
ACL question - help im newbie

Status
Not open for further replies.

neil72

Technical User
Joined
Apr 3, 2005
Messages
4
Location
GB
I am still learning ACLs and I'm trying to understand how to write out an ACL containing the following rule:

I have been given a network address 201.0.0.0/24 for a server pool outside of my LAN. The server pool addresses are divided in half. The servers in the upper half of the address range are reachable only by my management hosts on my LAN using all IP protocols. The servers in the upper half are not to be accessed by the production hosts from my LAN using all IP protocols. The servers on the lower half of the address range are reachable by all of the hosts from my LAN using all possible IP protocols. The servers should not be accessible by any other hosts.

Do I have to work out the IP range for the server pool, as I have not been given this? Then write the ACL rule onto my router.

I would be grateful for any examples on how to do this, as I'm struggling a little with these - the penny has not dropped yet :O(

 
Wildcard Mask (also called an Inverse Mask) is the solution.

Define your service. If your service is http (80):

#access-list 101 permit tcp 201.0.0.0 0.0.0.255 any eq 80

This will allow the whole 201.0.0.X network (all 254 IPs) to access http services.


! wildcard 0.0.0.127 leaves the low 7 bits as "don't care" and pins the top bit to 0
#access-list 101 permit tcp 201.0.0.0 0.0.0.127 any eq 80

This will allow only the 1st subnet of 128, that is 201.0.0.1 to 201.0.0.127, to use the services.

Regards,

Nayan
 
Hi Nayan,

Thanks for the info....that makes complete sense to me now.

Appreciate your help!

Neil.
 
Nayan,

If I wanted all services in the server pool, could I change the 'eq 80' to 'any'?

Thanks.
 
How do I define a range of IP addresses, leaving my LAN, that can access the top range of the servers in the server pool? Do I need to put in a range of source addresses in an extended ACL?
 
Remember rule 1 of ACLs: "There is always a deny all at the end of each ACL." So define the pool for your top-range servers to access its services and deny everyone else.

Thus you will have a range of users connecting to the server and others cannot access it.
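A worked check of the wildcard-mask idea from Nayan's first reply and of the implicit deny in this one, as an added Python example that is not code from anyone in the thread; the 10.0.0.0/24 LAN and the 10.0.0.0-15 management range are assumed placeholders, and `permit ip` (rather than `any`) is what covers all IP protocols.

```python
import ipaddress

def wildcard_matches(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard test: a 1 bit in the wildcard means 'don't care',
    a 0 bit means the address bit must equal the base bit."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)

def wildcard_for(network: str) -> str:
    """Inverse mask for a CIDR block, e.g. 201.0.0.0/25 -> 0.0.0.127."""
    net = ipaddress.IPv4Network(network, strict=False)
    return str(net.hostmask)

def covered(wildcard: str) -> int:
    """Number of addresses a wildcard matches: 2 ** (count of 1 bits).
    0.0.0.128 has one 1 bit, so it matches just two hosts, not 128."""
    w = int(ipaddress.IPv4Address(wildcard))
    return 2 ** bin(w).count("1")

# Constructed ACL for the thread's scenario: (action, src, src_wc, dst, dst_wc).
# Management hosts (assumed 10.0.0.0-15) reach the upper half 201.0.0.128-255;
# the whole LAN (assumed 10.0.0.0/24) reaches the lower half 201.0.0.0-127.
ACL = [
    ("permit", "10.0.0.0", "0.0.0.15", "201.0.0.128", "0.0.0.127"),
    ("permit", "10.0.0.0", "0.0.0.255", "201.0.0.0", "0.0.0.127"),
]

def evaluate(src: str, dst: str) -> str:
    """First-match evaluation; falling off the end is the implicit deny."""
    for action, sb, sw, db, dw in ACL:
        if wildcard_matches(src, sb, sw) and wildcard_matches(dst, db, dw):
            return action
    return "deny"

def render(acl_number: int = 101) -> list:
    """Render the entries as extended-ACL lines covering all IP protocols."""
    return [f"access-list {acl_number} permit ip {sb} {sw} {db} {dw}"
            for _, sb, sw, db, dw in ACL]

if __name__ == "__main__":
    print("\n".join(render()))
    print(evaluate("10.0.0.3", "201.0.0.200"))   # mgmt host -> upper half
    print(evaluate("10.0.0.50", "201.0.0.200"))  # production host -> upper half
```

Order matters: the management-only entry must precede the LAN-wide one, and anything not listed (including hosts outside the LAN) is denied by the line nobody writes.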
 