Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Acces-list - Denying blocks of host

Status
Not open for further replies.

gsplsnger

MIS
Mar 16, 2007
8
US
I have come across 2 questions


HERE IS THE FIRST
We want to block access to the internet for the first 7 hosts of the 192.168.1.0/24 network. The network should have full access to the rest of the network. What is the correct access list configuration?

access-list 100 deny tcp 192.168.1.0 0.0.0.7 any eq www
access-list 100 permit ip 192.168.1.0 0.0.0.255 any

HERE IS THE SECOND
access list 10 deny 172.16.32.0 0.0.15.255 (this command says that you will start at 32 and increment by 15. So you will match on 32-47 and deny those host)

Now as best as I can tell the difference in whether you are blocking the first 7 host and whether you are starting at 32 and then blocking the next 15 host is where the number is being placed in the ip address. Is that correct?
 
Now as best as I can tell the difference in whether you are blocking the first 7 host and whether you are starting at 32 and then blocking the next 15 host is where the number is being placed in the ip address. Is that correct?

If I understand you correctly what you are saying is right. The wild card mask identifies the hosts, the network statement identifies the start of the range. e.g

192.168.0.252 0.0.0.3

IP's 253, 254 are the identified addresses.

The website below provides a concise explaination!


Hope this helps,

Pete
CCNA
 
Now as best as I can tell the difference in whether you are blocking the first 7 host and whether you are starting at 32 and then blocking the next 15 host is where the number is being placed in the ip address. Is that correct?

Not really.

The second example is denying 172.16.32.0 - 172.16.47.255.
Roughly 4078 host.
 
Actually, the first example blocks EVERYTHING---the second statement should be
access-list 100 permit tcp any any.

Burt
 
Actually, the first example is correct. The first statement restricts traffic to 80) from certain hosts, the second allows all other traffic. A second statement "access-list 100 permit tcp any any" is a common misconfiguration of access lists by students. If that is used instead of "access-list 100 permit ip any any" you accidently filter L3 traffic like ICMP.
 
hmmm...so you can deny some layer 4 in the first statement, allow all IP in the second statement, and the implicit deny won't deny all other layer 4 traffic?

Burt
 
It will never process the deny all when there is a hit before.
 
I know, but if there is not a hit within the subnet he's denying access to, and no permit statement after, it DOES deny everything else. The hit you're talking about is a deny in the first place anyway.

Burt
 
Think about it this way...There is a stupid gnome inside of the router. You tell the gnome to first deny any traffic that has a header with source address information from any ports within a certain range of ip addresses going to any ip destination on port 80. If there isn't a match of those conditions, check the next statement which says let any traffic through as long as it is IP.

Let's suppose there is a packet that matches the first statement. The gnome identifies there is a match and does what the statement says, which is drop the packet. Any subsequent packets meeting the same match criteria will be dropped. But let's suppose the gnome sees traffic that doesn't match the first statement...that means he has to look at the next condition which says "let anything else pass that is ip traffic". Sounds good to the gnome, so he lets the packet through. There is a hidden final statement that says, "drop everything else because you're at the end of your test conditions and you've got to do something...better be safe and drop the unknown stuff". The gnome can only follow the guidelines in the access-list entries. List entries are processed from top to bottom.

If you write the implicit deny statement in an extended access-list it it "access-list 100 deny ip any any" and reads "deny any traffic if it is IP from any source (ip/port) to any destination (ip/port)". Every IP packet matches this statement.
 
I see---I guess anything else pretty much would be IP traffic...so the TCP or UDP layer 4 part wouldn't matter...obviously it does in the first statement because it's a TCP port he's filtering. Thanks.

Burt
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top