Need Help for ACL - complicated

utawakevou
Level 4

I'm running a test lab where we have 4 subnets. Subnet 1 (10.1.1.0/24) is where my servers will be located, subnet 2 (10.1.2.0/24) is where my Netreg servers will be located, and subnets 3 (10.1.3.0/24) & 4 (10.1.4.0/24) are examples of my clients.

What we want is this. For example, a PC from subnet 3 (10.1.3.0/24) is connected to the network; its DHCP request is sent to subnet 2 (10.1.2.0/24), where it will get an IP from the range 10.1.3.224-254 within that /24. However, when the PC gets any IP from this range it should communicate ONLY with subnet 2 (10.1.2.0/24) and not with any other subnets (1 or 4). Then it will have to be registered, and the server will then issue an IP from the range 10.1.3.50-223. Once the PC has got an IP from this range (50-223) it can communicate with the rest of the subnets (1 and 4). This will have to be the same for subnet 4, as they are regarded as our clients for this scenario.

Hope someone helps

2 Replies

gfullage
Cisco Employee

Inbound on the Subnet3 interface apply the following:

interface x
  description Subnet 3 interface
  ip address 10.1.3.x 255.255.255.0
  ip access-group 100 in

access-list 100 permit ip 10.1.3.224 0.0.0.31 10.1.2.0 0.0.0.255
access-list 100 permit ip 10.1.3.50 0.0.0.1 any
access-list 100 permit ip 10.1.3.52 0.0.0.3 any
access-list 100 permit ip 10.1.3.56 0.0.0.7 any
access-list 100 permit ip 10.1.3.64 0.0.0.63 any
access-list 100 permit ip 10.1.3.128 0.0.0.63 any
access-list 100 permit ip 10.1.3.192 0.0.0.31 any

You can't subnet the hosts 50-223 nicely, which is why you need so many access-list entries to get all of them. If you just use 64-224 then you can get them all with just the bottom three ACL lines above, which might be easier to read for you.

The first line above allows only the 224-254 hosts to get to the 10.1.2.0 subnet as you specified.
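As an added illustration (not part of the forum thread or of gfullage's reply), the following Python models two things from the answer above: the splitting of a host range into aligned power-of-two blocks, which is what produces the six wildcard entries for 50-223 and the three for 64-223, and the top-down evaluation of ACL 100 with its implicit deny against sample source/destination pairs. `wildcard_entries`, `render_acl`, `wildcard_match` and `acl_permits` are helper names chosen here; the ACL entries themselves are transcribed from the reply.

```python
import ipaddress

# Inclusive host range (last octet) -> list of (start, wildcard) pairs. Each
# block is power-of-two sized and aligned to its size, which is the only shape
# a single IOS address/wildcard pair can express.
def wildcard_entries(first, last):
    entries = []
    cur = first
    while cur <= last:
        size = 1
        # grow the block while it stays aligned to its size and inside the range
        while cur % (size * 2) == 0 and cur + size * 2 - 1 <= last:
            size *= 2
        entries.append((cur, size - 1))
        cur += size
    return entries


def render_acl(number, prefix, first, last, dest="any"):
    """Render IOS extended-ACL permit lines for hosts prefix.first..prefix.last."""
    return [
        f"access-list {number} permit ip {prefix}.{start} 0.0.0.{wild} {dest}"
        for start, wild in wildcard_entries(first, last)
    ]


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)


# ACL 100 as posted above, as (src, src-wildcard, dst, dst-wildcard) permits.
# The first entry lets the unregistered pool (224-255) reach 10.1.2.0/24 only;
# the rest let the registered pool (50-223) reach anything.
ANY = ("0.0.0.0", "255.255.255.255")
ACL_100 = [("10.1.3.224", "0.0.0.31", "10.1.2.0", "0.0.0.255")] + [
    (f"10.1.3.{start}", f"0.0.0.{wild}", *ANY)
    for start, wild in wildcard_entries(50, 223)
]


def acl_permits(src, dst, acl=ACL_100):
    """Evaluate an ACL top-down; no match means the implicit deny applies."""
    for s_base, s_wild, d_base, d_wild in acl:
        if wildcard_match(src, s_base, s_wild) and wildcard_match(dst, d_base, d_wild):
            return True
    return False


if __name__ == "__main__":
    print("\n".join(render_acl(100, "10.1.3", 50, 223)))
    # constructed sample flows: unregistered host, registered host, DHCP discover
    for src, dst in [("10.1.3.230", "10.1.2.10"), ("10.1.3.230", "10.1.1.10"),
                     ("10.1.3.100", "10.1.1.10"), ("0.0.0.0", "255.255.255.255")]:
        print(f"{src} -> {dst}: {'permit' if acl_permits(src, dst) else 'deny'}")
```

Two things the simulation makes visible. The posted first entry uses 0.0.0.31, so it covers 224-255 rather than exactly 224-254; `wildcard_entries(224, 254)` would need five entries, whereas including the broadcast address .255 collapses it to one, which is the practical trade-off the reply made. And a DHCP DISCOVER, sourced from 0.0.0.0 to 255.255.255.255, matches none of the permits and so falls to the implicit deny; if the inbound ACL is consulted before the relay forwards the request, a permit for UDP bootpc/bootps traffic would have to sit above the implicit deny for the unregistered client to get an address at all.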

Thanks for your reply. I was thinking of just running a standard one like this:

! standard ACLs match on source address only, so no destination field
access-list 99 deny 10.1.0.224 0.0.0.31
access-list 99 permit any

and apply it inbound on the interfaces for subnets 1, 3 & 4.

What do you think?