ACL issue

flares2 Member Posts: 79
So, I'm trying to stop traffic between certain VLANs and I'm hitting some confusion. Using the scheme of 10.20.0.0 /16, I don't want any VLANs within 10.20.0.0-128.255 communicating with my 10.20.147.0 /24 VLAN.

I assumed that "deny ip 10.20.0.0 0.0.128.255 10.20.147.0 0.0.0.255" would work, but traffic still goes through. My PC is 10.20.11.148, so I put in "deny ip 10.20.11.0 0.0.0.255 10.20.147.0 0.0.0.255" and that stops traffic, so why won't the other wildcard do it?
Techexams.net - Job security for one more day.

Comments

  • shednik Member Posts: 2,005
    If you're trying to block all IP traffic from 10.20.0.0/17 heading for 10.20.147.0/24 the access list entry could look like this:
    access-list 101 deny ip 10.20.0.0 0.0.127.255 10.20.147.0 0.0.0.255 log
    access-list 101 deny ip 10.20.0.0 0.0.128.255 10.20.147.0 0.0.0.255 log
    
  • Plazma Member Posts: 503
    deny ip 10.20.0.0 0.0.128.255 10.20.147.0 0.0.0.255

    This will only deny the subnet of 10.20.128.0, because that's the only bit that "cares".

    You would have to do "deny ip 10.20.0.0 0.0.127.255" ... this "matches" subnets 10.20.0.0 - 10.20.127.0 ... then you could have one more to include 128.
    CCIE - COMPLETED!
  • flares2 Member Posts: 79
    Thanks guys, we're good. For future reference, can I assume that any time a wildcard falls right on the bit (128, 192, 224, 240, 248, etc.) it will be viewed as only that one bit and not the IP range?
    Techexams.net - Job security for one more day.
  • Plazma Member Posts: 503
    That would be a good way to look at it.. here's why:

    To get 128 ... you need 1 bit ... to get 127 ... you have ALL the bits before 128 ... so 0111 1111 = 127 ... thus this encompasses the ranges.
    CCIE - COMPLETED!
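The wildcard behaviour discussed in this thread, worked through in code: an added example, not something posted by anyone in the thread. It assumes IOS-style extended ACL semantics (top-down, first match wins, implicit deny at the end) and a constructed permit-any entry after the deny lines, since the original poster's traffic was still getting through.

```python
import ipaddress

def ip_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: where a wildcard bit is 0 the address bit
    must equal the base bit; where it is 1 the bit is ignored."""
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return ip_int(addr) & care == ip_int(base) & care

def matched_third_octets(base: str, wildcard: str) -> list:
    """Third-octet values within 10.20.x.0 that a base/wildcard pair covers."""
    return [o for o in range(256) if wildcard_match(f"10.20.{o}.1", base, wildcard)]

def acl_decision(acl, src: str, dst: str) -> str:
    """Evaluate a list of (action, src_base, src_wc, dst_base, dst_wc) entries
    top-down; first match wins, implicit deny if nothing matches."""
    for action, sb, sw, db, dw in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"

ANY = ("0.0.0.0", "255.255.255.255")

# The original poster's entry, plus an assumed permit-any so other traffic flows.
ORIGINAL_ACL = [
    ("deny", "10.20.0.0", "0.0.128.255", "10.20.147.0", "0.0.0.255"),
    ("permit", *ANY, *ANY),
]

# The corrected form from the replies: /17 via 0.0.127.255, then 10.20.128.0/24 on its own.
CORRECTED_ACL = [
    ("deny", "10.20.0.0", "0.0.127.255", "10.20.147.0", "0.0.0.255"),
    ("deny", "10.20.128.0", "0.0.0.255", "10.20.147.0", "0.0.0.255"),
    ("permit", *ANY, *ANY),
]

if __name__ == "__main__":
    # 0.0.128.255 only "cares" about the high bit of the third octet, so it
    # covers 10.20.0.x and 10.20.128.x, and nothing in between.
    print(matched_third_octets("10.20.0.0", "0.0.128.255"))          # [0, 128]
    print(acl_decision(ORIGINAL_ACL, "10.20.11.148", "10.20.147.5"))  # permit
    print(acl_decision(CORRECTED_ACL, "10.20.11.148", "10.20.147.5")) # deny
```

Running it shows why the first ACL let the poster's PC (10.20.11.148) through: 11 has bits set in positions the wildcard says must be zero, so the deny line never matched.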