cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
685
Views
0
Helpful
6
Replies

Any way to permit/deny a range(scope) of IPs?

johnramz
Level 1
Level 1

Hi all,

Just in case there is a way I am not aware of. Let's say I have a range for a VLAN: 192.168.1.0 /24, and I need to deny www traffic to ten(10) contiguous hosts from 192.168.1.10 thru 192.168.1.20. This statement:

deny tcp 192.168.1.10  - 192.168.1.20 any eq www

Is the above possible in IOS or once can one only permit/deny ranges based on subnet mask?

Thanks

Juan

6 Replies 6

cadet alain
VIP Alumni
VIP Alumni

Hi,

if this is on a router you could use object-group:http://routing-bits.com/2008/10/29/acl-object-groups-now-on-cisco-ios/

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

Thanks Alain. This is a Cisco 3750X switch with image: c3750e-ipbasek9-mz.122-58.SE2

It does not seem to take that "object-group" command. That would certainly do it

Thanks anyway

Juan

Hi,

yes this feature is not supported on switches.

It won't be possible with a one-liner ACL but you could narrow it down to 4 instead of 10 like this:

access-list 101 deny tcp any 192.168.1.10  0.0.0.1 eq www

access-list 101 deny tcp any 192.168.1.12  0.0.0.3 eq www

access-list 101 deny tcp any 192.168.1.16  0.0.0.3 eq www

access-list 101 deny tcp any host 192.168.1.20  eq www

I don't think this can be reduced further without getting overlaps.

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

Thanks Alain. I thought of that one.

I think the bottom line is that CISCO does not encourage the use of security/ACLs on switches and that's why object-groups are not available.

In our particular case letting an ASA(allows object-groups) handle it for the switch turns into a bottleneck. Even with etherchannels, it is not a match for the backplane speed of a CISCO 3750 switch stack without having to go up to the ASA and come back down.

Juan

Hi Juan,

I think the bottom line is that CISCO does not encourage the use of  security/ACLs on switches and that's why object-groups are not  available. 

Why do you think so? I have not seen any indication of Cisco discouraging the use of ACLs on switches.

There is a different aspect to it, I believe. On these platforms, the matching operations from ACLs have to be compiled and downloaded into TCAM which is a scarce resource. The more complicated an ACL gets, the more space it occupies in the TCAM. Object groups or IP address ranges that can not be covered by a simple subnet are particularly unpleasant because they result in numerous entries to be programmed into the TCAM. I would suspect that is the reason why more complicated matching operations or objects are not readily available on lower-end switching platforms - they would either require more TCAM space or the capabilities of the TCAM simply do not meet the requirements of the matching operations in question.

Best regards,

Peter

Thanks Peter for your input, I think you are correct. However, based on experience with two TAC engineers, they have suggested the use of ASAs on front of switches to handle ACLs. Then I have voiced to them the bottleneck issue and they have no answers for that. I guess it is difficult to argue that with Etherchannel would be faster than backplane speed.

I appreciate though your thoughts on TCAM space. Something to consider.

Juan

Review Cisco Networking for a $25 gift card