3

Follow up to this Q&A.

Documentation regarding IP Access Lists was read to understand how this works, and to include or exclude it as a possible cause of some systems suddenly being unable to access the internet anymore.

If the access list looks as follows:

access-list acl_permit permit ip 10.10.10.0 0.0.0.7
access-list acl_deny deny ip any any

this would mean that:

10.10.10.0
10.10.10.1
10.10.10.2
10.10.10.3
10.10.10.4
10.10.10.5
10.10.10.6
10.10.10.7

are able to access the internet, as:

2^0 + 2^1 + 2^2 = 1 + 2 + 4 = 7

If the access-list does not change and subsequently four more systems are created and the following IPs are assigned:

10.10.10.8
10.10.10.9
10.10.10.10
10.10.10.11

does this mean that these systems would not be able to access the internet?

Could it be possible that a new system, e.g. 10.10.10.10, competes with e.g. 10.10.10.4, so that the latter can no longer access the internet and the former can?

Or should the mask be increased from 7 to at least 15 so that the new systems (10.10.10.8 to 10.10.10.11) could access the internet?

030

1 Answer

6

Based on the wildcard mask you've specified within the access-list above (which permits only IP addresses from 10.10.10.0-10.10.10.7; the rest would be implicitly denied), yes, you will need to change the wildcard mask from 7 to 15, which would allow the newly added systems to communicate with the internet. Otherwise they'd be denied by the implicit deny rule of the ACL. And no, the newly connected systems wouldn't compete with the old ones, blocking their connection to the internet.

One more thing I would like to add is that you need to have the same name for the access-list. In the above example I suppose you'd want to apply it to the same interface, am I right?

So in that case it would be:

access-list acl_permit permit ip 10.10.10.0 0.0.0.7 any
access-list acl_permit deny ip any any

Hope this helps and answers your query... Thanks

Ref: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfacls.html

some_guy_long_gone