Confirmation on basic ACL extended-list

news2010a
Level 3

Hi, just wanted to confirm:

If I need to let only two IP addresses (1.1.1.1 and 1.1.1.2) connect to server 192.168.206.5, I should bring lines 40-70 to the top of the access-list below, correct?

!
ip access-list extended LETTWOPEOPLECONNECT
 10 permit icmp any any
 20 deny ip host 192.168.206.5 any
 30 deny ip any host 192.168.206.5
 40 permit ip any host 1.1.1.1
 50 permit ip any host 1.1.1.2
 60 permit ip host 1.1.1.1 any
 70 permit ip host 1.1.1.2 any
 80 permit ip any any
!

Accepted Solution

Edison Ortiz
Hall of Fame

We don't know the direction of this ACL (in|out).

Knowing the direction will help save some entries. For example:

 20 deny ip host 192.168.206.5 any
 30 deny ip any host 192.168.206.5

can be just one entry,

 20 deny ip host 192.168.206.5 any

or

 30 deny ip any host 192.168.206.5

But to answer your question: yes, moving 40-70 before the deny entries 20-30 will let those hosts connect to server 192.168.206.5, but you can streamline the ACL with fewer ACEs.

__

Edison.


3 Replies

Jon Marshall
Hall of Fame

Marlon

Yes, you would need to move the entries above line 20. Actually, you could just write 2 more specific entries, i.e.

 11 permit ip host 1.1.1.1 host 192.168.206.5
 12 permit ip host 1.1.1.2 host 192.168.206.5

You could make them even more specific by using only the relevant ports (TCP/UDP) that 1.1.1.1/2 need to connect to on server 192.168.206.5.

I'm assuming this ACL is applied inbound on the relevant interface.

Jon
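Added illustration (not part of the thread, and not Cisco code): a small first-match evaluator in Python for the ACL syntax used in the question and in Jon's answer. It models how IOS walks an extended ACL in sequence order, stops at the first matching ACE, and applies the implicit deny at the end when nothing matches. It assumes only the address forms that appear above (`any` and `host A.B.C.D`) and the protocol keywords `ip` and `icmp`; wildcard masks and port matches are out of scope. The two ACL texts are copied from the thread; the test flows (a TCP connection from 1.1.1.1, from 1.1.1.2, from a third host 1.1.1.3, and the server's reply traffic) are constructed here. The last check shows why Jon's assumption about direction matters: the server's return traffic would still hit `deny 20` if the same ACL were applied in the other direction, which is Edison's point.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Ace:
    """One access-control entry: '<seq> permit|deny <proto> <src> <dst>'."""
    seq: int
    action: str   # "permit" or "deny"
    proto: str    # "ip" matches every protocol; "icmp"/"tcp"/... match only themselves
    src: str      # "any" or a host IPv4 address
    dst: str      # "any" or a host IPv4 address


def _take_addr(tokens):
    """Consume 'any' or 'host A.B.C.D' from the front of the token list."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return str(IPv4Address(tokens[1])), tokens[2:]
    raise ValueError(f"unsupported address form (only any/host handled): {tokens[0]}")


def parse_ace(line):
    tokens = line.split()
    seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in ACE: {line}")
    src, rest = _take_addr(tokens[3:])
    dst, _ = _take_addr(rest)
    return Ace(seq, action, proto, src, dst)


def parse_acl(text):
    """Parse the ACEs of one named extended ACL; IOS evaluates them by sequence number."""
    aces = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("!") or line.startswith("ip access-list"):
            continue
        aces.append(parse_ace(line))
    return sorted(aces, key=lambda a: a.seq)


def evaluate(acl, proto, src, dst):
    """Return (action, matching seq). First match wins; no match means implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if ace.src != "any" and ace.src != src:
            continue
        if ace.dst != "any" and ace.dst != dst:
            continue
        return ace.action, ace.seq
    return "deny", None  # implicit 'deny ip any any' at the end of every IOS ACL


SERVER = "192.168.206.5"

# The ACL exactly as posted in the question.
ORIGINAL = """
ip access-list extended LETTWOPEOPLECONNECT
 10 permit icmp any any
 20 deny ip host 192.168.206.5 any
 30 deny ip any host 192.168.206.5
 40 permit ip any host 1.1.1.1
 50 permit ip any host 1.1.1.2
 60 permit ip host 1.1.1.1 any
 70 permit ip host 1.1.1.2 any
 80 permit ip any any
"""

# Jon's variant: two host-to-host permits inserted before the deny entries.
WITH_SPECIFIC_ENTRIES = """
ip access-list extended LETTWOPEOPLECONNECT
 10 permit icmp any any
 11 permit ip host 1.1.1.1 host 192.168.206.5
 12 permit ip host 1.1.1.2 host 192.168.206.5
 20 deny ip host 192.168.206.5 any
 30 deny ip any host 192.168.206.5
 40 permit ip any host 1.1.1.1
 50 permit ip any host 1.1.1.2
 60 permit ip host 1.1.1.1 any
 70 permit ip host 1.1.1.2 any
 80 permit ip any any
"""


if __name__ == "__main__":
    # Constructed flows, evaluated against both ACLs.
    for name, text in (("original", ORIGINAL), ("with 11/12", WITH_SPECIFIC_ENTRIES)):
        acl = parse_acl(text)
        print(name)
        print("  tcp 1.1.1.1 -> server :", evaluate(acl, "tcp", "1.1.1.1", SERVER))
        print("  tcp 1.1.1.3 -> server :", evaluate(acl, "tcp", "1.1.1.3", SERVER))
        print("  tcp server -> 1.1.1.1 :", evaluate(acl, "tcp", SERVER, "1.1.1.1"))
```

Run as a script, the original ACL shows the TCP flow from 1.1.1.1 stopping at `deny 30` before ever reaching line 40, while the variant with entries 11 and 12 permits 1.1.1.1 and 1.1.1.2 and still denies 1.1.1.3 at line 30. The reply direction is denied at line 20 in both cases, so the ACL only behaves as intended when applied inbound on the interface facing the clients, as Jon assumes.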


Thanks!!! You guys rule.
