182 Views | 0 Helpful | 1 Replies

ACL assistance please

tedauction
Level 1

Hello, I need to create an ACL to allow internet access, but block all private subnet LAN access for a range of addresses that does not fit neatly into a subnet mask.

i.e. the range is 10.21.20.100-119.

Can someone please advise the best way to do this.

Thank you kindly for any help.

1 Reply

princelionelnzi
Level 1

The Object Groups for ACLs feature lets you classify users, devices, or protocols into groups and apply those groups to access control lists (ACLs) to create access control policies for those groups. This feature lets you use object groups instead of individual IP addresses, protocols, and ports, which are used in conventional ACLs.

You can modify the following commands to get what you want:

object-group network RFC1918
 10.0.0.0 255.0.0.0
 172.16.0.0 255.240.0.0
 192.168.0.0 255.255.0.0

This object-group can then be used in the ACLs:

ip access-list extended XXX
 deny   ip any object-group RFC1918
 permit ip YOUR-NETWORK any

Object-group is well explained here: http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-2mt/sec-object-group-acl.html
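The question's range 10.21.20.100-119 does not fit one mask, but it can be split into a few aligned CIDR blocks that an object-group accepts. The following added example (not from the thread or from Cisco) computes that split with Python's standard `ipaddress` module and emits the object-group and ACL lines the reply sketches; the group name RESTRICTED-HOSTS and ACL name GUEST-OUT are assumed placeholders.

```python
# Added example: split a host range that does not fit one subnet mask into
# the CIDR blocks IOS object-groups accept, then emit the object-group/ACL
# configuration in the style of the reply above (names are assumed).
import ipaddress
from typing import List

# The three RFC 1918 private ranges, as in the reply's RFC1918 object-group.
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def range_to_blocks(first: str, last: str) -> List[str]:
    """Smallest set of CIDR blocks that exactly covers first..last inclusive."""
    start, end = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]


def ios_network_line(cidr: str) -> str:
    """One object-group entry: '<network> <mask>', or 'host <ip>' for a /32."""
    net = ipaddress.ip_network(cidr)
    if net.prefixlen == 32:
        return f" host {net.network_address}"
    return f" {net.network_address} {net.netmask}"


def build_config(group: str, first: str, last: str, acl: str = "GUEST-OUT") -> List[str]:
    """Object-groups plus an ACL that denies the range access to RFC 1918 space
    and permits everything else (internet). Entry order matters: the deny must
    precede the permit, and the ACL ends with the implicit deny for other hosts."""
    lines = [f"object-group network {group}"]
    lines += [ios_network_line(block) for block in range_to_blocks(first, last)]
    lines.append("object-group network RFC1918")
    lines += [ios_network_line(block) for block in RFC1918]
    lines += [
        f"ip access-list extended {acl}",
        f" deny   ip object-group {group} object-group RFC1918",
        f" permit ip object-group {group} any",
    ]
    return lines


if __name__ == "__main__":
    # Constructed input: the exact range from the question.
    print("\n".join(build_config("RESTRICTED-HOSTS", "10.21.20.100", "10.21.20.119")))
```

Apply the resulting ACL inbound on the LAN interface facing those hosts; the 20 addresses come out as 10.21.20.100/30, 10.21.20.104/29 and 10.21.20.112/29.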
