08-19-2014 02:28 PM - edited 03-05-2019 06:53 AM
We use an old Cisco 2821 at the internet edge for initial inbound traffic filtering. In an attempt to block certain provider networks that are a source of SPAM, we attempted to apply an ACL that included a range of addresses as follows:
access-list 110 deny ip host 198.20.160.0 0.0.31.255 255.255.255.255
This command was shortened to the following in the running config:
access-list 110 deny ip host 198.20.160.0 any
The ACL does not seem to work, as we are still seeing SPAM slip through on this range.
Any help is greatly appreciated.
Thank you for your time.
Accepted Solutions

08-19-2014 06:39 PM
Hi,
Your ACL syntax will deny only host 192.20.160.0.
If you look below:
access-list 110 deny ip host 198.20.160.0 0.0.31.255 255.255.255.255
You have specified source as host (host 198.20.160.0)
destination host as any (invalid network and subnet mask - 0.0.31.255 255.255.255.255)
You want to block which subnet or network? Give me the source and destination subnet. Will recorrect the ACL.
HTH
Sandy
08-19-2014 07:02 PM
ACLs are in the form of:
access-list [###] [permit or deny] [protocol] [Source IP Network] [Source wildcard mask] [Destination IP Network] [Destination wildcard mask] [port (optional)]
When you use the keyword "host", that equals a wildcard mask of 0.0.0.0, and then you do not need to put in the wildcard mask, just the host IP.
In your example, access-list 110 deny ip host 198.20.160.0 0.0.31.255 255.255.255.255, you were telling the router that you wanted to deny packets from a single source IP of 198.20.160.0 with a wildcard mask of 0.0.0.0 and a destination of 0.0.31.255 255.255.255.255, which is an invalid IP and mask.
Hope this helps.
You can read this article to help more - Here

08-20-2014 06:37 AM
Thanks a ton. Copied an existing ACL and somehow totally missed the "host" keyword. That got it fixed right up.
access-list 110 deny ip 198.20.160.0 0.0.31.255 any
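
An added example, not part of any post in this thread: a small Python model of how the `host`, `any` and address/wildcard forms of an extended ACL entry are read and matched, applied to the entry as originally typed and to the corrected one. The function names and the destination address 203.0.113.25 are constructed for illustration, and port operators are not modelled.

```python
import ipaddress

ALL = 0xFFFFFFFF  # wildcard with every bit set: all bits are "don't care"

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _take_spec(tokens):
    """Consume one address spec: 'any', 'host A' or 'A WILDCARD' -> (addr, wildcard)."""
    first = tokens.pop(0)
    if first == "any":
        return (0, ALL)
    if first == "host":                      # host A is shorthand for A 0.0.0.0
        return (_ip(tokens.pop(0)), 0)
    return (_ip(first), _ip(tokens.pop(0)))

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST' (no port operators)."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list":
        raise ValueError("not an extended ACL entry: " + line)
    rest = tokens[4:]
    src = _take_spec(rest)                   # source is consumed first,
    dst = _take_spec(rest)                   # whatever is left is the destination
    return {"action": tokens[2], "proto": tokens[3], "src": src, "dst": dst}

def _hit(spec, ip):
    addr, wild = spec
    # Only bits where the wildcard is 0 must be equal.
    return ((_ip(ip) ^ addr) & ~wild & ALL) == 0

def matches(ace, src_ip, dst_ip):
    return _hit(ace["src"], src_ip) and _hit(ace["dst"], dst_ip)

def src_span(ace):
    """First and last source address covered (meaningful for contiguous wildcards)."""
    addr, wild = ace["src"]
    return (str(ipaddress.IPv4Address(addr & ~wild & ALL)),
            str(ipaddress.IPv4Address(addr | wild)))

# The two entries from the thread.
AS_TYPED = parse_ace("access-list 110 deny ip host 198.20.160.0 0.0.31.255 255.255.255.255")
FIXED = parse_ace("access-list 110 deny ip 198.20.160.0 0.0.31.255 any")

if __name__ == "__main__":
    dst = "203.0.113.25"                     # constructed destination address
    for name, ace in (("as typed", AS_TYPED), ("fixed", FIXED)):
        print(name, src_span(ace), matches(ace, "198.20.175.9", dst))
```

In the entry as typed, the pair after `host 198.20.160.0` is consumed as the destination, and its wildcard of 255.255.255.255 ignores every bit, which matches the `any` seen in the running config.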
