
Setting up an extended ACL?

Discussion in 'Routing & Switching' started by flopstocks, Jul 26, 2007.

  1. flopstocks

    flopstocks Nibble Poster

    Trying to get my head around this, but it's a nightmare!

    I have a network, and need to restrict access from another network. The ip of the network to restrict access from is My task is to deny all access apart from the terminals in the lower half of the address range (2-127). So any address from 192.168.2 - is allowed, everything else should be denied.

    Looking at this logically, anything with a 1 in the first bit in the last octet should be denied.

    So do I use the ACL

    deny (to deny the range outside 2-127)
    permit any to (allow the 2-127 in)

    Thanks in advance!
    Certifications: A+, Network+, CCNA, BSc(Hons) Open
  2. MacAllan

    MacAllan Byte Poster


    First, the 128 at the end of the IP address is for the subnet where addresses are greater than 128; you're trying to block the lower half. That is, if there is a 0 in the first position in that final octet, it must be denied; if it is a 1, accepted.

    The wildcard mask needs to have 1's in every position 'except' that of the first in the final octet: 01111111 = 127
    A quick way of doing it is to subtract it from 255:
    255-128 = 127

    so, you are denying

    Secondly, the permit - you need
    permit ip any any

    You can have 'any' because you have already denied those more specific - ACLs are read in sequence, not as a cumulative whole, so the first one that 'fits' is applied.

    Your next challenge, Jim, if you choose to accept it, is to work out how to allow telnet access. This requires you to use an 'extended' access list, where you can specify the tcp port.

    Have a look at this.

    This computer will self-destruct in 5 seconds . . . . :blowingup
    Certifications: A+, N+, CCNA
    WIP: CCNP, Linux+
  3. MacAllan

    MacAllan Byte Poster


    Misread your post: you are 'denying everything except the first subnet - 127', and only allowing that telnet access?

    access-list 101 permit tcp eq telnet

    And that is it. Everything else is denied by default. Read the other link, though, so you know why.

    Dang, really should learn to read properly....... :oops:
    Certifications: A+, N+, CCNA
    WIP: CCNP, Linux+
  4. r.h.lee

    r.h.lee Gigabyte Poster


    Let's take this step by step.

    1. What is the network address?
    2. What is the default mask?
    3. What is the range of IP address values for hosts?
    4. What is the broadcast IP address?
    5. What is the range of IP addresses to be denied?
    6. What would the subnet mask for that range of IP addresses to be denied be?
    7. Given the subnet mask for the range of IP addresses to be denied, what would the wildcard mask be?

    I hope this helps.
    Certifications: MCSE, MCP+I, MCP, CCNA, A+
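    The wildcard-mask arithmetic and first-match ACL evaluation discussed by MacAllan, carried through r.h.lee's step list, as an added worked example that is not part of the thread. The /24 and the denied upper half (.128-.255) are constructed sample values, since the thread's own addresses did not survive.

```python
import ipaddress

def wildcard_mask(prefix_len: int) -> str:
    """Cisco wildcard mask for a prefix: the bitwise inverse of the subnet
    mask (MacAllan's '255 - mask octet' shortcut, e.g. 255 - 128 = 127)."""
    netmask = int(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)
    return str(ipaddress.IPv4Address(netmask ^ 0xFFFFFFFF))

def matches(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 1 = 'ignore this bit', 0 = 'must equal the base'."""
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    return (a & care) == (b & care)

def evaluate(acl, src: str) -> str:
    """Entries are read in sequence; the first that fits is applied.
    A packet matching nothing falls through to the implicit deny."""
    for action, base, wildcard in acl:
        if matches(src, base, wildcard):
            return action
    return "deny"

def describe_block(cidr: str) -> dict:
    """r.h.lee's steps for one address block: network address, mask,
    host range, broadcast, and the wildcard mask that selects the block."""
    net = ipaddress.IPv4Network(cidr)
    hosts = list(net.hosts())
    return {
        "network": str(net.network_address),
        "mask": str(net.netmask),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "broadcast": str(net.broadcast_address),
        "wildcard": wildcard_mask(net.prefixlen),
    }

# Constructed sample policy: deny the upper half of 192.168.2.0/24,
# then 'permit ip any any' for everything else.
ACL = [
    ("deny", "192.168.2.128", wildcard_mask(25)),  # 0.0.0.127 -> .128-.255
    ("permit", "0.0.0.0", "255.255.255.255"),       # permit ip any any
]

if __name__ == "__main__":
    print(describe_block("192.168.2.128/25"))
    for src in ("192.168.2.5", "192.168.2.127", "192.168.2.128", "10.0.0.1"):
        print(src, evaluate(ACL, src))
```

    Reversing the two entries permits every source, which is the ordering point MacAllan makes: the broad permit must come after the specific deny.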
