Further ACL problems

Create Date: Jul 12 2012 4:07AM

OK here's a challenge. How to permit IP and ICMP Pings from a list of 40 subnets in an ACL. Should be straightforward? I thought so until I tried and realised the resulting ACL would be (40*8)+(40*7)=600 lines long! For each network I need the following (sorry about the lack of formatting, presently neither IE nor Chrome will persuade the forum to accept linefeeds or an attachment!!!):

entry name {
    description "xxx"
    if {
        source-address x.x.x.x/x;
        protocol icmp;
        icmp-type 8;
    } then {
        permit;
    }
}

entry name {
    description "xxx"
    if {
        source-address x.x.x.x/x;
        protocol ip;
    } then {
        permit;
    }
}

Surely I must be wrong?

(from David_Rickard)
Create Date: Jul 12 2012 2:15PM

Can you aggregate some subnets :) ?
For example x.x.x.x/24 and y.y.y.y/24 to z.z.z.z/23 ?

--
Jarek

(from Jaroslaw_Kasjaniuk)
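Jarek's aggregation suggestion applied to the two-entry template from the question, as an added example rather than code from the thread: a Python script that collapses a subnet list with the standard ipaddress module and then emits the ICMP-echo and IP entries for each remaining network, so the policy file is generated instead of typed. The subnet list and the entry names are constructed placeholders; the entry layout follows the question.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed sample standing in for the poster's list of subnets (not from the page).
SAMPLE_SUBNETS = [
    "10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24",  # four adjacent /24s -> one /22
    "192.168.50.0/24", "192.168.50.128/25",                      # second lies inside the first
    "172.16.9.0/24",
]

# Match conditions per entry, taken from the question's two templates.
ICMP_ECHO = ("protocol icmp", "icmp-type 8")
ANY_IP = ("protocol ip",)


def aggregate(subnets: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Merge adjacent prefixes and drop prefixes contained in others (Jarek's suggestion)."""
    nets = [ipaddress.ip_network(s, strict=True) for s in subnets]  # strict: reject host bits set
    return list(ipaddress.collapse_addresses(nets))


def entry(name: str, desc: str, net: ipaddress.IPv4Network, conds: Tuple[str, ...]) -> str:
    """One policy entry in the layout from the question, with the linefeeds the forum ate."""
    body = "".join(f"        {c};\n" for c in (f"source-address {net}",) + conds)
    return (f"entry {name} {{\n    description \"{desc}\"\n"
            f"    if {{\n{body}    }} then {{\n        permit;\n    }}\n}}")


def render_policy(subnets: Iterable[str]) -> str:
    """ICMP-echo entry plus IP entry for every aggregated network, as the poster described."""
    out = []
    for i, net in enumerate(aggregate(subnets), start=1):
        out.append(entry(f"icmp_echo_{i}", f"ping from {net}", net, ICMP_ECHO))
        out.append(entry(f"ip_{i}", f"ip from {net}", net, ANY_IP))
    return "\n".join(out)


def entry_counts(subnets: Iterable[str]) -> Tuple[int, int]:
    """(entries without aggregation, entries after aggregation): two per network either way."""
    raw = list(subnets)
    return 2 * len(raw), 2 * len(aggregate(raw))


if __name__ == "__main__":
    print(render_policy(SAMPLE_SUBNETS))
    print("entries before/after aggregation:", entry_counts(SAMPLE_SUBNETS))
```

Aggregation only helps where the prefixes happen to be adjacent or nested; the generator still removes the hand-typing burden for the ones that are not.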
Create Date: Jul 13 2012 1:10AM

Not really. The thing is that's only the main part; there is still more where port/protocol checks are needed, so the whole ACL expands to over 800 lines when really there are only 100 lines in there that actually do anything - the rest is just pointless fluff around each actual ACE.

(from David_Rickard)
