
blocking a subnet

lhorton311
Level 1

So I have a question.

Condition:

  • Fastethernet interface fa0/0 on Router1 connects to network 192.168.10.0/28
  • Router1 can reach multiple 10.1.X.0/24 networks through its fastethernet interface f0/1 (X ranges from 0 to 255).

Requirement:

  • Configure an extended ACL to control the traffic coming into the 192.168.10.0 network
  • Configure the ACL on f0/0 interface
  • Allow all the IP traffic sourced from the 10.1.X.0 networks to get to the 192.168.10.0 network except for 10.1.10.0/24. In other words, you need to deny the traffic with a source of 10.1.10.0/24 and a destination of 192.168.10.0/28.
  • Do NOT use any deny command in your ACL
  • Use the minimal number of commands in your ACL

This is what I have done but it doesn't work.

router 1 fa 0/0 192.168.10.2
ip route 0.0.0.0 0.0.0.0 192.168.10.1

loopback 1 10.1.1.1 255.255.255.0
loopback 2 10.1.5.1 255.255.255.0
loopback 3 10.1.10.1 255.255.255.0
loopback 4 10.1.30.1 255.255.255.0
loopback 5 10.1.50.1 255.255.255.0
loopback 6 10.1.70.1 255.255.255.0
loopback 7 10.1.100.1 255.255.255.0

access-list 101 permit ip 10.1.0.0 0.0.7.255 192.168.10.0 0.0.0.15
access-list 101 permit ip 10.1.8.0 0.0.1.255 192.168.10.0 0.0.0.15
access-list 101 permit ip 10.1.11.0 0.0.5.255 192.168.10.0 0.0.0.15
access-list 101 permit ip 10.1.16.0 0.0.15.255 192.168.10.0 0.0.0.15
access-list 101 permit ip 10.1.32.0 0.0.31.255 192.168.10.0 0.0.0.15
access-list 101 permit ip 10.1.64.0 0.0.63.255 192.168.10.0 0.0.0.15
access-list 101 permit ip 10.1.128.0 0.0.127.255 192.168.10.0 0.0.0.15

ip access-group 101 out on fa 0/0 on router 1

router 2 fa 0/0 192.168.10.1
ip route 0.0.0.0 0.0.0.0 192.168.10.2

This isn't working. 10.1.10.1 can still get through. What am I doing wrong? Any help would be appreciated.

Thanks

6 Replies

Roman Rodichev
Level 7

CCIE lab question?

Jon Marshall
Hall of Fame

The problem line in your acl is -

access-list 101 permit ip 10.1.11.0 0.0.5.255 192.168.10.0 0.0.0.15

You cannot simply use a .5 as the 3rd octet to simply get to 10.1.16.0. You need to modify the acl -

access-list 101 permit ip 10.1.11.0 0.0.0.255 192.168.10.0 0.0.0.15

access-list 101 permit ip 10.1.12.0 0.0.3.255 192.168.10.0 0.0.0.15

Edit - whether this is the shortest acl possible I don't know without doing some binary and I'm a bit rusty, but if I get the time I'll have a look.

Jon

Jon,

Thanks for the reply. I am still unclear why I have to break out the wildcard mask this way: 8 16 32 64 128. Can you explain it to me or point me in the direction of where I can get a clear explanation? Why not 2 4 8 16 32 64 128 or 128 192 224 240 248 252 255?

Thanks

Will

On Sep 18, 2011 9:27 AM, "jon.marshall" <

Will

You don't have to break it out that way necessarily. For example see this link for some complex wildcard mask examples -

http://blog.ine.com/2007/12/26/q-how-do-i-compute-complex-wildcard-masks-for-access-lists/

as you can see each octet in the wildcard mask can be very different values.

The wildcards you see most often are simply inverse subnet masks, i.e. 255.255.240.0 becomes 0.0.15.255 etc., but as the above examples show they don't have to be. But even so you cannot simply say to get to 16 from 11 it is 5 therefore I will use that in the wildcard mask, because the router will not interpret that in the way you want.

As your acl was using inverse subnet masks, if you see what I mean, then I simply pointed out that there is no equivalent subnet mask to match 0.0.5.255 and therefore you needed to break it down differently.

But you really do need to use binary with more complex wildcard masks. Have a look at this thread and if you have any more questions then feel free to ask -

https://supportforums.cisco.com/message/624267#624267

Jon
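A way to check this kind of ACL without a router, as an added Python example that is not part of the thread and not Cisco's own tooling: it models the wildcard match bit for bit, lists which line of the original access-list 101 matches 10.1.10.1, and audits both the original list and Jon's corrected one against the requirement (every 10.1.X.0/24 permitted except 10.1.10.0/24, with the unmatched remainder falling to the implicit deny). The ACL entries are transcribed from the posts above; the function names and the audit output format are my own.

```python
import ipaddress

# Constructed model of the original poster's access-list 101 (not Cisco code):
# each entry is (source base, source wildcard). Every line in the post uses the
# same destination 192.168.10.0 0.0.0.15, so only the source side is modelled.
ORIGINAL_ACL = [
    ("10.1.0.0", "0.0.7.255"),
    ("10.1.8.0", "0.0.1.255"),
    ("10.1.11.0", "0.0.5.255"),   # the line Jon flagged
    ("10.1.16.0", "0.0.15.255"),
    ("10.1.32.0", "0.0.31.255"),
    ("10.1.64.0", "0.0.63.255"),
    ("10.1.128.0", "0.0.127.255"),
]

# Jon's correction: the 0.0.5.255 line is replaced by two lines.
CORRECTED_ACL = [
    ("10.1.0.0", "0.0.7.255"),
    ("10.1.8.0", "0.0.1.255"),
    ("10.1.11.0", "0.0.0.255"),
    ("10.1.12.0", "0.0.3.255"),
    ("10.1.16.0", "0.0.15.255"),
    ("10.1.32.0", "0.0.31.255"),
    ("10.1.64.0", "0.0.63.255"),
    ("10.1.128.0", "0.0.127.255"),
]


def to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard is 'don't care',
    a 0 bit must equal the corresponding bit of the base address."""
    care = 0xFFFFFFFF ^ to_int(wildcard)
    return (to_int(addr) & care) == (to_int(base) & care)


def matching_entries(acl, addr):
    """Every ACL line whose source field matches addr (a real router stops at
    the first match; all are returned here so overlaps are visible)."""
    return [f"{base} {wc}" for base, wc in acl if wildcard_match(addr, base, wc)]


def permitted_third_octets(acl):
    """The X values of the 10.1.X.0/24 networks the ACL permits; with no deny
    lines, any unmatched network hits the implicit deny at the end."""
    return [x for x in range(256) if matching_entries(acl, f"10.1.{x}.1")]


def audit(acl, denied_octet=10):
    """Compare what the ACL permits against the requirement: every 10.1.X.0/24
    except 10.1.<denied_octet>.0/24."""
    allowed = set(permitted_third_octets(acl))
    wanted = set(range(256)) - {denied_octet}
    return {
        "leaks": sorted(allowed - wanted),  # permitted although it should be blocked
        "gaps": sorted(wanted - allowed),   # blocked although it should be permitted
    }


if __name__ == "__main__":
    print("10.1.10.1 matches:", matching_entries(ORIGINAL_ACL, "10.1.10.1"))
    print("original :", audit(ORIGINAL_ACL))
    print("corrected:", audit(CORRECTED_ACL))
```

The audit shows why the symptom in the question is exactly the one to expect. Wildcard octet 5 is 00000101, so only bits 0 and 2 are free; the fixed bits of 11 (00001011) are 00001010, which is 10. The line therefore matches third octets 10, 11, 14 and 15, so 10.1.10.1 is permitted by the very line meant to start above it, while 12 and 13 are matched by nothing and are dropped. Jon's two replacement lines (0.0.0.255 on 11, 0.0.3.255 on 12) cover 11 through 15 with no overlap into 10.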

Jon,

Thank you so much for your help.

Will

Hi Jon,

Great response, and very interesting article at the INE blog. Do you have any more information about what would happen if we had more than two addresses we were trying to find the most specific wildcard for? Would we just do exactly the same, but with more addresses to AND and XOR?

Sorry to hijack.

Adam
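Adam's question, worked through as an added Python example that is not from the thread or the INE article: with more than two addresses, the base is the bitwise AND of all of them and the wildcard is (OR of all) XOR (AND of all), which sets a 1 in every bit position where any two addresses disagree; for exactly two addresses that reduces to a AND b and a XOR b. The example also enumerates every network the resulting single entry matches, because the smallest wildcard that spans several addresses usually also spans addresses nobody asked for (with 10.1.11.0 and 10.1.16.0 it matches 10.1.10.0/24, the one network this thread's requirement must block). Function names and the sample address sets are my own.

```python
import ipaddress


def to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def to_str(value):
    return str(ipaddress.IPv4Address(value))


def smallest_wildcard(networks, prefix_len=24):
    """One ACL entry (base, wildcard) that matches every network in the list.

    Generalises the two-address AND/XOR method: the base is the bitwise AND of
    all addresses, and the wildcard is (OR of all) XOR (AND of all), i.e. a 1 in
    every bit where the addresses disagree. Host bits are always don't-care.
    """
    ints = [to_int(n) for n in networks]
    common, union = ints[0], ints[0]
    for v in ints[1:]:
        common &= v
        union |= v
    host_bits = (1 << (32 - prefix_len)) - 1
    return to_str(common), to_str((union ^ common) | host_bits)


def matched_networks(base, wildcard, prefix_len=24):
    """Every /prefix_len network the entry matches: one per combination of the
    don't-care bits that lie in the network part (2**k of them)."""
    b, w = to_int(base), to_int(wildcard)
    host_bits = (1 << (32 - prefix_len)) - 1
    free = w & ~host_bits & 0xFFFFFFFF          # don't-care bits above the host part
    positions = [i for i in range(32) if (free >> i) & 1]
    fixed = b & ~free & ~host_bits & 0xFFFFFFFF  # bits the entry pins down
    result = []
    for combo in range(1 << len(positions)):
        v = fixed
        for j, pos in enumerate(positions):
            if (combo >> j) & 1:
                v |= 1 << pos
        result.append(v)
    return [f"{to_str(v)}/{prefix_len}" for v in sorted(result)]


def unintended_networks(networks, prefix_len=24):
    """Networks the single computed entry matches beyond the ones requested;
    an empty list means the wildcard is exact."""
    base, wc = smallest_wildcard(networks, prefix_len)
    wanted = {f"{n}/{prefix_len}" for n in networks}
    return [n for n in matched_networks(base, wc, prefix_len) if n not in wanted]


if __name__ == "__main__":
    for wanted in (["10.1.11.0", "10.1.16.0"],
                   ["10.1.11.0", "10.1.12.0", "10.1.13.0"],
                   ["10.1.12.0", "10.1.13.0"]):
        base, wc = smallest_wildcard(wanted)
        print(wanted, "->", base, wc, "extra:", unintended_networks(wanted))
```

So the answer to "more addresses" is yes, the same AND/OR/XOR arithmetic, but the second function is the part worth keeping: before putting a computed wildcard into a permit line, list what it actually matches. Each don't-care bit doubles the number of matched networks, and a permit that quietly covers a network you meant to exclude is the same failure the original poster hit with 0.0.5.255, just harder to spot by eye.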