Cisco Support Community

ACL Help

I am using subnet 172.18.100.0 with mask 255.255.252.0. My manager has sent me a list and asked me to implement it. Please help me with what IP address and mask I should use. The list is as below:

1. Block DNS zone transfer access-list 101 deny tcp any any eq domain log-input

2. Allow DNS response access-list 101 permit udp any eq domain < ip address> <Subnetmask>

3. Block packets that are sourced from reserved private addresses

Block loopback packets

4. access-list 101 deny ip < ip address> <Subnetmask> any log-input

Block multicast packets

5. access-list 101 deny ip < ip address> <Subnetmask> any log-input

Block broadcast

6. access-list 101 deny ip 0.0.0.0 0.255.255.255 any log-input

Please help as per my subnet and mask.

Anis

2 REPLIES

Re: ACL Help

Hi Anis,

Use 172.18.100.0 and wildcard mask 0.0.3.255

Hope that helps - please rate posts that help.

Regards,

Paresh

Re: ACL Help

Hello,

The first question would be where you apply the access-list - inbound or outbound - because source and destination have to be swapped accordingly. The following statements should be helpful for an inbound access-list from the rest of the world to 172.18.100.0/22:

1.

access-list 101 deny tcp any any eq domain log-input

access-list 101 deny tcp any eq domain any log-input

2.

access-list 101 permit udp any eq domain 172.18.100.0 0.0.3.255

3. Somewhat unclear what "loopback" means; I assume 127/8.

access-list 101 deny ip 127.0.0.0 0.255.255.255 any

4.

access-list 101 deny ip 224.0.0.0 15.255.255.255 any

access-list 101 deny ip any 224.0.0.0 15.255.255.255

5. What is meant by "broadcast"? A router will stop broadcasts anyhow.

6. As above.

Hope this helps! Please rate all posts.

Regards, Martin
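To make the wildcard-mask arithmetic in the replies concrete, here is an added Python example (not from the thread, nor Cisco's code) that derives the wildcard 0.0.3.255 from the subnet mask 255.255.252.0 and evaluates sample packets against a constructed model of Martin's inbound ACL 101 using IOS first-match semantics and the implicit final deny. The ACL table and the test packets are constructed for illustration only.

```python
import ipaddress

def subnet_mask_to_wildcard(mask: str) -> str:
    """Cisco ACLs use an inverse (wildcard) mask: a set bit means 'don't care'."""
    m = int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(m ^ 0xFFFFFFFF))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr falls inside base/wildcard the way an IOS ACL evaluates it."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must be equal
    return (a & care) == (b & care)

# Constructed model of the inbound ACL 101 from the reply above.
# 'any' is written as base 0.0.0.0 with wildcard 255.255.255.255.
# Tuple: (action, protocol, src, src_wc, src_port, dst, dst_wc, dst_port)
ANY = ("0.0.0.0", "255.255.255.255")
ACL_101 = [
    ("deny",   "tcp", *ANY, None, *ANY, 53),                    # block zone transfer
    ("deny",   "tcp", *ANY, 53,   *ANY, None),
    ("permit", "udp", *ANY, 53,   "172.18.100.0", "0.0.3.255", None),  # DNS replies in
    ("deny",   "ip",  "127.0.0.0", "0.255.255.255", None, *ANY, None),  # loopback src
    ("deny",   "ip",  "224.0.0.0", "15.255.255.255", None, *ANY, None), # multicast src
    ("deny",   "ip",  *ANY, None, "224.0.0.0", "15.255.255.255", None), # multicast dst
]

def evaluate(acl, proto, src, sport, dst, dport):
    """Walk the ACL top-down; first matching line wins; implicit 'deny ip any any'."""
    for action, p, s, swc, sp, d, dwc, dp in acl:
        if p != "ip" and p != proto:
            continue
        if not wildcard_match(src, s, swc) or not wildcard_match(dst, d, dwc):
            continue
        if sp is not None and sp != sport:
            continue
        if dp is not None and dp != dport:
            continue
        return action
    return "deny"
```

Note that a host in 172.18.104.0/22 is outside the wildcard 0.0.3.255 range, so a DNS reply to it falls through to the implicit deny; the range covered is exactly 172.18.100.0 to 172.18.103.255.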
