ACL Question

Status
Not open for further replies.

itd17

IS-IT--Management
Jan 24, 2002
84
US
How can I allow multiple subnets into an interface and deny all others? Is this even possible with a standard ACL?

For example:

I want to permit 10.2.1.1 as well as 10.3.1.1 into int fa0/1, and deny all others.

Thanks in advance!
 
Hi,
What mask are they? Assuming they are hosts:
access-list <acl-no> permit host <ip1>
access-list <acl-no> permit host <ip2>
interface f0/1
ip access-group <acl-no> in

where acl-no is between 1 and 99.
If not, then use the combo <ip> <mask>
Remember, by default the access-list will deny everything except what is on the list.

-Stephen
 
Stephen,

I wasn't very clear....

I want to permit only those in the 10.2.0.0/16 and those in 10.3.0.0/16, denying all others. I now see I can permit hosts, but what about entire subnets?

Thanks,

Jason
 
Maybe...
-----------
access-list 1 ip permit 10.2.0.0 0.0.255.255 <your subnet> 0.0.255.255

access-list 1 ip permit 10.3.0.0 0.0.255.255 <your subnet> 0.0.255.255

access-list 1 ip deny any any

int f0/1
access-group 1 in
-------------


 
Hi,
Source-dest can only be done via extended ACLs (unless there's been a change in the way IOS handles them that I do not know). Standard ACLs only filter based on source address, so a line of your ACL would look something like
access-list 1 permit 10.2.0.0 0.0.255.255

-Stephen
 
Right on!!

************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
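
The source-only wildcard matching and the implicit deny discussed in this thread, as an added example that is not part of any poster's message: a small Python evaluator for standard ACL lines. The function names and the sample ACL text are constructed for illustration; it models only the matching logic and is not a full IOS parser.

```python
import ipaddress

# Constructed standard ACL for the thread's two /16 networks.
ACL_1 = """
access-list 1 permit 10.2.0.0 0.0.255.255
access-list 1 permit 10.3.0.0 0.0.255.255
"""

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def parse_standard_acl(text):
    """Parse 'access-list <1-99> permit|deny <src> [wildcard] | host <ip> | any'."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            raise ValueError(f"not an access-list line: {line!r}")
        if not 1 <= int(tok[1]) <= 99:  # standard range as stated in the thread
            raise ValueError(f"ACL number outside 1-99: {line!r}")
        action, rest = tok[2], tok[3:]
        if action not in ("permit", "deny"):
            raise ValueError(f"expected permit or deny: {line!r}")
        if rest == ["any"]:
            addr, wild = 0, 0xFFFFFFFF
        elif len(rest) == 2 and rest[0] == "host":
            addr, wild = _ip(rest[1]), 0
        elif len(rest) in (1, 2):
            addr = _ip(rest[0])
            wild = _ip(rest[1]) if len(rest) == 2 else 0
        else:
            # A destination field means an extended ACL is needed.
            raise ValueError(f"standard ACLs match source only: {line!r}")
        entries.append((action, addr, wild))
    return entries

def evaluate(entries, source_ip):
    """Return the action of the first matching entry, else the implicit deny."""
    src = _ip(source_ip)
    for action, addr, wild in entries:
        # Wildcard bits set to 1 are ignored; every other bit must match.
        if ((src ^ addr) & ~wild & 0xFFFFFFFF) == 0:
            return action
    return "deny"  # nothing matched: implicit deny at the end of every ACL

if __name__ == "__main__":
    acl = parse_standard_acl(ACL_1)
    for ip in ("10.2.1.1", "10.3.1.1", "10.4.1.1", "192.168.1.1"):
        print(ip, evaluate(acl, ip))
```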
 