Using Cisco Access Control List to block a subnet

Question:

I have the following Class B network 172.31.0.0/16 that I'm trying to create an access list for. I'd like to allow 172.31.240.0/24 but deny all else, so I'm looking for the best way to accomplish this with 2 ACL lines.

Answer:

The best way to accomplish the above is to explicitly allow the subnet you want and then deny the whole Class B network as follows (an extended ACL in the 100-199 range needs a destination field, so `any` is supplied for both entries):

access-list 110 permit ip 172.31.240.0 0.0.0.255 any
access-list 110 deny ip 172.31.0.0 0.0.255.255 any

Another option with just one ACL entry would be to permit only the subnet 172.31.240.0/24 and that's it. No other ACL entries are needed since there is an implicit deny at the end of the access list statement.
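As an added illustration (not part of the original question or answer), the following Python script models how IOS evaluates an ordered access list: it derives the wildcard mask from a CIDR prefix (the wildcard is the bitwise inverse of the subnet mask), renders each entry in `access-list` syntax, walks the entries top to bottom with first match wins, and falls through to the implicit deny. It then checks the two-line and one-line ACLs from the answer against a constructed set of sample addresses, and shows the failure mode a practitioner should watch for: reversing the order shadows the permit, because the /16 deny matches 172.31.240.0/24 traffic first. The ACL number 110 and the sample addresses are assumptions chosen for the example.

```python
import ipaddress

# Trailing entry IOS applies to anything no explicit entry matched.
IMPLICIT_DENY = ("deny", "0.0.0.0/0")


def cidr_to_wildcard(cidr):
    """Return (network address, Cisco wildcard mask) for a CIDR prefix.

    IOS wildcard bits are the inverse of the subnet mask: 0 = must match,
    1 = don't care, which is exactly the prefix's host mask.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net.network_address), str(net.hostmask)


def wildcard_to_network(addr, wildcard):
    """Inverse direction: turn an 'address wildcard' pair from a config
    back into a network, so a printed ACE can be checked against the
    prefix it was meant to cover. Only contiguous wildcards are handled;
    ipaddress rejects a non-contiguous netmask with ValueError."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.ip_network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def render_ace(number, action, cidr):
    """Render one extended ACE in IOS syntax, source = prefix, destination = any."""
    addr, wc = cidr_to_wildcard(cidr)
    return f"access-list {number} {action} ip {addr} {wc} any"


def evaluate(acl, src):
    """Evaluate a source address against an ordered list of (action, cidr).

    First matching entry wins. Returns (action, index); index -1 means the
    packet fell through every configured entry and hit the implicit deny.
    """
    ip = ipaddress.ip_address(src)
    for index, (action, cidr) in enumerate(acl):
        if ip in ipaddress.ip_network(cidr, strict=False):
            return action, index
    return IMPLICIT_DENY[0], -1


def same_decisions(acl_a, acl_b, samples):
    """True if both ACLs permit/deny every sample address the same way."""
    return all(evaluate(acl_a, s)[0] == evaluate(acl_b, s)[0] for s in samples)


# The two ACLs from the answer, plus the mis-ordered variant.
ACL_TWO_LINE = [("permit", "172.31.240.0/24"), ("deny", "172.31.0.0/16")]
ACL_ONE_LINE = [("permit", "172.31.240.0/24")]
ACL_WRONG_ORDER = [("deny", "172.31.0.0/16"), ("permit", "172.31.240.0/24")]

# Constructed sample addresses: inside the /24, elsewhere in the /16, and
# just outside the /16 on both sides, plus an unrelated RFC 1918 address.
SAMPLES = [
    "172.31.240.1", "172.31.240.255",   # should be permitted
    "172.31.241.1", "172.31.0.1", "172.31.255.254",  # elsewhere in the /16
    "172.30.255.255", "172.32.0.0", "10.0.0.1",      # outside the /16
]

if __name__ == "__main__":
    for action, cidr in ACL_TWO_LINE:
        print(render_ace(110, action, cidr))
    for s in SAMPLES:
        print(f"{s:16} two-line={evaluate(ACL_TWO_LINE, s)} "
              f"one-line={evaluate(ACL_ONE_LINE, s)} "
              f"wrong-order={evaluate(ACL_WRONG_ORDER, s)}")
    print("two-line == one-line:", same_decisions(ACL_TWO_LINE, ACL_ONE_LINE, SAMPLES))
    print("two-line == wrong-order:", same_decisions(ACL_TWO_LINE, ACL_WRONG_ORDER, SAMPLES))
```

The one-line and two-line ACLs reach the same decision for every sample; the only observable difference is which entry the hit counter increments on (`show access-lists` will attribute the /16 denies to the explicit entry in the two-line version, which is useful when you want to see denied traffic counted). The mis-ordered ACL denies 172.31.240.0/24 entirely, which is the classic shadowed-entry mistake.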
