05-17-2019 04:27 AM
I have a small network 192.168.1.0 which also has internet; we have an L2 switch and all users are in VLAN1.
I would like to block internet for all the network except 20 users, starting from 192.168.1.1 -- 192.168.1.20.
To achieve this,
first I bound all 20 users' MAC addresses to their IPs and created an ACL.
I have trouble with the ACL statements.
Please help.
05-17-2019 04:43 AM - edited 05-17-2019 04:45 AM
Hello,
you need to convert the last byte of each address to binary.
You can match first 1-15 users with an ACL statement like
access-list 11 permit 192.168.1.0 0.0.0.15
this means that last four bits are wildcard and matches 192.168.1.0-15
In order to match the other addresses you need to note that all of them are greater than 16 in the last byte:
16= 0001 0000
17 =0001 0001
18 =0001 0010
19= 0001 0011
so these 4 hosts are matched by following statement
access-list 11 permit 192.168.1.16 0.0.0.3
Finally you can match IP address 192.168.1.20 with
access-list 11 permit 192.168.1.20 0.0.0.0 or access-list 11 permit host 192.168.1.20
Your ACL will be formed by three statements and all these will be allowed to be translated by NAT
ip nat inside source acl 11 interface <WAN> overload.
There is no single statement matching the range of IP addresses because it is not a power of two.
Hope to help
Giuseppe
05-17-2019 04:56 AM
I am not able to understand what you mentioned above. The simple way would be to give me the exact statements for my scenario; then I would ask more questions if I don't understand.
05-17-2019 05:01 AM - edited 05-17-2019 05:01 AM
Hello,
short answer your ACL is made of three lines to match the desired address range:
access-list 11 permit 192.168.1.0 0.0.0.15
access-list 11 permit 192.168.1.16 0.0.0.3
access-list 11 permit 192.168.1.20 0.0.0.0
Hope to help
Giuseppe
05-17-2019 06:02 AM
Can I use only one statement to give internet access to 20 users by doing the below?
access-list 11 permit 192.168.1.0 0.0.0.20
05-17-2019 06:13 AM - edited 05-17-2019 06:15 AM
Hello,
>>
Can I use only one statement to give internet access to 20 users by doing the below?
access-list 11 permit 192.168.1.0 0.0.0.20
No, because IP addresses are based on binary math, and the wildcard says which bits are "don't care" (they can be 0 or 1 and still match): those are the bits that are set to 1.
20 = 00010100
It is a valid wildcard mask, but it matches the following addresses only:
192.168.1.0
192.168.1.4
192.168.1.16
192.168.1.20
That is not what you want.
Hope to help
Giuseppe
05-17-2019 08:51 AM
Great explanation!
If I want to allow from 192.168.21.1-192.168.21.60,
then the wildcards would look this way, as below:
192.168.21.0 0.0.0.31
192.168.21.32 0.0.0.15
192.168.21.48 0.0.0.7
192.168.21.56 0.0.0.3
192.168.21.60 0.0.0.0
Please correct me if I understood you correctly.
05-17-2019 09:10 AM
Hello,
yes I think that the proposed statements are correct to match 192.168.1.1 to 192.168.1.60 addresses.
60 = 32+16+8+4.
To find out the correct wildmasks you need to think about powers of two.
Hope to help
Giuseppe
05-17-2019 09:30 AM
What a great explanation!!!! One last question: if I want to deny
the range
192.168.21.1 ---- 192.168.21.60
access-list 11 deny 192.168.21.0 0.0.0.31
access-list 11 deny 192.168.21.32 0.0.0.15
access-list 11 deny 192.168.21.48 0.0.0.7
access-list 11 deny 192.168.21.56 0.0.0.3
access-list 11 deny 192.168.21.60 0.0.0.0
Will the above work? And to allow all the other addresses in the network after 192.168.21.60, what statement is needed?
05-17-2019 09:39 AM
Hello,
ok you have to remember that an ACL has an implicit deny any at the end !
To allow remaining hosts in network 192.168.21.0/24 we need to add a permit statement
So after the lines
access-list 11 deny 192.168.21.0 0.0.0.31
access-list 11 deny 192.168.21.32 0.0.0.15
access-list 11 deny 192.168.21.48 0.0.0.7
access-list 11 deny 192.168.21.56 0.0.0.3
access-list 11 deny 192.168.21.60 0.0.0.0
You need to add a last line
access-list 11 permit 192.168.21.0 0.0.0.255
Hope to help
Giuseppe
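As an added example (not code from this thread or from Cisco), a small Python helper that does the binary arithmetic from Giuseppe's answers: it expands an address/wildcard pair into the addresses it actually matches, and splits an address range into the aligned power-of-two blocks that become ACL statements. Started at .0 it reproduces the three-line and five-line ACLs above; started at .1 it shows the extra statements needed when the network address .0 should not be permitted. Function names are my own.

```python
# Added example, not from the thread: helpers that reproduce the wildcard-mask
# arithmetic Giuseppe describes, so an ACL can be checked before it is applied.
import ipaddress

def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def _to_str(n: int) -> str:
    return str(ipaddress.IPv4Address(n))

def wildcard_matches(base: str, wildcard: str) -> list[str]:
    """Expand a Cisco 'address wildcard' pair into every IPv4 address it matches.

    A 1 bit in the wildcard is 'don't care', so the pair matches exactly
    2 ** popcount(wildcard) addresses (0.0.0.20 = 00010100 -> 4 addresses)."""
    b, w = _to_int(base), _to_int(wildcard)
    free_bits = [i for i in range(32) if (w >> i) & 1]
    matched = []
    for combo in range(1 << len(free_bits)):
        addr = b & ~w & 0xFFFFFFFF          # IOS ignores base bits under a 1 wildcard bit
        for k, bit in enumerate(free_bits):
            if (combo >> k) & 1:
                addr |= 1 << bit
        matched.append(_to_str(addr))
    return matched

def range_to_wildcards(first: str, last: str) -> list[tuple[str, str]]:
    """Cover the inclusive range first..last with the fewest 'address wildcard' pairs.

    Greedy: from the current address take the largest power-of-two block that is
    aligned to its own size and does not run past `last`. A range whose size is
    not a power of two therefore needs several statements."""
    cur, end = _to_int(first), _to_int(last)
    pairs = []
    while cur <= end:
        size = 1
        while cur % (size * 2) == 0 and cur + size * 2 - 1 <= end:
            size *= 2
        pairs.append((_to_str(cur), _to_str(size - 1)))   # wildcard = block size - 1
        cur += size
    return pairs

def acl_lines(number: int, action: str, first: str, last: str) -> list[str]:
    """Render the cover as standard numbered-ACL statements."""
    return [f"access-list {number} {action} {a} {w}" for a, w in range_to_wildcards(first, last)]

if __name__ == "__main__":
    print("\n".join(acl_lines(11, "permit", "192.168.1.0", "192.168.1.20")))
    print(wildcard_matches("192.168.1.0", "0.0.0.20"))
```

Remember that a standard ACL still ends with an implicit deny, so a permit-everything-else line is needed after deny statements, as the last answer shows.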