Strange PACL behaviour

martintonner
Level 1

Folks,

I’m hoping someone can shed some light on this. Not a fault as such, but some weird and unexpected behaviour.

Scenario:

Applying a port ACL to block inbound traffic from 2 devices (10.9.9.9 and 10.9.9.10) to another 3 devices (10.9.9.15, 10.9.9.16 and 10.9.9.17).

ACL as follows (not actual IP addresses):

ip access-list extended ICMBLOCK
 deny ip 10.9.9.9 0.0.0.1 10.9.9.15 0.0.0.2 log
 permit ip any any log

This was then applied inbound to the 2 switchports which connect 10.9.9.9 and 10.9.9.10:

Int)# ip access-group ICMBLOCK in

Weird Behaviour:

1) Traffic to 10.9.9.15 and 10.9.9.17 was blocked. But traffic to 10.9.9.16 was permitted through. Shouldn’t the reverse mask on 10.9.9.15 0.0.0.2 cover all 3 destination IPs?

2) Once the trial was finished, I removed the access-group from both switchports. However, log messages indicating permits and denies still appeared. I swear the ACL was not applied to any other interfaces.

Eventually I had to delete the ACL itself to stop this behaviour.

Does anyone know why this behaviour occurred? Any help gratefully received.

Regards,

Martin.

1 Reply

thomas.chen
Level 6

I think the wildcard masks you have provided are wrong. For your network to work properly, use the following wildcard masks:

deny ip 10.9.9.9 0.0.0.3 10.9.9.15 0.0.0.31 log
permit ip any any

This will provide you the required solution.

For a procedural approach on creating wildcard masks, see the link below: http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#topic2
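To see why the original masks (0.0.0.1 / 0.0.0.2) match fewer hosts than intended, and how far the suggested 0.0.0.3 / 0.0.0.31 masks over-match, here is an added Python example (not code from either poster) that evaluates Cisco wildcard semantics bit by bit and enumerates exactly which addresses an entry admits before it is applied to a port.

```python
import ipaddress
from typing import Iterable


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def ace_matches(ace_addr: str, wildcard: str, packet_addr: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care';
    every 0 bit of the packet address must equal the ACE address exactly."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(ace_addr) & care) == (_ip(packet_addr) & care)


def matched(ace_addr: str, wildcard: str, hosts: Iterable[str]) -> list[str]:
    """Which of the given hosts the entry actually matches."""
    return [h for h in hosts if ace_matches(ace_addr, wildcard, h)]


def minimal_wildcard(hosts: Iterable[str]) -> tuple[str, str]:
    """Smallest single address/wildcard pair covering every host: set a
    don't-care bit wherever any two hosts differ, and clear those bits in
    the base address (the same normalisation IOS applies when storing an ACE)."""
    ints = [_ip(h) for h in hosts]
    wild = 0
    for h in ints:
        wild |= h ^ ints[0]
    base = ints[0] & ~wild & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(base)), str(ipaddress.IPv4Address(wild))


def admitted(ace_addr: str, wildcard: str, limit: int = 256) -> list[str]:
    """Every address the entry matches, so over-matching is visible up front.
    Refuses wildcards that would expand to more than `limit` addresses."""
    wild = _ip(wildcard)
    base = _ip(ace_addr) & ~wild & 0xFFFFFFFF
    free = [1 << b for b in range(32) if (wild >> b) & 1]
    if 2 ** len(free) > limit:
        raise ValueError("wildcard too broad to enumerate")
    out = []
    for k in range(2 ** len(free)):
        addr = base
        for i, bit in enumerate(free):
            if (k >> i) & 1:
                addr |= bit
        out.append(str(ipaddress.IPv4Address(addr)))
    return out
```

Running `admitted("10.9.9.15", "0.0.0.2")` shows the original destination entry only covers .13 and .15, while `minimal_wildcard` confirms that no single entry can cover .15/.16/.17 without also admitting 10.9.9.0 through .31; two or three host entries would be the tighter deny.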
