Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
491
Views
3
Helpful
1
Replies

Config access-list

douglashui
Level 1
Level 1

‎02-24-2006 06:45 PM - edited ‎02-20-2020 09:36 PM

Dear All,

I would like to deny below IP, how to set the acl to a minimum.

10.1.1.11 - 13

10.2.1.11 - 13

10.3.1.11 - 13

Thanks.

C.K.

Labels:
0 Helpful
1 Reply 1

jackko
Level 7
Level 7

‎02-24-2006 08:17 PM

well, these addresses can't be grouped into a "supernet", so the minimum number of acl is 9. in fact, 9 is not a huge number.

nonetheless, you may create an object group for these addresses.

e.g.

object-group network test

network-object host 10.1.1.11

network-object host 10.1.1.12

network-object host 10.1.1.13

network-object host 10.2.1.11

network-object host 10.2.1.12

network-object host 10.2.1.13

network-object host 10.3.1.11

network-object host 10.3.1.12

network-object host 10.3.1.13

access-list 101 deny ip object-group test any

access-list 101 permit ip any any

the advantage is that if a change needs to be made in the near future. e.g. a month later, another ip needs to be added to the list. then all you need to do is to add the ip onto the existing group and leave the acl untouch.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents