.

192.168.6.96 -> 103

access-list 101 permit ip host 192.168.6.96 172.16.0.0 0.0.255 255

access-list 101 permit ip host 192.168.6.97 172.16.0.0 0.0.255.255

etc...

access-list 101 deny ip host 192.168.6.104 172.16.0.0 0.0.255.255

etc...

Edit - like i say, if you could provide a layout and show us what you want to do we could be more specific.

Jon

0 Helpful

richard.brookes
Level 1
Level 1
In response to Jon Marshall

‎01-18-2010 08:10 AM

Hi Jon,

Thanks for the reply. I'm comfortable with where I need to apply the ACL, but the only thing still confusing me is how you specify a range of addresses.....

For instance if I want to apply an ACL to: 192.168.6.96 – 192.168.6.103

Thanks

Richard

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to richard.brookes

‎01-18-2010 08:16 AM 

richard.brookes@bdk.com
Hi Jon,
Thanks for the reply. I'm comfortable with where I need to apply the ACL, but the only thing still confusing me is how you specify a range of addresses.....
For instance if I want to apply an ACL to: 192.168.6.96 – 192.168.6.103 
Thanks
Richard

Richard

It really does depend on whether you can summarise. If you can't then you need to list all individual addresses as in my last post. So it's really a question of whether we can summarise 192.168.6.96 -> 103 ?

Closest you can get is ->

192.168.6.96 0.0.0.3 which gives you 192.168.6.96 -> 192.168.6.99

192.168.6.1000.0.0.3 which gives you  192.168.6.100 -> 192.168.6.103

so you could do it with the above 2 entries.

Jon

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to Jon Marshall

‎01-18-2010 11:10 AM

Since Richard tells us that he is new to Cisco it might be helpful to explain the mechanics of how the access list processing is done. In an access list we typically specify an address and a mask. The address part may be fairly evident but the mask is confusing to some people. In IOS devices the mask is a "wildcard" mask in which binary zero indicates bits in the address that must match and binary one indicates bits in the address that do not need to match. So in the example 192.168.6.96 0.0.0.3 the mask of 0.0.0.3 has binary one in the 2 low order bits (do not need to match) and binary zero in all other bits (must match) so this entry would match 4 addresses (192.168.6.96, 192.168.6.97, 192.168.6.98, 192.168.6.99).

HTH

Rick

HTH

Rick
0 Helpful

Ganesh Hariharan
VIP Alumni
VIP Alumni

‎01-18-2010 11:46 PM

Hi Richard,

As you are new to cisco,For understanding about access list and implementation of ACL's check out the below link.

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml

Hope that helps out your query regarding ACL,If helpful do rate the valueble post.

Regards

Ganesh.H

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card