Access Control List

Having some problems with my ACL..

access-list 103 deny ip 172.16.0.0 0.0.255.255 172.16.32.0 0.0.7.255

I'm trying to deny all addresses from reaching the top half of 172.16.32.0/20.

So in other words, stop anyone reaching 172.16.40.1 to 172.16.47.255, but allow them to reach 172.16.32.1 to 172.16.39.255.

That ACL does the opposite: I can reach the top half of addresses but not the lower. My brain has actually burnt out. I thought the wildcard would just be 0.0.8.255, but no joy.
 
The Implied "Deny All Traffic" Criteria Statement

At the end of every access list is an implied "deny all traffic" criteria statement. Therefore, if a packet does not match any of your criteria statements, the packet will be blocked.

So if you did:

access-list 103 permit ip 172.16.0.0 0.0.255.255 172.16.32.0 0.0.7.255

That should permit the lower half of the addresses and the implied deny all traffic should deny any other traffic...?
 
access-list 103 permit ip 172.16.0.0 0.0.255.255 172.16.32.0 0.0.7.255

If you want to block ALL addresses from that range then use:

access-list 103 deny ip any 172.16.40.0 0.0.7.255

Then allow all other addresses with:

access-list 103 permit ip any any

Regards
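
Added example (not part of any post in this thread): a small Python model of wildcard-mask matching and first-match ACL evaluation with the implicit deny, run against the entries posted above. The source host 172.16.1.10 and the helper names are constructed for illustration, and the parser handles only the `permit|deny ip` forms used here.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def matches(addr, base, wildcard):
    # Wildcard bit 1 = "don't care", bit 0 = "must equal the base address".
    care = ~ip(wildcard) & 0xFFFFFFFF
    return (ip(addr) & care) == (ip(base) & care)

def third_octets(base, wildcard):
    # Which 172.16.N.0 networks the address/wildcard pair covers.
    return [n for n in range(256) if matches(f"172.16.{n}.0", base, wildcard)]

def parse(line):
    # Only the forms used in this thread: access-list N permit|deny ip SRC DST,
    # where SRC and DST are each "any" or "address wildcard".
    tok = line.split()
    action, rest, specs = tok[2], tok[4:], []
    while rest:
        if rest[0] == "any":
            specs.append(("0.0.0.0", "255.255.255.255"))
            rest = rest[1:]
        else:
            specs.append((rest[0], rest[1]))
            rest = rest[2:]
    return action, specs[0], specs[1]

def evaluate(acl, src, dst):
    # First matching entry wins; no match falls through to the implicit deny.
    for line in acl:
        action, s, d = parse(line)
        if matches(src, *s) and matches(dst, *d):
            return action
    return "deny"

PERMIT_ONLY = ["access-list 103 permit ip 172.16.0.0 0.0.255.255 172.16.32.0 0.0.7.255"]
DENY_UPPER = ["access-list 103 deny ip any 172.16.40.0 0.0.7.255",
              "access-list 103 permit ip any any"]
SRC = "172.16.1.10"  # constructed sample source host

if __name__ == "__main__":
    print("32.0 0.0.7.255 ->", third_octets("172.16.32.0", "0.0.7.255"))
    print("32.0 0.0.8.255 ->", third_octets("172.16.32.0", "0.0.8.255"))
    for name, acl in (("permit-only", PERMIT_ONLY), ("deny-upper", DENY_UPPER)):
        for dst in ("172.16.32.1", "172.16.39.255", "172.16.40.1", "172.16.47.255", "172.16.48.1"):
            print(name, dst, evaluate(acl, SRC, dst))
```

The permit-only list also denies destinations outside 172.16.32.0/20, such as 172.16.48.1, because they fall through to the implicit deny, while the deny-then-permit list lets them through.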
 