Roger.S, 1 Rookie, 15 Posts, February 10th, 2014 10:00
or
switch(config)# ip access-list restrict_mgmt permit ip 192.168.0.1 0.0.0.252 any
DELL-Josh Cr, Moderator, 9.5K Posts, February 10th, 2014 11:00
Hi,
Your last post is the correct syntax; it creates a new ACL named Deny and blocks TCP traffic for 192.168.0.1.
The wildcard mask for 255.255.255.252 is 0.0.0.3.
Roger.S, 1 Rookie, 15 Posts, February 10th, 2014 11:00
Roger.S, 1 Rookie, 15 Posts, February 11th, 2014 10:00
Do you have any examples of an ACL?
We need to block a number of IP addresses, but we can't use the right subnet mask we are looking for.
We kind of fudged this together from the manuals to stop stuff at this end from accessing the far end. This end has the IP addresses listed below, and the remote end has these rules on the switch on Port 48:
config t
Access-list ingress deny ip 192.168.0.1 255.255.255.255 any
Access-list ingress deny ip 192.168.0.6 255.255.255.255 any
Access-list ingress deny ip 192.168.0.10 255.255.255.255 any
interface gigabitethernet 1/0/48
ip access-group deny in
DELL-Josh Cr, Moderator, 9.5K Posts, February 11th, 2014 11:00
Here is the guide for the 6200 series; the ACL logic is similar on the 7000 series. http://www.dell.com/downloads/global/products/pwcnt/en/pwcnt_IP_ACLs.pdf
Here is another example that I found:
console# config
console(config)#access-list ip-acl deny tcp 172.16.101.10 0.0.0.0 172.16.101.70 0.0.0.0 eq 23
console(config)#access-list ip-acl deny tcp 172.16.101.10 0.0.0.0 172.16.101.70 0.0.0.0 eq 80
console(config)#access-list ip-acl permit every
console(config)# interface gi1/0/1 (70xx or 4.x firmware)
console(config-if-1/g1)#ip access-group ip-acl in
console(config-if-1/g1)# end
console#
Here is some additional ACL information:
http://www.dell.com/downloads/global/products/pwcnt/en/app_note_10.pdf
http://www.dell.com/downloads/global/products/pwcnt/en/app_note_3.pdf
DELL-Josh Cr, Moderator, 9.5K Posts, February 12th, 2014 15:00
The subnet mask used is the inverse mask, so 0.0.0.0 is a normal subnet mask of 255.255.255.255.
Page 5 of this document has a table of the inverse subnet masks.
Roger.S, 1 Rookie, 15 Posts, February 12th, 2014 15:00
Can you explain what these two lines do? They use a subnet mask of 0.0.0.0.
I see it's blocking Telnet (port 23) and HTTP (port 80), so I could just put "any" down there to block that.
I'm not sure about the 0.0.0.0: does this mean the deny will be for 172.16.101.10 to 172.16.101.70 inclusive, or just the two IP addresses 172.16.101.10 and 172.16.101.70?
console(config)#access-list ip-acl deny tcp 172.16.101.10 0.0.0.0 172.16.101.70 0.0.0.0 eq 23
console(config)#access-list ip-acl deny tcp 172.16.101.10 0.0.0.0 172.16.101.70 0.0.0.0 eq 80
Thanks for your help.
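To make the inverse-mask explanation and the range question above concrete, here is an added Python example (not from the thread or from Dell's documentation) that inverts a subnet mask into a wildcard mask, tests an address against an `addr wildcard` entry bit by bit, and evaluates Josh's ip-acl example first-match. It assumes the usual implicit deny at the end of an ACL; the ACL tuples are a transcription of the posted lines, not a Dell data format.

```python
import ipaddress

def wildcard_from_subnet_mask(mask: str) -> str:
    """Invert a dotted-decimal subnet mask into the wildcard (inverse) mask ACLs use."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))

def ace_matches(addr: str, wildcard: str, candidate: str) -> bool:
    """'addr wildcard' matches candidate when every bit that is 0 in the wildcard is
    identical between addr and candidate; 1 bits in the wildcard are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    w = int(ipaddress.IPv4Address(wildcard))
    c = int(ipaddress.IPv4Address(candidate))
    care = ~w & 0xFFFFFFFF          # bits that must be equal
    return (a & care) == (c & care)

def matching_hosts(addr: str, wildcard: str, network: str) -> list:
    """List every address in `network` that the entry 'addr wildcard' would match."""
    return [str(h) for h in ipaddress.IPv4Network(network)
            if ace_matches(addr, wildcard, str(h))]

# Josh's ip-acl example transcribed as tuples (constructed for this example):
# (action, protocol, src, src_wildcard, dst, dst_wildcard, dst_port or None)
IP_ACL = [
    ("deny", "tcp", "172.16.101.10", "0.0.0.0", "172.16.101.70", "0.0.0.0", 23),
    ("deny", "tcp", "172.16.101.10", "0.0.0.0", "172.16.101.70", "0.0.0.0", 80),
    # "permit every": any source, any destination, any protocol
    ("permit", "ip", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255", None),
]

def evaluate(acl, proto: str, src: str, dst: str, dport: int) -> str:
    """First-match evaluation; assumes an implicit deny when no entry matches."""
    for action, aproto, s, sw, d, dw, port in acl:
        if aproto != "ip" and aproto != proto:
            continue
        if not (ace_matches(s, sw, src) and ace_matches(d, dw, dst)):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"

if __name__ == "__main__":
    print(wildcard_from_subnet_mask("255.255.255.252"))    # 0.0.0.3
    # 0.0.0.252 is NOT the inverse of 255.255.255.252: it matches every 4th host
    print(matching_hosts("192.168.0.1", "0.0.0.252", "192.168.0.0/24")[:4])
    # 0.0.0.0 wildcards name exactly one host each, so .40 is not in the deny range
    print(evaluate(IP_ACL, "tcp", "172.16.101.40", "172.16.101.70", 23))  # permit
```

Note that a literal 255.255.255.255 in the wildcard position, as in the originally posted lines, would match every source address and turn the deny into a deny-all if the switch accepted it.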