Cisco Support Community

New Member

Access List question

Hi all,

I am in need of blocking the use of an entire class C that belongs to us, with the exception of one IP address. I would like to do this on the FA0/0 interface. I have a few questions on this matter:

I came up with this access list:

access-list 100 permit IP any host 207.155.140.32

access-list 100 deny IP 207.155.140.0 0.0.0.255 any

1) Would this be correct if I only want one IP be able to operate, while the rest of the class C is blocked?

2) The FA0/0 port also has a secondary address of 207.155.140.1. Would this need to be included in the access list as a permitted address or is this not necessary?

3) I am going to make this an outbound access list. Is this the correct thinking?

thanks for any help or tips!

Darrel

9 REPLIES
Hall of Fame Super Silver

Re: Access List question

Darrel

You are on the right track that you need to permit the single address and then deny the other addresses. Your access list is inconsistent about whether the address is the source address or the destination address. In the first line:

access-list 100 permit IP any host 207.155.140.32

the host address is being treated as the destination address. But in the second line:

access-list 100 deny IP 207.155.140.0 0.0.0.255 any

the address is treated as the source address. Whether it should be source address or destination address depends on whether you are applying the access list as inbound or outbound.

If the interface is configured with a secondary address then the addresses in the secondary address range must be specified in the access list.

HTH

Rick

Re: Access List question

I assume you are going to apply in fa0/0 outbound.

then you may need to change the second line as below.

access-list 100 permit IP any host 207.155.140.32

access-list 100 deny IP any 207.155.140.0 0.0.0.255

if you have any other traffic to be allowed in addition to blocking this traffic add

access-list 100 permit ip any any at the end of the access-list statements.

New Member

Re: Access List question

Hi guys,

thanks for your answers!

Yes, I was going to apply this "outbound" on FA0/0. And yes, we have other IP spaces that still need to be routed, and not blocked, you are correct.

To review, I understand the config to be like this:

access-list 100 permit IP any host 207.155.140.1(secondary on FA0/0 Int.)

access-list 100 permit IP any host 207.155.140.32

access-list 100 deny IP any 207.155.140.0 0.0.0.255

access-list 100 permit ip any any

Would you agree with this?

Darrel

Hall of Fame Super Silver

Re: Access List question

Darrel

I am very puzzled about a couple of things. The first line indicates that 207.155.140.1 is the secondary address. But all of the access list statements are about 207.155.140.x which would seem to indicate that it was the primary address subnet. Perhaps you can clarify? Posting the configuration of the interface would be helpful.

I do not see any need for this line:

access-list 100 permit IP any host 207.155.140.1

assuming that it is the secondary address, since this access would be covered by the permit ip any any in the last statement. Also if the access list is applied outbound and this is a permit for the IP address of the interface there will never be any outbound traffic on the interface with destination address of the interface.

I also question the use of the access list outbound. If we had a clearer understanding of your environment and of your requirements we could probably give better advice. I am assuming that subnet 207.155.140.x is the subnet of addresses on interface fastethernet0/0. If so then applying the access list outbound would allow traffic from hosts in this subnet to be sent to the router, to be forwarded to the destination address, and when the response came back the response would be denied instead of being sent to the end station. While this does achieve your stated goal of denying access for that subnet, it is a very inefficient solution. I think it would be better if the access list were applied inbound. In this case any traffic from those hosts arriving at the interface would be denied and no further network resources would be used.

HTH

Rick

New Member

Re: Access List question

Rick,

With regards to this line

access-list 100 permit ip any host 207.155.140.1 would be covered by the 'ip any any' statement.... How would this work?

Reason being is that since the ACL is executed when a match is found, it will be denied on the 3rd line before getting to the 'ip any any' statement.

access-list 100 permit IP any host 207.155.140.1(secondary on FA0/0 Int.)

access-list 100 permit IP any host 207.155.140.32

access-list 100 deny IP any 207.155.140.0 0.0.0.255

access-list 100 permit ip any any

Is my understanding of the logic correct?

- Sanjay -

Hall of Fame Super Silver

Re: Access List question

Sanjay

Your understanding of the logic is correct looking very literally at what was posted. The key in my response is this:

"assuming that it is the secondary address", since this access would be covered by the permit ip any any in the last statement.

I added quote marks for emphasis. If the first line had been the secondary address then the first line would not have been needed. Obviously the secondary address should be in a different subnet than the primary address.

I can also justify my statement that the first line is not needed on the basis that the host address is the address of the router interface. Since he was proposing the access list as an outbound filter there is no need for a permit statement for the router's own interface address in an outbound access list.

But your point is correct that the address given in the first line would not be permitted by the permit ip any any in the last line because that particular address would be denied in the deny ip any 207.155.140.0 0.0.0.255. Perhaps I should have been more explicit about that.

So I believe that my statement that the first line is not needed is correct. But the reason that I gave for why it is not needed was not correct. Thanks for catching that. This review of each other's posting is what makes the forum such an effective tool.

HTH

Rick

New Member

Re: Access List question

Rick,

I get the point that you are trying to get across. I guess the original question posted was not too clear and the secondary address should be in a different IP subnet as what you mentioned in a production network and makes more sense to apply the ACL on the inbound of the interface.

Thank you sir,

- sn -

New Member

Re: Access List question

Now I am getting confused ! :D

My basic need is to block a class C, with the exception of one IP address. I want to do this on the Ethernet Interface, outbound. I do route other IP address spaces in addition to this one.

I think this should be correct:

access-list 100 permit IP any host 207.155.140.32

access-list 100 deny IP any 207.155.140.0 0.0.0.255

access-list 100 permit ip any any

What do you guys think?

Darrel

New Member

Re: Access List question

Darrel,

Your ACL will work. It will achieve what you want to achieve.

- Sanjay -
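The first-match logic Sanjay and Rick discuss above, as an added example that is not part of the thread: a small Python model of IOS ACL evaluation (top-down, first match wins, implicit deny at the end, Cisco wildcard masks). It runs the four-line ACL Sanjay analysed and Darrel's final three-line ACL against constructed packets; the source address 10.0.0.5 is an assumption.

```python
import ipaddress

def _parse_spec(tokens):
    """Consume one IOS address spec ('any', 'host A', or 'A wildcard'); return (spec, rest)."""
    if tokens[0] == "any":
        return ("any", None), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def _matches(spec, addr):
    net, wildcard = spec
    if net == "any":
        return True
    # Cisco wildcard mask: a 0 bit must match, a 1 bit is "don't care".
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.ip_address(net)) & care) == (int(ipaddress.ip_address(addr)) & care)

def parse_acl(text):
    """Parse 'access-list N permit|deny ip <src> <dst>' lines (IOS keywords are case-insensitive)."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.lower().split()
        if tokens[:1] != ["access-list"] or tokens[3] != "ip":
            raise ValueError(f"unsupported line: {line}")
        src, rest = _parse_spec(tokens[4:])
        dst, rest = _parse_spec(rest)
        entries.append((tokens[2], src, dst))
    return entries

def evaluate(acl, src, dst):
    """First match wins; returns (action, 1-based line) or ('deny', None) for the implicit deny."""
    for i, (action, s, d) in enumerate(acl, start=1):
        if _matches(s, src) and _matches(d, dst):
            return action, i
    return "deny", None

# Constructed from the thread: the four-line ACL Sanjay analysed and Darrel's final ACL.
FOUR_LINE = parse_acl("""
access-list 100 permit IP any host 207.155.140.1
access-list 100 permit IP any host 207.155.140.32
access-list 100 deny IP any 207.155.140.0 0.0.0.255
access-list 100 permit ip any any
""")
FINAL = parse_acl("""
access-list 100 permit IP any host 207.155.140.32
access-list 100 deny IP any 207.155.140.0 0.0.0.255
access-list 100 permit ip any any
""")

if __name__ == "__main__":
    for dst in ("207.155.140.1", "207.155.140.32", "207.155.140.77", "198.51.100.9"):
        print(dst, "four-line:", evaluate(FOUR_LINE, "10.0.0.5", dst),
              "final:", evaluate(FINAL, "10.0.0.5", dst))
```

Without the explicit host line, 207.155.140.1 is caught by the deny on line 2 and never reaches the trailing permit ip any any, which is exactly the point Sanjay raised.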
