2821 ACL for IP Range

zapbrandenburg
Level 1

We use an old Cisco 2821 at the internet edge for initial inbound traffic filtering.  In an attempt to block certain provider networks that are a source of SPAM, we attempted to apply an ACL that included a range of addresses as follows:

access-list 110 deny   ip host 198.20.160.0 0.0.31.255 255.255.255.255

This command was shortened to the following in the running config:

access-list 110 deny   ip host 198.20.160.0 any

The ACL does not seem to work, as we are still seeing SPAM slip through on this range.

Any help is greatly appreciated.  

Thank you for your time.

 

2 Accepted Solutions

Hi,

Your ACL syntax will deny only host 198.20.160.0.

If you look below

access-list 110 deny   ip host 198.20.160.0 0.0.31.255 255.255.255.255

you have specified the source as a host (host 198.20.160.0)

and the destination as any (invalid network and subnet mask - 0.0.31.255 255.255.255.255).

Which subnet or network do you want to block? Give me the source and destination subnet and I will correct the ACL.

 

HTH

Sandy 


brianwilliams99
Level 1

 

ACLs are in the form of:

access-list [###] [permit or deny] [protocol] [Source IP Network] [Source wildcard mask] [Destination IP Network] [Destination wildcard mask] [port (optional)]

When you use the keyword "host" that equals a wildcard mask of 0.0.0.0, and then you do not need to put in the wildcard mask, just the host IP.

In your example, access-list 110 deny   ip host 198.20.160.0 0.0.31.255 255.255.255.255, you were telling the router that you wanted to deny packets from a single source IP of 198.20.160.0 with a wildcard mask of 0.0.0.0 and a destination of 0.0.31.255 255.255.255.255, which is an invalid IP and mask.

Hope this helps.

 

You can read this article to help more - Here

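To make the wildcard-mask semantics from the reply above concrete, here is a small matcher for IOS numbered extended ACL entries. It is an added example for this thread, not code from Cisco or from either poster, and it assumes only the `ip` protocol form without ports. The two ACL lines are the ones quoted in the thread; the destination addresses in the usage section are constructed for the demonstration. Parsing the original line shows why the router rewrote it: after `host 198.20.160.0` the leftover tokens `0.0.31.255 255.255.255.255` are read as a destination network with an all-ones wildcard, which is exactly what `any` means.

```python
"""Match addresses against Cisco IOS numbered extended ACL entries.

Added example (not from the thread): models how IOS reads the source and
destination fields so the difference between `host`, a wildcard-mask range
and `any` can be checked against real addresses. Only the `ip` protocol
form without ports is handled (an assumption for this example).
"""
from ipaddress import IPv4Address

ALL_ONES = 0xFFFFFFFF
ANY = (0, ALL_ONES)  # base 0.0.0.0, wildcard 255.255.255.255: every bit is don't-care


def _addr(tokens, i):
    """Parse one address spec starting at tokens[i].

    Returns ((base, wildcard), next_index) using IOS semantics:
      any             -> wildcard 255.255.255.255 (matches everything)
      host A.B.C.D    -> wildcard 0.0.0.0 (every bit must match)
      A.B.C.D W.X.Y.Z -> explicit base address and wildcard mask
    """
    tok = tokens[i]
    if tok == "any":
        return ANY, i + 1
    if tok == "host":
        return (int(IPv4Address(tokens[i + 1])), 0), i + 2
    return (int(IPv4Address(tok)), int(IPv4Address(tokens[i + 1]))), i + 2


def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC DST' into its parts."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny") or t[3] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    src, i = _addr(t, 4)
    dst, i = _addr(t, i)
    if i != len(t):
        raise ValueError(f"trailing tokens in ACE: {line}")
    return {"number": t[1], "action": t[2], "src": src, "dst": dst}


def _fmt(spec):
    """Render an address spec the short way IOS writes it back."""
    base, wc = spec
    if wc == ALL_ONES:
        return "any"
    if wc == 0:
        return f"host {IPv4Address(base)}"
    return f"{IPv4Address(base)} {IPv4Address(wc)}"


def normalize(line):
    """Return the ACE as it would appear in the running config."""
    ace = parse_ace(line)
    return f"access-list {ace['number']} {ace['action']} ip {_fmt(ace['src'])} {_fmt(ace['dst'])}"


def spec_range(spec):
    """First and last address a (base, wildcard) spec covers, as strings."""
    base, wc = spec
    care = ~wc & ALL_ONES           # wildcard bit 0 = must match, 1 = don't care
    first = base & care
    return str(IPv4Address(first)), str(IPv4Address(first | wc))


def spec_matches(spec, addr):
    """An address matches when all bits the wildcard marks as 'care' are equal."""
    base, wc = spec
    care = ~wc & ALL_ONES
    return (int(IPv4Address(addr)) & care) == (base & care)


def ace_matches(line, src, dst):
    ace = parse_ace(line)
    return spec_matches(ace["src"], src) and spec_matches(ace["dst"], dst)


def evaluate(acl_lines, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for line in acl_lines:
        ace = parse_ace(line)
        if spec_matches(ace["src"], src) and spec_matches(ace["dst"], dst):
            return ace["action"]
    return "deny"


# The line from the original post and the corrected one from the thread
POSTED = "access-list 110 deny ip host 198.20.160.0 0.0.31.255 255.255.255.255"
FIXED = "access-list 110 deny ip 198.20.160.0 0.0.31.255 any"

if __name__ == "__main__":
    print("stored as:", normalize(POSTED))
    print("fixed covers:", spec_range(parse_ace(FIXED)["src"]))
    dst = "203.0.113.10"  # constructed destination for the demonstration
    for s in ("198.20.160.0", "198.20.170.5", "198.20.191.255", "198.20.192.1"):
        print(s, "posted:", ace_matches(POSTED, s, dst), "fixed:", ace_matches(FIXED, s, dst))
```

`normalize(POSTED)` reproduces the shortened line the router stored, and `spec_range` shows the corrected entry covers 198.20.160.0 through 198.20.191.255 (a /19). Matching is only half the check: the list still has to be applied in the right direction on the edge interface (`ip access-group 110 in`), and `show access-lists 110` hit counters are the quickest way to confirm traffic is actually hitting the deny entry, neither of which the thread goes into.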

3 Replies


Thanks a ton. Copied an existing ACL and somehow totally missed the "host" keyword. That got it fixed right up.

access-list 110 deny ip 198.20.160.0 0.0.31.255 any
