New Member

Deny 15 IP's with ACL

I need to deny 15 IP's on my network.

I'm using the following IP addressing 10.246.32.22/22 and the IP's I need to deny are 10.246.32.230 to 10.246.32.245.

Is there any option on the ACL's to deny this range of 15 IP's or I have to deny one IP per line?

I appreciate your comments!!

1 ACCEPTED SOLUTION

Accepted Solutions
Silver

Re: Deny 15 IP's with ACL

Hi there,

There's no option to enter a pure range.. you'll have to find bit boundaries and write your ACL.. I have done this for you here:

access-list 100 deny ip 10.246.32.230 0.0.0.1 any
access-list 100 deny ip 10.246.32.232 0.0.0.7 any
access-list 100 deny ip 10.246.32.240 0.0.0.3 any
access-list 100 deny ip 10.246.32.244 0.0.0.1 any

At least there are fewer than 15 entries.. :)

Did it help?

6 REPLIES

New Member

Re: Deny 15 IP's with ACL

Thank you Johansens!!!

It helped a lot!!!

New Member

Re: Deny 15 IP's with ACL

Sorry fellows,

what about this full-range access-list:

access-list 100 deny ip 10.246.32.230 0.0.0.15 any ?

Thank you for consideration.

hjmacholl

Purple

Re: Deny 15 IP's with ACL

Hi,

In order to match the given range using a wildcard mask of 0.0.0.15, the network address specified on the ACL has to be a multiple of 16. If you enter the ACL as you have posted above into a router, it will change it to:

access-list 100 deny ip 10.246.32.224 0.0.0.15 any

The important thing here is to use the right bit boundary when configuring ACLs. With a mask of 0.0.0.15, the last 4 bits of your network address have to be zero. When converted to binary, 230 is 11100110 whereas 224 in binary is 11100000 (the last 4 bits are zero).

Therefore, the answer to your question is that the ACL you have specified will not work.

Hope that helps... please rate helpful posts.

Regards,

Paresh

Silver

Re: Deny 15 IP's with ACL

Hi there,

Sorry, but it won't work, because it's not on a proper bit boundary:

10.246.32.230 = 00001010.11110110.00100000.11100110
00.000.00.015 = 00000000.00000000.00000000.00001111

There should never be active bits in the "wildcard-space" when specifying a subnet.

Let's take a look at the 'offending' range:

10.246.32.230 = 00001010.11110110.00100000.11100110
10.246.32.231 = 00001010.11110110.00100000.11100111
10.246.32.232 = 00001010.11110110.00100000.11101000
10.246.32.233 = 00001010.11110110.00100000.11101001
10.246.32.234 = 00001010.11110110.00100000.11101010
10.246.32.235 = 00001010.11110110.00100000.11101011
10.246.32.236 = 00001010.11110110.00100000.11101100
10.246.32.237 = 00001010.11110110.00100000.11101101
10.246.32.238 = 00001010.11110110.00100000.11101110
10.246.32.239 = 00001010.11110110.00100000.11101111
10.246.32.240 = 00001010.11110110.00100000.11110000
10.246.32.241 = 00001010.11110110.00100000.11110001
10.246.32.242 = 00001010.11110110.00100000.11110010
10.246.32.243 = 00001010.11110110.00100000.11110011
10.246.32.244 = 00001010.11110110.00100000.11110100
10.246.32.245 = 00001010.11110110.00100000.11110101

What you need to check for is the maximum number of bits which DOESN'T change, starting from the left and travelling to the right in the bit patterns.

From the list above, you would think the following could be used:

10.246.32.224 = 00001010.11110110.00100000.11100000

Here we mask out the bits which could vary:

00.000.00.031 = 00000000.00000000.00000000.00011111

But this encompasses more than the range you wanted to use. With this subnet and wildcard, you'll select from .224 up to and including .255, which would clearly be too much.

Then we'll need to break the range down to smaller ranges. Let's also look at the values above and after the interesting range:

10.246.32.224 = 00001010.11110110.00100000.11100000
10.246.32.225 = 00001010.11110110.00100000.11100001
10.246.32.226 = 00001010.11110110.00100000.11100010
10.246.32.227 = 00001010.11110110.00100000.11100011
10.246.32.228 = 00001010.11110110.00100000.11100100
10.246.32.229 = 00001010.11110110.00100000.11100101
---------------------------------------------------
10.246.32.230 = 00001010.11110110.00100000.11100110
10.246.32.231 = 00001010.11110110.00100000.11100111
10.246.32.232 = 00001010.11110110.00100000.11101000
10.246.32.233 = 00001010.11110110.00100000.11101001
10.246.32.234 = 00001010.11110110.00100000.11101010
10.246.32.235 = 00001010.11110110.00100000.11101011
10.246.32.236 = 00001010.11110110.00100000.11101100
10.246.32.237 = 00001010.11110110.00100000.11101101
10.246.32.238 = 00001010.11110110.00100000.11101110
10.246.32.239 = 00001010.11110110.00100000.11101111
10.246.32.240 = 00001010.11110110.00100000.11110000
10.246.32.241 = 00001010.11110110.00100000.11110001
10.246.32.242 = 00001010.11110110.00100000.11110010
10.246.32.243 = 00001010.11110110.00100000.11110011
10.246.32.244 = 00001010.11110110.00100000.11110100
10.246.32.245 = 00001010.11110110.00100000.11110101
---------------------------------------------------
10.246.32.246 = 00001010.11110110.00100000.11110110
10.246.32.247 = 00001010.11110110.00100000.11110111
10.246.32.248 = 00001010.11110110.00100000.11111000
10.246.32.249 = 00001010.11110110.00100000.11111001
10.246.32.250 = 00001010.11110110.00100000.11111010

Now you can see where you'll have to break the patterns down:

at 1110011x, giving a wildcard of 00000001 for the first two,
at 11101xxx, giving a wildcard of 00000111 for the next eight,
at 111100xx, giving a wildcard of 00000011 for the next four,
at 1111010x, giving a wildcard of 00000001 for the last two.

So, then you have the subnets and wildcards given:

11100110 = .230, 00000001 = .1
11101000 = .232, 00000111 = .7
11110000 = .240, 00000011 = .3
11110100 = .244, 00000001 = .1

Did it help? If so, please rate it.
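
The bit-boundary check from Paresh's reply and the range-splitting walk-through above, as an added example that is not from any poster in this thread. It assumes plain IPv4 and numbered IOS-style ACL syntax; the function names are my own.

```python
import ipaddress


def _to_int(dotted):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def is_on_bit_boundary(address, wildcard):
    """An ACL entry is properly aligned only when no 'don't care' bit of the
    wildcard is set in the address (address AND wildcard must be zero)."""
    return _to_int(address) & _to_int(wildcard) == 0


def normalize(address, wildcard):
    """What the router stores for a misaligned entry: the wildcard bits are
    cleared, so 10.246.32.230 0.0.0.15 becomes 10.246.32.224 0.0.0.15."""
    cleared = _to_int(address) & ~_to_int(wildcard) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(cleared))


def range_to_wildcards(first, last):
    """Split an inclusive range into the fewest (address, wildcard) pairs.
    Greedy: from the current start, take the largest power-of-two block that
    is aligned to its own size and does not run past 'last'. This is the
    same search for unchanging leading bits described in the post above."""
    start, end = _to_int(first), _to_int(last)
    pairs = []
    while start <= end:
        size = 1
        while start % (size * 2) == 0 and start + size * 2 - 1 <= end:
            size *= 2
        pairs.append((str(ipaddress.IPv4Address(start)),
                      str(ipaddress.IPv4Address(size - 1))))
        start += size
    return pairs


def acl_lines(number, first, last):
    """Render deny entries for the range. A numbered ACL ends with an
    implicit deny-all, so an explicit permit is appended; drop it if the
    ACL is meant to block everything else too."""
    lines = [f"access-list {number} deny ip {net} {wc} any"
             for net, wc in range_to_wildcards(first, last)]
    lines.append(f"access-list {number} permit ip any any")
    return lines


if __name__ == "__main__":
    print("\n".join(acl_lines(100, "10.246.32.230", "10.246.32.245")))
```

For a quick cross-check, `ipaddress.summarize_address_range` yields the same blocks as CIDR networks; the wildcard is each network's `hostmask`.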

New Member

Re: Deny 15 IP's with ACL

Hello johansens,

your explanation was very understandable to me.

Thank you for your help!

hjmacholl
