ACL issue
flares2 (Member, Posts: 79) in CCNA & CCENT
So, I'm trying to stop traffic between certain VLANs and I'm hitting some confusion. Using the scheme of 10.20.0.0 /16, I don't want any VLANs within 10.20.0.0-128.255 communicating with my 10.20.147.0 /24 VLAN.
I assumed that "deny ip 10.20.0.0 0.0.128.255 10.20.147.0 0.0.0.255" would work, but traffic still goes through. My PC is 10.20.11.148, so I put in "deny ip 10.20.11.0 0.0.0.255 10.20.147.0 0.0.0.255" and that stops traffic, so why won't the other wildcard do it?
Techexams.net - Job security for one more day.
Comments
shednik (Member, Posts: 2,005)
If you're trying to block all IP traffic from 10.20.0.0/17 heading for 10.20.147.0/24, the access list entries could look like this:
access-list 101 deny ip 10.20.0.0 0.0.127.255 10.20.147.0 0.0.0.255 log
access-list 101 deny ip 10.20.0.0 0.0.128.255 10.20.147.0 0.0.0.255 log
Plazma (Member, Posts: 503)
"deny ip 10.20.0.0 0.0.128.255 10.20.147.0 0.0.0.255"
This will only deny the subnet of 10.20.128.0, because that's the only bit that "cares".
You would have to do "deny ip 10.20.0.0 0.0.127.255" .. this "matches" subnets 10.20.0.0 - 10.20.127.0 .. then you could have one more to include 128.
CCIE - COMPLETED!
flares2 (Member, Posts: 79)
Thanks guys, we're good. For future reference, can I assume any time a wildcard falls right on the bit (128, 192, 224, 240, 248, etc.) it will be viewed as only that one bit and not the IP range?

Plazma (Member, Posts: 503)
That would be a good way to look at it.. here's why:
To get 128 you need 1 bit. To get 127 you have ALL the bits before 128, so 0111 1111 = 127; thus this encompasses the ranges.
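To see the bit-level behaviour Plazma describes, here is an added example (not from the thread) that evaluates Cisco-style wildcard masks in Python and walks both the original single deny and the corrected pair of entries; the trailing "permit ip any any" entry and the sample addresses are constructed assumptions.

```python
import ipaddress


def _to_int(dotted: str) -> int:
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(network: str, wildcard: str, address: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care',
    a 0 bit means the address bit must equal the network bit."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(address) & care) == (_to_int(network) & care)


def matched_third_octets(network: str, wildcard: str) -> list:
    """List the x values for which the 10.20.x.0 /24 network address is
    matched by network/wildcard, i.e. which /24s the entry really covers."""
    return [x for x in range(256)
            if wildcard_match(network, wildcard, f"10.20.{x}.0")]


def acl_denies(acl, src: str, dst: str) -> bool:
    """Evaluate (action, src_net, src_wc, dst_net, dst_wc) entries top-down,
    first match wins, with the implicit deny at the end of every Cisco ACL."""
    for action, snet, swc, dnet, dwc in acl:
        if wildcard_match(snet, swc, src) and wildcard_match(dnet, dwc, dst):
            return action == "deny"
    return True  # implicit deny


# Constructed sample ACLs: the OP's single entry and the corrected pair from
# the thread, each followed by an assumed 'permit ip any any' so that traffic
# no entry matches is allowed instead of hitting the implicit deny.
PERMIT_ANY = ("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255")
TO_147 = ("10.20.147.0", "0.0.0.255")
ORIGINAL_ACL = [("deny", "10.20.0.0", "0.0.128.255", *TO_147), PERMIT_ANY]
CORRECTED_ACL = [("deny", "10.20.0.0", "0.0.127.255", *TO_147),
                 ("deny", "10.20.0.0", "0.0.128.255", *TO_147), PERMIT_ANY]

if __name__ == "__main__":
    # 0.0.128.255 only frees bit 7 of the third octet: x must be 0 or 128
    print(matched_third_octets("10.20.0.0", "0.0.128.255"))  # [0, 128]
    # the OP's PC (10.20.11.148) slips past the original entry...
    print(acl_denies(ORIGINAL_ACL, "10.20.11.148", "10.20.147.5"))  # False
    # ...but is caught by the 0.0.127.255 entry in the corrected ACL
    print(acl_denies(CORRECTED_ACL, "10.20.11.148", "10.20.147.5"))  # True
```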