ACL issue

So, I'm trying to stop traffic between certain VLANs and I'm hitting some confusion. Using the scheme of 10.20.0.0 /16, I don't want any VLANs within 10.20.0.0-128.255 communicating with my 10.20.147.0 /24 VLAN.

I assumed that "deny ip 10.20.0.0 0.0.128.255 10.20.147.0 0.0.0.255" would work but traffic still goes through. My PC is 10.20.11.148, so I put in "deny ip 10.20.11.0 0.0.0.255 10.20.147.0 0.0.0.255" that stops traffic, so why won't the other wild card do it?

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

shednik

If you're trying to block all IP traffic from 10.20.0.0/17 heading for 10.20.147.0/24 the access list entry could look like this:

access-list 101 deny ip 10.20.0.0 0.0.127.255 10.20.147.0 0.0.0.255 log
access-list 101 deny ip 10.20.0.0 0.0.128.255 10.20.147.0 0.0.0.255 log

Plazma

deny ip 10.20.0.0 0.0.128.255 10.20.147.0 0.0.0.255

This will only deny the subnet of 10.20.128.0 because thats the only bit that "cares"

You would have to do deny ip 10.20.0.0 0.0.127.255 .. this "matches" subnets 10.20.0.0 - 10.20.127.0 .. then you could have one more to include 128.

flares2

Thanks guys, we're good. For future reference, can I assume any time a wild card falls right on the bit (128, 192, 224, 240, 248, etc) it will be viewed as only that one bit and not the ip range?

Plazma

That would be a good way to look at it.. here's why:

to get 128.. you need 1 bit.. to get 127 .. you have ALL the bits before 128.. so 0111 1111 = 127 .. thus this encompasses the ranges.