ACL on a 6500 switch

dsoden
Level 1

Why would an IP that is denied in the first line of an ACL be allowed through by a line near the end of the ACL?

10 deny ip 144.85.15.0 0.0.0.128 any

1230 permit ip any 199.217.10.0 0.0.0.31 log (2176590 matches)

permitted tcp 144.85.15.49(80) -> 199.217.10.4(4216), 1 packet


konigl
Level 7

The inverse mask on your "deny" command line is the problem.

144.85.15.0 with inverse mask 0.0.0.128 (binary of the last octet in the mask is 1000 0000) only denies when the last octet of the IP address is .0 (0000 0000 in binary) or .128 (1000 0000 in binary). Because the inverse mask doesn’t care about the left-most bit in that last octet, but it IS interested in matching all the other bits. It could be a typo on the inverse mask, I’ve done that before. Anyway, that's why the .49 address is getting through.

144.85.15.0 with inverse mask 0.0.0.127 (binary of the last octet in the mask is 0111 1111) would deny when the last octet of the IP address is anything from .0 (0000 0000 in binary) through .127 (0111 1111), inclusive. Because the mask cares about the left-most bit in that last octet, but doesn’t care about the rest of the bits in that octet. This would block the .49 host.

If you wanted to block only hosts .128 through .255, then you would have to change the 144.85.15.0 to 144.85.15.128 with inverse mask 0.0.0.127.

144.85.15.0 with inverse mask 0.0.0.255 would block hosts from .0 through .255.

Generally speaking, inverse masks usually end with an odd number in the last octet (.1, .3, .7, .15, .31, .63, .127, or .255); regular subnet masks usually end with an even number (.254, .252, .248, .240, .224, .192, .128, or .0).

When a regular subnet mask ends with an odd number (.255, to be specific), it’s probably referring to a single host IP address.

Hope this helps.
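The bit-level matching that the reply above describes can be checked mechanically. The following is an added example (not part of the original thread or any Cisco tool): it implements Cisco wildcard-mask matching, enumerates which hosts in the /24 a given base/wildcard pair covers, and walks a constructed two-entry ACL with first-match semantics and the implicit deny at the end. The ACL entries are constructed from the two lines quoted in the question; the function names and the "fixed" ACL with wildcard 0.0.0.127 are assumptions for illustration.

```python
import ipaddress

MASK32 = 0xFFFFFFFF


def wildcard_match(address: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard (inverse-mask) match.

    A 0 bit in the wildcard means that bit of the address must equal the
    corresponding bit of the base; a 1 bit means "don't care".
    """
    a = int(ipaddress.IPv4Address(address))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & MASK32  # bits the ACL entry actually compares
    return (a & care) == (b & care)


def matching_last_octets(base: str, wildcard: str) -> list:
    """List the last-octet values within base's /24 that the pair matches."""
    prefix = int(ipaddress.IPv4Address(base)) & 0xFFFFFF00
    return [
        h for h in range(256)
        if wildcard_match(str(ipaddress.IPv4Address(prefix + h)), base, wildcard)
    ]


# Constructed ACL entries mirroring the two lines quoted in the question:
# (sequence, action, src base, src wildcard, dst base, dst wildcard).
# "any" is expressed as base 0.0.0.0 with wildcard 255.255.255.255.
ACL_AS_POSTED = [
    (10, "deny", "144.85.15.0", "0.0.0.128", "0.0.0.0", "255.255.255.255"),
    (1230, "permit", "0.0.0.0", "255.255.255.255", "199.217.10.0", "0.0.0.31"),
]

# Assumed corrected version: wildcard 0.0.0.127 covers hosts .0 through .127.
ACL_FIXED = [
    (10, "deny", "144.85.15.0", "0.0.0.127", "0.0.0.0", "255.255.255.255"),
    (1230, "permit", "0.0.0.0", "255.255.255.255", "199.217.10.0", "0.0.0.31"),
]


def evaluate(acl, src: str, dst: str):
    """First matching entry wins; no match means the implicit deny.

    Returns (sequence, action); sequence is None for the implicit deny.
    """
    for seq, action, src_base, src_wc, dst_base, dst_wc in acl:
        if wildcard_match(src, src_base, src_wc) and wildcard_match(dst, dst_base, dst_wc):
            return seq, action
    return None, "deny"


if __name__ == "__main__":
    print("0.0.0.128 matches last octets:", matching_last_octets("144.85.15.0", "0.0.0.128"))
    print("0.0.0.127 matches last octets:", matching_last_octets("144.85.15.0", "0.0.0.127"))
    print("as posted:", evaluate(ACL_AS_POSTED, "144.85.15.49", "199.217.10.4"))
    print("fixed:    ", evaluate(ACL_FIXED, "144.85.15.49", "199.217.10.4"))
```

Running it shows that 144.85.15.0 0.0.0.128 matches only hosts .0 and .128, so 144.85.15.49 falls past line 10 and is picked up by line 1230, while the 0.0.0.127 wildcard stops it at line 10. Enumerating the matched hosts this way is a quick sanity check before committing a wildcard that does not end in an all-ones pattern (.1, .3, .7, .15, .31, .63, .127, .255).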
