ACL Configuration Question

slytell
Level 1

In an attempt to configure an ACL on a 2600 series router running 12.0 IOS, I configured the following ACL:

access-list 101 permit ip any 10.101.67.0 0.0.0.63

access-list 102 permit ip any 10.101.67.192 0.0.0.255

I'm using a subnet mask of 255.255.255.192 which should give me four subnets as follows:

Network ID      Range                           Broadcast
10.101.67.0     10.101.67.1   - 10.101.67.62    10.101.67.63
10.101.67.64    10.101.67.65  - 10.101.67.126   10.101.67.127
10.101.67.128   10.101.67.129 - 10.101.67.190   10.101.67.191
10.101.67.192   10.101.67.193 - 10.101.67.254   10.101.67.255

When I do a show run, it displays:

access-list 101 permit ip any 10.101.67.0 0.0.0.63

access-list 102 permit ip any 10.101.67.0 0.0.0.255

Note that for ACL 102, the destination address is the same as for 101, even though I specified a fourth octet of 192.

My interpretation of the ACL is that all hosts on the 10.101.67.0 network will be permitted via ACL 101 and all hosts on network 10.101.67.192 will be permitted as well. All other hosts on the other two networks will be denied.

My question: is there a way to specify only the address range for a particular network (10.101.67.192) without listing all the individual hosts?

Thank you in advance for any and all responses!

Steve

Accepted Solution

vaughan.lee
Level 1

Hi Steve,

The problem you've encountered with access-list 102 is the mask you are using. By using the 0.0.0.255 mask, you are telling the router to ignore the last byte of the address (the router sets all of the 'ignore' bits to zero in the access-list, so giving you the address of 10.101.67.0). If you want to match subnet 10.101.67.192 /26, you should again be using the 0.0.0.63 mask. This tells the router to precisely match against all of the IP address with the exception of the last 6 bits, so covering from 192 (192 + 0) to 255 (192 + 63).

Remember also that each interface can only have one inbound and one outbound access-list per protocol. If you wanted access-list 101 to match against the first and last subnets, you would configure it as:

access-list 101 permit ip any 10.101.67.0 0.0.0.63

access-list 101 permit ip any 10.101.67.192 0.0.0.63

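To make the wildcard-mask behaviour in the accepted answer concrete, here is a small added example (not from the original thread or from Cisco): it normalizes an address/wildcard pair the way IOS does (ignore bits forced to zero), tests whether a host matches, and reports how many addresses an entry such as `10.101.67.192 0.0.0.255` permits beyond the intended /26. The function names are my own.

```python
import ipaddress


def _ints(address: str, wildcard: str):
    """Helper: return (address, wildcard) as 32-bit integers."""
    return int(ipaddress.IPv4Address(address)), int(ipaddress.IPv4Address(wildcard))


def normalize_acl_entry(address: str, wildcard: str) -> str:
    """Address as IOS stores it: every 'ignore' (1) bit of the wildcard is zeroed.
    With wildcard 0.0.0.255 this rewrites 10.101.67.192 to 10.101.67.0, which is
    exactly what the poster saw in 'show run'."""
    addr, wild = _ints(address, wildcard)
    return str(ipaddress.IPv4Address(addr & ~wild & 0xFFFFFFFF))


def acl_matches(address: str, wildcard: str, host: str) -> bool:
    """True if host matches the entry: only bits that are 0 in the wildcard are compared."""
    addr, wild = _ints(address, wildcard)
    h = int(ipaddress.IPv4Address(host))
    return (addr & ~wild) == (h & ~wild)


def matched_range(address: str, wildcard: str):
    """Lowest and highest address matched by a contiguous wildcard mask."""
    wild = _ints(address, wildcard)[1]
    base = int(ipaddress.IPv4Address(normalize_acl_entry(address, wildcard)))
    return str(ipaddress.IPv4Address(base)), str(ipaddress.IPv4Address(base | wild))


def wildcard_for_prefix(prefixlen: int) -> str:
    """Wildcard that matches exactly one subnet of the given length (/26 -> 0.0.0.63)."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefixlen}").hostmask)


def overmatch(address: str, wildcard: str, intended: str) -> int:
    """Count addresses the entry permits that lie outside the intended subnet.
    A non-zero result means the ACL is broader than the administrator meant."""
    lo, hi = matched_range(address, wildcard)
    matched = range(int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi)) + 1)
    wanted = {int(a) for a in ipaddress.IPv4Network(intended)}
    return sum(1 for a in matched if a not in wanted)


if __name__ == "__main__":
    # The thread's mistaken entry versus the corrected one.
    for wc in ("0.0.0.255", "0.0.0.63"):
        print(wc, normalize_acl_entry("10.101.67.192", wc),
              matched_range("10.101.67.192", wc),
              "extra addresses:", overmatch("10.101.67.192", wc, "10.101.67.192/26"))
```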

3 Replies


Thank you for your response! I had the right idea but used the wrong numbers.

Have a great day and smile! :-))

Steve

dathaide
Level 1

All hosts from 10.101.67.0 to 10.101.67.63 will be permitted via access-list 101.

All the hosts in 10.101.67.0 will be permitted via access-list 102.

You can specify ranges on the 10.101.67.192 0.0.0.63.

I hope this is what you were looking for. Let me know if I misunderstood the question.

thanks