
2821 ACL for IP Range

We use an old Cisco 2821 at the internet edge for initial inbound traffic filtering.  In an attempt to block certain provider networks that are a source of SPAM, we attempted to apply an ACL that included a range of addresses as follows:

access-list 110 deny   ip host 198.20.160.0 0.0.31.255 255.255.255.255

This command was shortened to the following in the running config:

access-list 110 deny   ip host 198.20.160.0 any

The ACL does not seem to work, as we are still seeing SPAM slip through on this range.

Any help is greatly appreciated.  

Thank you for your time.

 


Accepted Solutions


Hi,

Your ACL syntax will deny only host 192.20.160.0.

If you look below:

access-list 110 deny   ip host 198.20.160.0 0.0.31.255 255.255.255.255

You have specified the source as host (host 198.20.160.0)

and the destination host as any (invalid network and subnet mask - 0.0.31.255 255.255.255.255).

You want to block which subnet or network? Give me the source and destination subnet. Will correct the ACL.

 

HTH

Sandy 

 

 

 

 

 

ACLs are in the form of:

access-list [###] [permit or deny] [protocol] [Source IP Network] [Source wildcard mask] [Destination IP Network] [Destination wildcard mask] [port (optional)]

When you use the keyword "host", that equals a wildcard mask of 0.0.0.0, and then you do not need to put in the wildcard mask, just the host IP.

In your example, access-list 110 deny   ip host 198.20.160.0 0.0.31.255 255.255.255.255, you were telling the router that you wanted to deny packets from a single source IP of 198.20.160.0 with a wildcard mask of 0.0.0.0 and a destination of 0.0.31.255 255.255.255.255, which is an invalid IP and mask.

Hope this helps.

 

You can read this article to help more - Here

 

3 REPLIES


Thanks a ton. Copied an existing ACL and somehow totally missed the "host" keyword. That got it fixed right up.

 access-list 110 deny ip 198.20.160.0 0.0.31.255 any
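
Added example, not part of the thread and not Cisco code: a small Python matcher run over the three rule lines quoted above, showing which addresses each operand covers. It handles only the `host`, `any` and address-plus-wildcard operand forms, and the probe address 198.20.170.25 is a constructed sample.

```python
import ipaddress

# The three forms of the rule quoted in the thread.
AS_TYPED = "access-list 110 deny   ip host 198.20.160.0 0.0.31.255 255.255.255.255"
AS_STORED = "access-list 110 deny   ip host 198.20.160.0 any"
FIXED = "access-list 110 deny ip 198.20.160.0 0.0.31.255 any"

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_operand(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard) as ints."""
    head = tokens.pop(0)
    if head == "any":
        return 0, 0xFFFFFFFF
    if head == "host":
        return to_int(tokens.pop(0)), 0
    return to_int(head), to_int(tokens.pop(0))

def parse_acl(line):
    """Parse a numbered extended ACL entry (no port or option handling)."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list":
        raise ValueError("not a numbered extended ACL entry: " + line)
    rest = tokens[4:]
    src = parse_operand(rest)   # consumes the source operand
    dst = parse_operand(rest)   # consumes the destination operand
    return {"action": tokens[2], "protocol": tokens[3], "src": src, "dst": dst}

def matches(operand, addr):
    """Wildcard bits set to 1 are ignored; bits set to 0 must equal the base."""
    base, wildcard = operand
    care = ~wildcard & 0xFFFFFFFF
    return (to_int(addr) & care) == (base & care)

def span(operand):
    """Lowest and highest matching address (exact range for contiguous wildcards)."""
    base, wildcard = operand
    low = base & ~wildcard & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(low | wildcard))

if __name__ == "__main__":
    probe = "198.20.170.25"  # constructed sample address inside the intended range
    for label, line in (("typed", AS_TYPED), ("stored", AS_STORED), ("fixed", FIXED)):
        rule = parse_acl(line)
        print(label, "src", span(rule["src"]), "dst", span(rule["dst"]),
              "matches probe:", matches(rule["src"], probe))
```

The destination wildcard 255.255.255.255 in the typed rule ignores every bit, which is why the running config stores it as `any`; the source stays a single host until the `host` keyword is removed.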

 
