
ACL Specific IP range

jk865
Level 1

Hi

I want to create an ACL for a specific subnet, the third subnet of 192.168.1.0/28, the usable addresses 192.168.1.33 - 192.168.1.46. Do I need to create a new line on the ACL for each address? I can't see a way of creating a range. Hopefully that makes sense.

Also, is it best practice to include the network address and broadcast address when creating ACLs if I'm asked to deny traffic from the entire subnet?

Thanks

1 Accepted Solution

Accepted Solutions

Hello,

not really sure what you are after, but:

access-list 1 deny 192.168.1.32 0.0.0.15

This denies hosts 192.168.1.33 - 192.168.1.46, as well as the network and the broadcast address.

Unless you want to specifically permit or deny only certain host addresses, it is good practice to permit or deny the entire subnet (including network/broadcast address).

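The wildcard match in the accepted answer, as an added Python example that is not part of the original thread: it renders the /28 as an ACL line, tests which addresses that line matches, and, going beyond the post, lists the entries needed to cover only the usable hosts 192.168.1.33 - 192.168.1.46. The function names are assumptions made for this illustration.

```python
import ipaddress

def wildcard_entry(cidr, action="deny", acl=1):
    """Render a network as a standard numbered ACL line with its wildcard mask."""
    net = ipaddress.ip_network(cidr, strict=True)  # rejects a base address with host bits set
    return f"access-list {acl} {action} {net.network_address} {net.hostmask}"

def matches(entry_addr, wildcard, candidate):
    """Wildcard bits set to 1 are ignored; bits set to 0 must equal the entry address."""
    a = int(ipaddress.IPv4Address(entry_addr))
    w = int(ipaddress.IPv4Address(wildcard))
    c = int(ipaddress.IPv4Address(candidate))
    care = ~w & 0xFFFFFFFF  # the bits the ACL entry actually compares
    return (a & care) == (c & care)

def range_entries(first, last, action="deny", acl=1):
    """Cover exactly first..last with the fewest bit-aligned entries."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [wildcard_entry(str(b), action, acl) for b in blocks]

if __name__ == "__main__":
    # One line covers the whole third /28, network and broadcast included.
    print(wildcard_entry("192.168.1.32/28"))
    for host in ("192.168.1.31", "192.168.1.32", "192.168.1.46",
                 "192.168.1.47", "192.168.1.48"):
        print(host, matches("192.168.1.32", "0.0.0.15", host))
    # Excluding .32 and .47 breaks the bit alignment, so more lines are needed.
    print("\n".join(range_entries("192.168.1.33", "192.168.1.46")))
```

An IOS ACL ends with an implicit deny, so a list containing only this deny line blocks all traffic once applied; follow it with the permit entries the policy calls for.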

2 Replies

marce1000
VIP

 - Review this document:

   https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html

 M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '
