Cisco Support Community
Community Member

VPN ACL & Supernets

This should be a fairly simple question. With a VPN tunnel, can you specify a larger IP range in the access-list, such as 10.1.0.0/8, that will accept traffic from smaller subnets in that range, like 10.1.3.0/24?

I'm not sure if the ACL just inspects the IP, or if the subnet mask must be identical.

1 ACCEPTED SOLUTION

Accepted Solutions

Re: VPN ACL & Supernets

For VPN traffic, supernets will be read and processed; in other words, if you define a match address like:

permit ip 10.0.0.0 0.255.255.255 172.16.0.0 0.0.255.255

This will include the whole /8 of the 10 network and the whole /16 of the 172 network, to be sent on that tunnel.

Be careful when using this, since some traffic that you don't want might be matched by this.
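
As an added illustration (not part of the original thread), this Python script encodes the IOS wildcard-mask semantics the answer relies on: it parses the match address above, reports whether a smaller subnet such as the asker's /24 is covered, and shows the caveat that unrelated 10/8 traffic is selected too. The ACE string and sample addresses are constructed, and the missing octet in the answer's source address is assumed to be 10.0.0.0.

```python
import ipaddress

# Constructed example: the crypto-map match address from the answer above,
# with the missing octet of the source network assumed to be 10.0.0.0.
ACE = "permit ip 10.0.0.0 0.255.255.255 172.16.0.0 0.0.255.255"


def wildcard_to_network(base, wildcard):
    """Turn an IOS 'address wildcard' pair into an ip_network.
    A 0 bit in the wildcard must match, a 1 bit is 'don't care'; only
    contiguous wildcards (equivalent to a prefix length) are accepted."""
    wc = int(ipaddress.IPv4Address(wildcard))
    mask = (~wc) & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return ipaddress.ip_network(f"{base}/{prefix}", strict=False)


def parse_ace(line):
    """Parse 'permit|deny ip SRC SRC_WC DST DST_WC' into (action, src, dst)."""
    action, proto, src, src_wc, dst, dst_wc = line.split()
    if proto != "ip":
        raise ValueError("this example only handles 'ip' ACEs")
    return action, wildcard_to_network(src, src_wc), wildcard_to_network(dst, dst_wc)


def flow_matches(line, src_ip, dst_ip):
    """True when a packet from src_ip to dst_ip is selected for the tunnel."""
    action, src_net, dst_net = parse_ace(line)
    return (action == "permit"
            and ipaddress.ip_address(src_ip) in src_net
            and ipaddress.ip_address(dst_ip) in dst_net)


def subnet_covered(line, src_subnet, dst_subnet):
    """The asker's question: is every flow between two smaller subnets
    selected by the larger match address?"""
    _, src_net, dst_net = parse_ace(line)
    return (ipaddress.ip_network(src_subnet).subnet_of(src_net)
            and ipaddress.ip_network(dst_subnet).subnet_of(dst_net))


if __name__ == "__main__":
    # The /24 sits inside the /8, so its traffic is sent down the tunnel ...
    print(subnet_covered(ACE, "10.1.3.0/24", "172.16.4.0/24"))  # True
    # ... and so is every other 10/8 host, which is the answer's caveat.
    print(flow_matches(ACE, "10.200.7.7", "172.16.0.1"))  # True
    print(flow_matches(ACE, "10.1.3.5", "172.17.0.1"))  # False
```

Listing the flows that match a broad ACE in this way is a quick check before committing a supernet to a crypto map, since anything selected is sent down the tunnel whether or not the peer expects it.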

2 REPLIES

Community Member

Re: VPN ACL & Supernets

Thanks!
