
Routing

mnijhum
Level 1

Hello, 

I have a subnet of 1024 hosts. I have to categorize these hosts as 512+512: the first 512 hosts for a particular area and the other 512 for another area. Moreover, the first 512 hosts can access only a particular network and the second 512 hosts cannot. How can I permit only those 512 hosts using an ACL? Basically, my question is how to permit a range of IPs. My subnet is 10.0.0.0/21. I need to allow the first 512 hosts and deny the latter 512 hosts.

Thanks.


balaji.bandi
Hall of Fame
Hall of Fame

Here is the example:

You need to use 10.0.0.0/23 (255.255.254.0) for the first 512-IP range,

and next 10.0.2.0/23 for the other 512, so make the ACL based on the mask.

If you want to be more specific, post your IP range so we can suggest something better.

 

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

My subnet is 10.0.0.0/21. I need to allow the first 512 hosts and deny the latter 512 hosts.

You need to be more specific. If you are using the same subnet, my example for the subnet works.

What do you want to deny, and what would you like to allow? More clarity is needed here.

It would be nice if you could provide an example of what your goal is.

 

BB


Yes, your example for the subnet works, but my question is how to allow the first 512 hosts of this network. I cannot do further subnetting of this network.

It would be nice if you could provide an example of what your goal is.

BB


Here is the problem I am working on. 

 

The Stormlands only allow castles of other kingdoms to access their network. Packets from any other place/network are automatically denied.

 

In Westeros, there are seven kingdoms as follows along with their population size and other characteristics of each kingdom:

  1. The North – Population size: 200
    1. The North, being the kingdom on the border, connects to the Internet (Outside the wall). Consequently, all the other kingdoms communicate with the outside world via the North kingdom.
    2. Has enough budget to buy 2 real IPs only.
  2. The Mountain and The Vale – Population size: 80
    1. The Vale has a restaurant called ‘A Restaurant has No Name’ and uses 10 of the IPs of the Vale.
  3. The Rock – Population size: 1024
    1. The first 512 IPs are given to the people who live in the castle
    2. The latter 512 IPs are given to the people who live outside the castle
  4. The Stormlands – Population size: 250
  5. The Reach
    1. Castles under The Reach
      1. Old Oak - Population size: 10
      2. Grassy Vale - Population size: 50
    2. Other villages - Population size: 10

 

Outside the wall:

  • Assume that this is the outside network for the seven kingdoms that they use to connect to the internet.
  • Has a single web server (browseable)

Overall Specifications:

  • Use Routers and Switches where appropriate.
  • You may need to apply VLSM more than once
  • The Stormlands only allow castles of other kingdoms to access their network. Packets from any other place/network are automatically denied.
  • Install at least 2 PCs/laptops for each individual network.
  • Have at least one backup route for two cities
  • Use summarization if needed anywhere
  • Use at least one network with static routing, and for others use RIPv2.
  • You may use at most two PCs to represent all the hosts of a network (no need to put in 32 PCs if it says there are 32 people in the area).

Now, how can I allow The Rock's first 512 hosts to access the Stormlands?

It depends on which direction of your network you would like to implement this in.

I suggest reading this document to get familiar with ACLs.

 

https://www.cisco.com/c/en/us/support/docs/ip/access-lists/26448-ACLsamples.html

BB


Hi @mnijhum ,

 

Just to clarify, if you need to allow only the first 512 hosts, this ACL can help you:

access-list 1 permit 10.0.0.0 0.0.1.255

This ACL will allow the first 512 hosts and all others will be denied, because at the end of every ACL there is an implicit deny.

As a detail to consider:

Your network with mask /21 has 2048 hosts in total, so we can divide it into 4 blocks of 512 each. These would be the 4 imaginary blocks:

1st network = 10.0.0.0 wildcard = 0.0.1.255 (mask /23)

2nd network = 10.0.2.0 wildcard = 0.0.1.255 (mask /23)

3rd network = 10.0.4.0 wildcard = 0.0.1.255 (mask /23)

4th network = 10.0.6.0 wildcard = 0.0.1.255 (mask /23)

Now that these 4 blocks are clear, you can use an ACL to allow or deny any one of them, using these parameters (network / wildcard).

 

Regards
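
The wildcard matching and implicit deny described in the answer above, as an added example that is not part of the original posts. It models a standard ACL in Python to check which source addresses of 10.0.0.0/21 the single permit entry lets through; the function names are hypothetical and this is not Cisco code.

```python
import ipaddress

def split_blocks(cidr, new_prefix):
    """Split a network into equal blocks; return (base address, wildcard) pairs.
    The wildcard mask is the bitwise inverse of the subnet mask (the hostmask)."""
    net = ipaddress.ip_network(cidr)
    return [(str(s.network_address), str(s.hostmask))
            for s in net.subnets(new_prefix=new_prefix)]

def entry_matches(addr, base, wildcard):
    """Wildcard semantics: a 0 bit must equal the base, a 1 bit is ignored."""
    a = int(ipaddress.ip_address(addr))
    b = int(ipaddress.ip_address(base))
    w = int(ipaddress.ip_address(wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

def evaluate(acl, addr):
    """First matching entry decides; no match falls through to the implicit deny."""
    for action, base, wildcard in acl:
        if entry_matches(addr, base, wildcard):
            return action
    return "deny"

def permitted_count(acl, cidr):
    """Count how many addresses of a network the ACL permits."""
    return sum(1 for ip in ipaddress.ip_network(cidr)
               if evaluate(acl, str(ip)) == "permit")

# The entry from the answer: access-list 1 permit 10.0.0.0 0.0.1.255
ACL_1 = [("permit", "10.0.0.0", "0.0.1.255")]

if __name__ == "__main__":
    # The four /23 blocks of the /21, each with wildcard 0.0.1.255
    for base, wildcard in split_blocks("10.0.0.0/21", 23):
        print(base, wildcard)
    # Constructed sample sources: both edges of the first block, then outside it
    for host in ("10.0.0.1", "10.0.1.255", "10.0.2.0", "10.0.7.254"):
        print(host, evaluate(ACL_1, host))
    print("permitted in /21:", permitted_count(ACL_1, "10.0.0.0/21"))
```
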

 

 
