Cisco Support Community
New Member

Config access-list

Dear All,

I would like to deny the IPs below. How can I set the ACL to a minimum?

10.1.1.11 - 13

10.2.1.11 - 13

10.3.1.11 - 13

Thanks.

C.K.

1 REPLY
Gold

Re: Config access-list

Well, these addresses can't be grouped into a "supernet", so the minimum number of ACLs is 9. In fact, 9 is not a huge number.

Nonetheless, you may create an object group for these addresses.

e.g.

object-group network test

network-object host 10.1.1.11

network-object host 10.1.1.12

network-object host 10.1.1.13

network-object host 10.2.1.11

network-object host 10.2.1.12

network-object host 10.2.1.13

network-object host 10.3.1.11

network-object host 10.3.1.12

network-object host 10.3.1.13

access-list 101 deny ip object-group test any

access-list 101 permit ip any any

The advantage is that if a change needs to be made in the near future, e.g. a month later another IP needs to be added to the list, then all you need to do is add the IP to the existing group and leave the ACL untouched.
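An added example (not part of the reply and not Cisco tooling): a Python script that generates the object-group from the ranges in the question, both as the nine host entries used in the reply and as CIDR-aligned blocks for comparison. The group name `test-summarized` and the `network-object <address> <mask>` subnet form are assumptions that do not appear on the page.

```python
import ipaddress

# Constructed input: the three ranges from the question (last octet 11-13).
RANGES = [("10.1.1.11", "10.1.1.13"),
          ("10.2.1.11", "10.2.1.13"),
          ("10.3.1.11", "10.3.1.13")]


def expand_hosts(ranges):
    """Every address in each inclusive range, one host per entry."""
    hosts = []
    for first, last in ranges:
        lo = int(ipaddress.IPv4Address(first))
        hi = int(ipaddress.IPv4Address(last))
        if lo > hi:
            raise ValueError(f"range {first}-{last} is reversed")
        hosts.extend(ipaddress.IPv4Address(n) for n in range(lo, hi + 1))
    return hosts


def summarize(ranges):
    """Smallest set of CIDR blocks covering exactly the given ranges."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))
    # collapse_addresses merges adjacent or overlapping blocks across ranges.
    return list(ipaddress.collapse_addresses(nets))


def object_group(name, entries):
    """Render an object-group in the syntax used in the reply."""
    lines = [f"object-group network {name}"]
    for entry in entries:
        net = ipaddress.ip_network(str(entry))  # a bare address becomes a /32
        if net.prefixlen == 32:
            lines.append(f" network-object host {net.network_address}")
        else:
            # Subnet form (assumed syntax): address followed by netmask.
            lines.append(f" network-object {net.network_address} {net.netmask}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(object_group("test", expand_hosts(RANGES)))
    print(object_group("test-summarized", summarize(RANGES)))
```

Both groups cover exactly the same nine addresses, so the ACL line that references the group stays the same in either case.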
