Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
730
Views
0
Helpful
9
Replies

Help with an ACL

Go to solution
Gregory Forster
Level 1
Level 1

‎07-28-2017 12:11 PM - edited ‎03-08-2019 11:31 AM

I have multiple subnets blocked out from 10.2.0.0/16 each subnet is a /24. I would like to block the 10.2.19.0/24 subnet from accessing all other subnets. How would I go about doing this, would I need to create an ACL with a line for each subnet, or could I just create an ACL that blocks all subnets?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to Gregory Forster

‎07-28-2017 12:33 PM

You need to use an extended acl eg -

access-list 101 deny 10.2.19.0 0.0.0.255 10.2.0.0 0.0.255.255
access-list 101 permit 10.2.19.0 0.0.0.255 any

then apply to the interface as per your example.

Jon

View solution in original post

0 Helpful
9 Replies 9

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎07-28-2017 12:14 PM

Just deny 10.2.19.0/24 to 10.2.0.0/16 and then allow 10.2.19.0/24 to any other IP if they need to talk to other subnets or the internet for example.

Then apply the acl inbound on the L3 interface for the 10.2.19.0/24 subnet.

Jon

0 Helpful

Go to solution
Gregory Forster
Level 1
Level 1
In response to Jon Marshall

‎07-28-2017 12:26 PM

So my config would look like this?

access-list 19 deny 10.2.19.0/24 0.0.0.255 10.2.0.0 0.0.0.255

access-list 19 permit any

interface vlan 19

access-group 19 in

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to Gregory Forster

‎07-28-2017 12:33 PM

You need to use an extended acl eg -

access-list 101 deny 10.2.19.0 0.0.0.255 10.2.0.0 0.0.255.255
access-list 101 permit 10.2.19.0 0.0.0.255 any

then apply to the interface as per your example.

Jon

0 Helpful

Go to solution
Gregory Forster
Level 1
Level 1

‎07-28-2017 12:35 PM

Jon,

I was just doing that as you replied. Thank you so much for verifying this for me.

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to Gregory Forster

‎07-28-2017 12:37 PM

No problem, glad to help.

Jon

0 Helpful

Go to solution
Gregory Forster
Level 1
Level 1
In response to Jon Marshall

‎07-28-2017 12:57 PM

Jon,

Ok I tried that and I am still able to ping other subnets. Config is shown below

access-list 101 deny ip 10.2.19.0 0.0.0.255 10.2.0.0 0.0.255.255
access-list 101 permit ip 10.2.19.0 0.0.0.255 any

interface Vlan19
description Video-VLAN19
ip address 10.2.19.x 255.255.255.0
ip access-group 19 in

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to Gregory Forster

‎07-28-2017 01:00 PM

You are referencing the wrong acl ie. change this -

ip access-group 19 in

to

ip access-group 101

my fault, should have been clearer in my earlier response.

Jon

0 Helpful

Go to solution
Gregory Forster
Level 1
Level 1
In response to Jon Marshall

‎07-28-2017 01:01 PM

Jon,

I am so dumb. Thanks for pick that out for me.

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to Gregory Forster

‎07-28-2017 01:03 PM

Not dumb, easy mistake to make and I wasn't very clear in my previous answer.

Jon

0 Helpful
Customers Also Viewed These Support Documents