Question:
I have the following Class B network 172.31.0.0/16 that I'm trying to create an access list for. I'd like to allow 172.31.240.0/24 but deny all else, so I'm looking for the best way to accomplish this with 2 ACL lines.
Answer:
The best way to accomplish the above is to explicitly allow the subnet you want and then deny the whole Class B network as follows:
! Extended ACL (100-199): each entry needs a source AND a destination, so "any" is required as the destination
access-list 110 permit ip 172.31.240.0 0.0.0.255 any
access-list 110 deny ip 172.31.0.0 0.0.255.255 any
Another option with just one ACL entry would be to permit only the subnet 172.31.240.0/24 and that's it. No other ACL entries are needed since there is an implicit deny at the end of the access list statement.
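To make the first-match and implicit-deny behaviour concrete, here is an added Python model of IOS extended-ACL evaluation (example code, not part of the original answer and not Cisco's own logic). It parses entries in the answer's syntax, matches addresses with wildcard masks (the inverse of a subnet mask, so /24 becomes 0.0.0.255), stops at the first match, and returns deny when nothing matches. The destination "any" on each entry and the sample addresses are assumptions for the example.

```python
import ipaddress

# Constructed sample ACLs in IOS extended syntax. The trailing "any" destination
# is assumed: an extended ACL needs both a source and a destination operand.
ACL_TWO_LINES = [
    "access-list 110 permit ip 172.31.240.0 0.0.0.255 any",
    "access-list 110 deny ip 172.31.0.0 0.0.255.255 any",
]
ACL_ONE_LINE = [
    "access-list 110 permit ip 172.31.240.0 0.0.0.255 any",
]

# Constructed sample source addresses: inside the permitted /24, elsewhere in
# the /16, and entirely outside 172.31.0.0/16.
SAMPLE_SOURCES = ["172.31.240.17", "172.31.241.1", "172.31.0.1",
                  "172.30.255.255", "10.0.0.5"]


def wildcard_from_prefix(prefix_len: int) -> str:
    """Inverse mask: a /24 subnet mask 255.255.255.0 becomes wildcard 0.0.0.255."""
    mask = ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask
    return str(ipaddress.IPv4Address(int(mask) ^ 0xFFFFFFFF))


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must match exactly
    return (a & care) == (n & care)


def _parse_operand(tokens):
    """Consume one address operand: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_ace(line: str) -> dict:
    """Parse 'access-list <num> <permit|deny> <proto> <src> <dst>'."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported entry: {line}")
    src, rest = _parse_operand(tokens[4:])
    dst, rest = _parse_operand(rest)
    if rest:
        raise ValueError(f"trailing tokens not modelled: {rest}")
    return {"action": tokens[2], "proto": tokens[3], "src": src, "dst": dst}


def evaluate(acl_lines, src_ip: str, dst_ip: str) -> str:
    """Top-down, first match wins; a packet matching no entry is denied."""
    for line in acl_lines:
        ace = parse_ace(line)
        if wildcard_match(src_ip, *ace["src"]) and wildcard_match(dst_ip, *ace["dst"]):
            return ace["action"]
    return "deny"  # the implicit deny at the end of every IOS ACL


def compare_acls(dst_ip: str = "192.0.2.10") -> dict:
    """Map each sample source to (two-line result, one-line result)."""
    return {s: (evaluate(ACL_TWO_LINES, s, dst_ip),
                evaluate(ACL_ONE_LINE, s, dst_ip)) for s in SAMPLE_SOURCES}


def acls_equivalent(dst_ip: str = "192.0.2.10") -> bool:
    """True when both ACLs decide every sample source the same way."""
    return all(two == one for two, one in compare_acls(dst_ip).values())


if __name__ == "__main__":
    print("wildcard for /24:", wildcard_from_prefix(24))
    for src, (two, one) in compare_acls().items():
        print(f"{src:>16}  two-line={two:<6}  one-line={one}")
    print("equivalent:", acls_equivalent())
```

The model shows why the explicit deny in the two-line version changes nothing functionally: every source outside 172.31.240.0/24 ends up denied either by that entry or by the implicit deny. Operationally the explicit entry is still useful on a real router because it gives you a hit counter (and can take the log keyword) for traffic from the rest of the /16, which the implicit deny does not.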