ACL issue

flares2 Member Posts: 79
So, I'm trying to stop traffic between certain VLANs and I'm hitting some confusion. Using the scheme of /16, I don't want any VLANs within communicating with my /24 VLAN.

I assumed that "deny ip" would work but traffic still goes through. My PC is, so I put in "deny ip" that stops traffic, so why won't the other wild card do it? - Job security for one more day.


  • shednik Member Posts: 2,005
    If you're trying to block all IP traffic from heading for the access list entry could look like this:
    access-list 101 deny ip log
    access-list 101 deny ip log
  • Plazma Member Posts: 503
    deny ip

    This will only deny the subnet of because that's the only bit that "cares"

    You would have to do deny ip .. this "matches" subnets - .. then you could have one more to include 128.
  • flares2 Member Posts: 79
    Thanks guys, we're good. For future reference, can I assume any time a wild card falls right on the bit (128, 192, 224, 240, 248, etc) it will be viewed as only that one bit and not the ip range? - Job security for one more day.
  • Plazma Member Posts: 503
    That would be a good way to look at it.. here's why:

    to get 128.. you need 1 bit.. to get 127 .. you have ALL the bits before 128.. so 0111 1111 = 127 .. thus this encompasses the ranges.
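The bit-level rule Plazma describes, as an added example that is not part of the thread: a small Python evaluator for Cisco-style wildcard masks that shows why a wildcard with a single set bit (0.0.128.0) matches two isolated addresses rather than a range, while 0.0.127.255 covers a contiguous half of the /16. The addresses and wildcards used below (10.1.0.0/16, 0.0.128.0, 0.0.127.255) are constructed samples, not the poster's.

```python
import ipaddress

def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))

def wildcard_matches(addr: str, base: str, wildcard: str) -> bool:
    """True if addr is matched by the ACE 'base wildcard'.
    Wildcard bit 0 = must equal the base; wildcard bit 1 = don't care."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)

def matched_ranges(base: str, wildcard: str, block: str):
    """Return the contiguous runs of addresses inside `block` that the ACE
    'base wildcard' matches, as a list of (first, last) dotted strings."""
    net = ipaddress.IPv4Network(block)
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    want = _to_int(base) & care
    runs, start = [], None
    for n in range(int(net.network_address), int(net.broadcast_address) + 1):
        hit = (n & care) == want
        if hit and start is None:
            start = n                      # a run of matches begins
        elif not hit and start is not None:
            runs.append((str(ipaddress.IPv4Address(start)),
                         str(ipaddress.IPv4Address(n - 1))))
            start = None                   # the run ended at n - 1
    if start is not None:                  # run reaches the end of the block
        runs.append((str(ipaddress.IPv4Address(start)),
                     str(net.broadcast_address)))
    return runs

if __name__ == "__main__":
    # Constructed sample block (not the thread's addresses): a 10.1.0.0/16.
    # 0.0.128.0 only frees one bit, so it matches just two single addresses:
    print(matched_ranges("10.1.0.0", "0.0.128.0", "10.1.0.0/16"))
    # 0.0.127.255 frees all the lower bits, so each ACE covers a whole half:
    print(matched_ranges("10.1.0.0", "0.0.127.255", "10.1.0.0/16"))
    print(matched_ranges("10.1.128.0", "0.0.127.255", "10.1.0.0/16"))
```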