leblanc

asked on

ACL on a range of IP addresses

I want to include only a range of IP addresses, 10.10.0.101 to 10.10.0.254, in my ACL. Is there a tutorial on how to do this? Thanks
Kimputer

You forgot to mention which router you are configuring right now.

ASKER

Sorry. I am using a Cisco Catalyst 6509 switch
SOLUTION
Kimputer


ASKER

How did you come up with the wildcard? Are there some bit patterns you need to play around with? Thx
Because Cisco's ACLs are based on subnets and not on strings (like on simpler routers, where you fill in a start and an end), you have to play around with the subnet mask, which is bound to rules.
Therefore, you either know the rules off the top of your head, or you use a subnet calculator (available as an online page).
SOLUTION

ASKER

Can you remind me how you come up with the wildcard mask in 10.10.10.96 0.0.0.7? Thx
SOLUTION

ASKER

Thank you for the explanation. The problem that I am having now is: what if I have hosts in the range between 97 and 102? They will not be allowed (see below). I am planning to apply this ACL on the WAN interface.

! ACL 101 is an extended ACL, so each line needs a protocol and a destination
! deny 96 - 103
access-list 101 deny ip 10.10.10.96 0.0.0.7 any
! permit 96 - 127, but the previous statement already blocks some of them
access-list 101 permit ip 10.10.10.96 0.0.0.31 any
ASKER CERTIFIED SOLUTION
hosts in the range between 97 and 102
and also there was no problem for hosts in this range, but for the 6 IP addresses 96 - 100
:)
The ACL is executed from top to bottom, so first 101 - 103 were permitted, and then that part of the range is denied; it will actually never check the third statement if either of the first two statements matched.
If two statements overlap and there is a match in the first statement, the second statement won't be reached. When the first match is found, it is game over. If there is no matching statement in the ACL, there is an implicit deny any statement at the end of the ACL. So 96 - 100 are denied anyway in both cases, and both ACLs have exactly the same result.
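The two mechanics discussed in the replies above, working out wildcard entries for an arbitrary range (the "subnet calculator" step) and the top-to-bottom, first-match evaluation with the implicit deny at the end, as an added Python example that is not part of the original thread. It uses only the standard library; the three-entry "reordered" ACL and the host addresses it is evaluated against are constructed here for illustration and are not taken from the hidden solutions.

```python
import ipaddress


def range_to_wildcard_entries(first, last):
    """Split an inclusive IPv4 range into the minimal list of
    (base_address, wildcard_mask) pairs, one per Cisco ACL entry.

    A Cisco wildcard is the bitwise inverse of the subnet mask, and one
    entry can only describe an aligned, power-of-two sized block. That is
    why a range such as .101-.254 needs several entries rather than one.
    ipaddress.summarize_address_range does the CIDR decomposition, and
    IPv4Network.hostmask is exactly the wildcard for each block."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [(str(b.network_address), str(b.hostmask)) for b in blocks]


def render_extended_acl(number, entries):
    """Render (action, base, wildcard) entries as IOS extended ACL lines
    (match on source, any destination, IP protocol)."""
    return [f"access-list {number} {action} ip {base} {wildcard} any"
            for action, base, wildcard in entries]


def wildcard_match(addr, base, wildcard):
    """Wildcard semantics: a 0 bit must equal the base, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


def evaluate_acl(entries, addr):
    """Simulate IOS ACL processing: top to bottom, first match wins,
    and an implicit 'deny any' if no entry matched."""
    for action, base, wildcard in entries:
        if wildcard_match(addr, base, wildcard):
            return action
    return "deny"


# The asker's two-line ACL from the thread (deny 96-103, then permit 96-127).
ASKER_ACL = [
    ("deny",   "10.10.10.96", "0.0.0.7"),
    ("permit", "10.10.10.96", "0.0.0.31"),
]

# Constructed variant: permit .101-.103 first, then the same two lines.
# Because evaluation is first-match, the earlier permit now wins for .101-.103.
REORDERED_ACL = [("permit", base, wc) for base, wc in
                 range_to_wildcard_entries("10.10.10.101", "10.10.10.103")] + ASKER_ACL

# ACL for the original question: permit exactly 10.10.0.101 - 10.10.0.254
# (eleven entries, because the range is not a single aligned block).
QUESTION_ACL = [("permit", base, wc) for base, wc in
                range_to_wildcard_entries("10.10.0.101", "10.10.0.254")]

if __name__ == "__main__":
    for line in render_extended_acl(101, QUESTION_ACL):
        print(line)
    for host in ("10.10.10.100", "10.10.10.102", "10.10.10.110", "10.10.10.130"):
        print(host, "asker:", evaluate_acl(ASKER_ACL, host),
              "reordered:", evaluate_acl(REORDERED_ACL, host))
```

Running it prints the eleven permit lines needed for .101-.254 and shows that .100 is denied by the first entry of the asker's ACL, .110 is permitted by the second, and .130 falls through to the implicit deny; in the reordered ACL, .102 is permitted because its entry sits above the deny.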

ASKER

I am a bit confused about the wildcard mask because I see ACLs with a subnet mask (see below). So isn't it easier to use a subnet mask? Can I use a subnet mask instead of a wildcard mask?

access-list MY-ACL permit ip 10.10.0.0 255.255.255.0 10.10.6.0 255.255.255.0
That's just the way Cisco is doing that.
You can try, but 255 in this case means any address, and 0 means exactly this address.
The statement that you wrote, translated into some form of English :)
permit any IP address that ends with 0 if it is forwarded to any IP address that ends with 0
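The reply's reading of that line, as an added Python example that is not part of the original thread: with wildcard semantics, a 255 in an octet means "don't care" and a 0 means "must match exactly", so a subnet mask typed in the wildcard position matches every address whose last octet is 0, while the inverted mask matches the intended /24. The sample addresses are constructed for the demonstration. One caveat worth knowing: on a Cisco ASA the `access-list NAME permit ip net mask net mask` form really does take subnet masks, so a line like the one quoted may have been copied from an ASA; on IOS (including the Catalyst 6509) that position is a wildcard.

```python
import ipaddress


def subnet_mask_to_wildcard(mask):
    """Convert a subnet mask to the Cisco IOS wildcard for the same block:
    the wildcard is the bitwise inverse (255.255.255.0 -> 0.0.0.255)."""
    m = int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(m ^ 0xFFFFFFFF))


def wildcard_match(addr, base, wildcard):
    """Wildcard semantics: a 0 bit must equal the base, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


def matching_hosts(base, wildcard, candidates):
    """Return the candidates that an IOS entry 'base wildcard' would match."""
    return [h for h in candidates if wildcard_match(h, base, wildcard)]


# Constructed sample addresses, chosen to expose the difference.
SAMPLE_HOSTS = ["10.10.0.0", "10.10.0.1", "10.10.0.55",
                "10.10.6.0", "192.168.99.0", "172.16.5.7"]

# The subnet mask used where IOS expects a wildcard, as in the thread's line:
# only the last octet is compared, so every address ending in .0 matches,
# regardless of which network it belongs to.
AS_TYPED = matching_hosts("10.10.0.0", "255.255.255.0", SAMPLE_HOSTS)

# The entry that was presumably intended: the 10.10.0.0/24 network.
INTENDED = matching_hosts("10.10.0.0",
                          subnet_mask_to_wildcard("255.255.255.0"),
                          SAMPLE_HOSTS)

if __name__ == "__main__":
    print("as typed (255.255.255.0 as wildcard):", AS_TYPED)
    print("intended (0.0.0.255 wildcard):      ", INTENDED)
```

The "as typed" list contains 10.10.6.0 and 192.168.99.0, neither of which is in 10.10.0.0/24, and omits 10.10.0.1 and 10.10.0.55, which are; the inverted wildcard gives the expected three hosts.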