Setting up an extended ACL?

Discussion in 'Routing & Switching' started by flopstocks, Jul 26, 2007.

  1. flopstocks

    flopstocks Nibble Poster

    Trying to get my head around this, but it's a nightmare!

    I have a network, and need to restrict access from another network. The IP of the network to restrict access from is 192.168.2.0. My task is to deny all access apart from the terminals in the lower half of the address range (2-127). So any address from 192.168.2 - 192.168.2.127 is allowed, everything else should be denied.

    Looking at this logically, anything with a 1 in the first bit in the last octet should be denied.

    So do I use the ACL

    deny 192.168.2.128 0.0.0.128 (to deny the range outside 2-127)
    permit any (to allow the 2-127 in)

    Thanks in advance!
     
    Certifications: A+, Network+, CCNA, BSc(Hons) Open
  2. MacAllan

    MacAllan Byte Poster

    deny 192.168.2.128 0.0.0.128

    First, the 128 at the end of the IP address is for the subnet where addresses are greater than 128, you're trying to block the lower half. That is, if there is a 0 in the first position in that final octet, it must be denied, if it is a 1, accepted.

    The wildcard mask needs to have 1's in every position 'except' that of the first in the final octet 01111111 = 127
    A quick way of doing it is to subtract it from 255:
    255-128 = 127

    so, you are denying 192.168.2.0 0.0.0.127

    Secondly, the permit, - you need
    permit ip any any

    You can have 'any' because you have already denied those more specific - ACLs are read in sequence, not as a cumulative whole, so the first one that 'fits' is applied.

    Your next challenge, Jim, if you choose to accept it, is to work out how to allow telnet access. This requires you to use an 'extended' access list, where you can specify the TCP port.

    Have a look at this.

    This computer will self-destruct in 5 seconds . . . . :blowingup
     
    Certifications: A+, N+, CCNA
    WIP: CCNP, Linux+
  3. MacAllan

    MacAllan Byte Poster

    OOOPPPSSS!!!!

    Misread your post: you are 'denying everything except the first subnet 192.168.2.0 - 127', and only allowing that telnet access?

    access-list 101 permit tcp 192.168.2.0 0.0.0.127 any eq telnet


    And that is it. Everything else is denied by default. Read the other link, though, so you know why.

    Dang, really should learn to read properly....... :oops:
     
    Certifications: A+, N+, CCNA
    WIP: CCNP, Linux+
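The two posts above turn on three things: how an IOS wildcard mask selects addresses (a 1 bit means "don't care"), why 0.0.0.127 rather than 0.0.0.128 covers a half of the last octet, and that an ACL is evaluated top to bottom with first match winning and an implicit deny at the end. The following is an added example, not code from the thread or from Cisco; it models those rules in Python with the standard `ipaddress` module. The ACL tuple layout (`action, protocol, source, source wildcard, destination, destination wildcard, destination port`) and the sample addresses are constructed for illustration.

```python
import ipaddress

def _int(addr: str) -> int:
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))

def wildcard_matches(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: bits set to 1 in the wildcard are ignored,
    every other bit of addr must equal the corresponding bit of base."""
    care = ~_int(wildcard) & 0xFFFFFFFF
    return (_int(addr) & care) == (_int(base) & care)

def wildcard_from_mask(mask: str) -> str:
    """Inverse of a subnet mask, e.g. 255.255.255.128 -> 0.0.0.127
    (the '255 minus each octet' shortcut from the post, done bitwise)."""
    return str(ipaddress.IPv4Address(_int(mask) ^ 0xFFFFFFFF))

def matching_hosts(base: str, wildcard: str, network: str = "192.168.2.0/24") -> list:
    """Enumerate the addresses inside `network` that a base/wildcard pair matches.
    Used here to show that 0.0.0.128 does not select 'the upper half'."""
    return [str(a) for a in ipaddress.IPv4Network(network)
            if wildcard_matches(str(a), base, wildcard)]

def evaluate(acl: list, proto: str, src: str, dst: str, dport=None) -> str:
    """Walk the ACL in order; the first entry whose protocol, source, destination
    and (optional) destination port all match decides. Anything that falls off
    the end hits the implicit deny present in every IOS access list."""
    for action, p, sbase, swc, dbase, dwc, port in acl:
        if p != "ip" and p != proto:
            continue
        if not wildcard_matches(src, sbase, swc):
            continue
        if not wildcard_matches(dst, dbase, dwc):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"

ANY = ("0.0.0.0", "255.255.255.255")

# MacAllan's second answer: only telnet from the lower half, everything else
# falls through to the implicit deny. (Constructed tuple form of access-list 101.)
ACL_101 = [
    ("permit", "tcp", "192.168.2.0", "0.0.0.127", *ANY, 23),
]

# The deny-then-permit shape the original poster sketched, with the wildcard
# corrected to 0.0.0.127 so it really covers 192.168.2.128-255.
ACL_DENY_UPPER_HALF = [
    ("deny", "ip", "192.168.2.128", "0.0.0.127", *ANY, None),
    ("permit", "ip", *ANY, *ANY, None),
]

if __name__ == "__main__":
    print("0.0.0.128 matches only:", matching_hosts("192.168.2.128", "0.0.0.128"))
    print("0.0.0.127 matches", len(matching_hosts("192.168.2.128", "0.0.0.127")), "hosts")
    for src, port in (("192.168.2.5", 23), ("192.168.2.5", 80), ("192.168.2.200", 23)):
        print(f"ACL 101: tcp {src} -> 10.0.0.1:{port} =", evaluate(ACL_101, "tcp", src, "10.0.0.1", port))
```

Running it shows the trap in the first post directly: `192.168.2.128 0.0.0.128` matches exactly two addresses (192.168.2.0 and 192.168.2.128), because a single wildcard bit only frees a single bit of the address, while `0.0.0.127` frees the low seven bits and so selects a contiguous block of 128 hosts.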
  4. r.h.lee

    r.h.lee Gigabyte Poster

    flopstocks,

    Let's take this step by step.

    1. What is the network address?
    2. What is the default mask?
    3. What is the range of IP address values for hosts?
    4. What is the broadcast IP address?
    5. What is the range of IP addresses to be denied?
    6. What would the subnet mask for that range of IP addresses to be denied be?
    7. Given the subnet mask for the range of IP addresses to be denied, what would the wildcard mask be?

    I hope this helps.
     
    Certifications: MCSE, MCP+I, MCP, CCNA, A+
    WIP: CCDA
