Strange PACL behaviour

Folks,

I’m hoping someone can shed some light on this. Not a fault as such, but some weird and unexpected behaviour.

Scenario:

Applying a port ACL to block inbound traffic from 2 devices (10.9.9.9 and 10.9.9.10) to another 3 devices (10.9.9.15, 10.9.9.16 and 10.9.9.17).

ACL as follows (not actual IP addresses):

ip access-list extended ICMBLOCK
 deny ip 10.9.9.9 0.0.0.1 10.9.9.15 0.0.0.2 log
 permit ip any any log

This was then applied inbound to the 2 switchports which connect 10.9.9.9 and 10.9.9.10:

Int)# ip access-group ICMBLOCK in

Weird Behaviour:

1) Traffic to 10.9.9.15 and 10.9.9.17 was blocked, but traffic to 10.9.9.16 was permitted through. Shouldn’t the reverse mask on 10.9.9.15 0.0.0.2 cover all 3 destination IPs?

2) Once the trial was finished, I removed the access-group from both switchports. However, log messages indicating permits and denies still appeared. I swear the ACL was not applied to any other interfaces.

Eventually I had to delete the ACL itself to stop this behaviour.

Does anyone know why this behaviour occurred? Any help gratefully received.

Regards,

Martin.

1 REPLY

Re: Strange PACL behaviour

I think the wildcard masks you have provided are wrong. For your network to work properly, use the following wildcard masks:

deny ip 10.9.9.9 0.0.0.3 10.9.9.15 0.0.0.31 log

permit ip any any

This will provide you the required solution.

For a procedural approach to creating wildcard masks, see the link below: http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#topic2
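The thread turns on which hosts a Cisco wildcard mask actually selects. The following is an added example (not posted by either participant) that applies the standard wildcard rule (a 1 bit in the mask means "don't care", a 0 bit must equal the base address) to the two ACEs above, listing intended hosts each entry misses and unintended hosts it also matches, and computing the tightest single wildcard that covers a host set; all host addresses are the constructed ones from the thread.

```python
import ipaddress

def ip_to_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))

def int_to_ip(n: int) -> str:
    return str(ipaddress.IPv4Address(n))

def wildcard_matches(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit means 'don't care', a 0 bit must equal the base."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & care) == (ip_to_int(base) & care)

def matched_hosts(base: str, wildcard: str) -> list:
    """Enumerate every address a base/wildcard pair matches (small wildcards only)."""
    wc = ip_to_int(wildcard)
    fixed = ip_to_int(base) & ~wc & 0xFFFFFFFF      # bits the mask cares about
    free_bits = [i for i in range(32) if (wc >> i) & 1]
    hosts = []
    for combo in range(1 << len(free_bits)):          # every setting of the free bits
        val = fixed
        for k, bit in enumerate(free_bits):
            if (combo >> k) & 1:
                val |= 1 << bit
        hosts.append(int_to_ip(val))
    return sorted(hosts, key=ip_to_int)

def minimal_wildcard(hosts: list) -> tuple:
    """Tightest single base/wildcard covering all hosts: any bit that differs between two hosts must be free."""
    ints = [ip_to_int(h) for h in hosts]
    wc = 0
    for n in ints[1:]:
        wc |= ints[0] ^ n
    return int_to_ip(ints[0] & ~wc & 0xFFFFFFFF), int_to_ip(wc)

def audit_ace(src, src_wc, dst, dst_wc, wanted_src, wanted_dst):
    """Return (missed_src, missed_dst, extra_src, extra_dst): intended hosts the ACE
    fails to match, and hosts it matches that were never intended (collateral in a deny)."""
    src_set, dst_set = set(matched_hosts(src, src_wc)), set(matched_hosts(dst, dst_wc))
    return (sorted(set(wanted_src) - src_set, key=ip_to_int),
            sorted(set(wanted_dst) - dst_set, key=ip_to_int),
            sorted(src_set - set(wanted_src), key=ip_to_int),
            sorted(dst_set - set(wanted_dst), key=ip_to_int))

if __name__ == "__main__":
    SRC, DST = ["10.9.9.9", "10.9.9.10"], ["10.9.9.15", "10.9.9.16", "10.9.9.17"]
    print("original ACE:", audit_ace("10.9.9.9", "0.0.0.1", "10.9.9.15", "0.0.0.2", SRC, DST))
    print("reply ACE:   ", audit_ace("10.9.9.9", "0.0.0.3", "10.9.9.15", "0.0.0.31", SRC, DST))
    print("tightest dst:", minimal_wildcard(DST))
```

Running it shows the original entry matches only 10.9.9.8-9 and 10.9.9.13/.15, while the reply's 0.0.0.31 is the smallest single mask that reaches .15, .16 and .17 but also selects 29 other addresses in 10.9.9.0-31; with a deny, that is worth knowing before the ACE goes on a port.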
