ACL issue

flares2 · September 2008

So, I'm trying to stop traffic between certain VLANs and I'm hitting some confusion. Using the scheme of 10.20.0.0 /16, I don't want any VLANs within 10.20.0.0-128.255 communicating with my 10.20.147.0 /24 VLAN.

I assumed that "deny ip 10.20.0.0 0.0.128.255 10.20.147.0 0.0.0.255" would work but traffic still goes through. My PC is 10.20.11.148, so I put in "deny ip 10.20.11.0 0.0.0.255 10.20.147.0 0.0.0.255" that stops traffic, so why won't the other wild card do it?

shednik · September 2008

If you're trying to block all IP traffic from 10.20.0.0/17 heading for 10.20.147.0/24 the access list entry could look like this:

access-list 101 deny ip 10.20.0.0 0.0.127.255 10.20.147.0 0.0.0.255 log
access-list 101 deny ip 10.20.0.0 0.0.128.255 10.20.147.0 0.0.0.255 log

Plazma · September 2008

deny ip 10.20.0.0 0.0.128.255 10.20.147.0 0.0.0.255

This will only deny the subnet of 10.20.128.0 because thats the only bit that "cares"

You would have to do deny ip 10.20.0.0 0.0.127.255 .. this "matches" subnets 10.20.0.0 - 10.20.127.0 .. then you could have one more to include 128.

flares2 · September 2008

Thanks guys, we're good. For future reference, can I assume any time a wild card falls right on the bit (128, 192, 224, 240, 248, etc) it will be viewed as only that one bit and not the ip range?

Plazma · September 2008

That would be a good way to look at it.. here's why:

to get 128.. you need 1 bit.. to get 127 .. you have ALL the bits before 128.. so 0111 1111 = 127 .. thus this encompasses the ranges.

ACL issue

Comments