609 Views | 0 Helpful | 4 Replies

Access-List Deny IP Range

tim.smith
Level 1

I need to temporarily block two IP subnets at a remote site from reaching across the WAN, but they need to talk to each other in the meantime.  These subnets exist on my 4451 at Gi0/0/1.70 (10.63.70.0/24) and Gi0/0/1.71 (10.63.71.0/24), and they need to be blocked from reaching out across Gi0/0/0 (WAN interface).

Could someone show me a simple ACL to apply and where to apply it?

Thanks.

4 Replies

Hello,

the below should be sufficient:

access-list 101 deny ip 10.63.70.0 0.0.0.255 any
access-list 101 deny ip 10.63.71.0 0.0.0.255 any
access-list 101 permit ip any any
!
interface GigabitEthernet0/0/0
ip access-group 101 in

That looks great and mostly accurate from what little I know about ACLs.

I just have a question about how it is applied to that interface... Should it be applied to the inbound as you have it or the outbound of the WAN interface?

What if I wanted to block anything (IP or any other traffic) on those 2 sub-interfaces from reaching across the WAN (Gi0/0/0)?

Hello,

applying the access list inbound is recommended (traffic does not actually traverse the interface before it is processed).

Also, if you use NAT on your interfaces, you can also simply exclude the subinterfaces from the NAT process (no ip nat inside)...

Giuseppe Larosa
Hall of Fame

Hello Tim,

I would use two extended ACLs applied inbound on both subinterfaces

access-list 170 permit ip 10.63.70.0 0.0.0.255 10.63.71.0 0.0.0.255
access-list 170 deny ip any any
!
access-list 171 permit ip 10.63.71.0 0.0.0.255 10.63.70.0 0.0.0.255
access-list 171 deny ip any any
!
interface gi0/0/1.70
ip access-group 170 in
exit
interface gi0/0/1.71
ip access-group 171 in
exit

This provides the most granular control on what the two subnets can do.

Hope to help

Giuseppe
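To check what the proposed lists actually permit before pushing them to the router, here is a small evaluator (added example, not from either reply or from Cisco) that applies IOS standard/extended-ACL semantics to the ACE lines quoted above: top-down first match, Cisco wildcard masks, and the implicit deny at the end of every list. The sample flows are constructed; the ACL text is copied from the two answers in this thread.

```python
import ipaddress

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match exactly, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)

def _parse_addr(parts, i):
    """Return ((network, wildcard), next_index) for 'any', 'host X' or 'X WILDCARD'."""
    if parts[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if parts[i] == "host":
        return (parts[i + 1], "0.0.0.0"), i + 2
    return (parts[i], parts[i + 1]), i + 2

def parse_ace(line: str):
    """Parse 'access-list <num> <permit|deny> ip <src> <dst>' into (action, src, dst)."""
    parts = line.split()
    action = parts[2]                     # permit or deny
    src, i = _parse_addr(parts, 4)        # parts[3] is the protocol ('ip')
    dst, _ = _parse_addr(parts, i)
    return action, src, dst

def evaluate(acl_lines, src: str, dst: str) -> str:
    """First-match evaluation of an IP ACL against one source/destination pair."""
    for line in acl_lines:
        action, (sn, sw), (dn, dw) = parse_ace(line)
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action
    return "deny"  # IOS appends an implicit 'deny ip any any'

# ACE lines exactly as posted in the thread
ACL_101 = ["access-list 101 deny ip 10.63.70.0 0.0.0.255 any",
           "access-list 101 deny ip 10.63.71.0 0.0.0.255 any",
           "access-list 101 permit ip any any"]
ACL_170 = ["access-list 170 permit ip 10.63.70.0 0.0.0.255 10.63.71.0 0.0.0.255",
           "access-list 170 deny ip any any"]

if __name__ == "__main__":
    # Constructed sample flows; an ACL applied 'in' is checked against packets
    # as they enter the router on that interface.
    for name, acl in (("101", ACL_101), ("170", ACL_170)):
        for src, dst in (("10.63.70.5", "10.63.71.9"), ("10.63.70.5", "198.51.100.7")):
            print(f"ACL {name}: {src} -> {dst}: {evaluate(acl, src, dst)}")
```

Feed it the lines of any other numbered IP ACL to see which flows each subinterface's inbound list would pass.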
