What does this wildcard do?

Started by mercy_angel, December 18, 2020, 05:00:34 PM


mercy_angel

The idea is that only one subnet sees and controls all other subnets in HQ. I found some configuration for this:

So VLAN 10 was created, and its access list is:

    10 permit ip any any
    20 permit icmp any any


and for VLAN 20 (all VLANs are the same in terms of access list):

    10 deny ip any 192.168.0.0 0.0.128.255
    20 permit ip any any
    30 permit icmp any any

So what is that wildcard 0.0.128.255?
VLAN 20 can still reach VLAN 10, but it shouldn't. VLAN 10 is the IT department; only that VLAN should see all VLANs, but those VLANs can't see the IT VLAN.
Where is the mistake?
I tried to change the first rule in VLAN 20 to

    10 deny ip any 192.168.0.0 0.0.255.255

but then VLAN 10, which is IT, can't see VLAN 20.

deanwebb

So, to know what exactly is going on, we would need to know the IP range of VLAN 10, IP range of VLAN 20, and what gear you have the ACL on.

But on Cisco switches, which I'm guessing you're using, the wildcard is an inverse match for the IP range in the ACL rule.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

Dieselboy

Sounds like OP is using a VLAN ACL (VACL), and they're not straightforward at all. There are other considerations when using a VACL. I googled for some info on this and found a YouTube vid "Explaining VACL" that may be helpful to the OP: https://www.youtube.com/watch?v=A4Mt1Vgx-fw

I haven't done this for many years. It is easier for me to choose one of these alternatives:

1. use a firewall to route between these VLANs and do the filtering on the firewall instead of VACL
2. use routed ports (physical port) and then traditional ACL on the ingress of the routed port

mercy_angel

Quote from: deanwebb on December 20, 2020, 07:42:20 PM
So, to know what exactly is going on, we would need to know the IP range of VLAN 10, IP range of VLAN 20, and what gear you have the ACL on.

But on Cisco switches, which I'm guessing you're using, the wildcard is an inverse match for the IP range in the ACL rule.

Why is that important? It's two /24 masks.
It can be anything for these purposes. VLAN 10 is 192.168.10.0/24 and VLAN 20 is 192.168.20.0/24.
But it's strange how I found that wildcard in the ACL, and I can't figure out what is forbidden and why VLAN 20 can access VLAN 10...

Dieselboy

The wildcard mask looks like a typo. A 17 bit wildcard mask is `0.0.127.255`.

Maybe your office or "site" has a number of /24s which can be described as one larger subnet like a /17. A /17 would give you subnets from 192.168.0.0/24 to 192.168.127.0/24 (or you could say 128 /24s).

mercy_angel

Quote from: Dieselboy on December 23, 2020, 12:01:17 AM
The wildcard mask looks like a typo. A 17 bit wildcard mask is `0.0.127.255`.

Maybe your office or "site" has a number of /24s which can be described as one larger subnet like a /17. A /17 would give you subnets from 192.168.0.0/24 to 192.168.127.0/24 (or you could say 128 /24s).

Or can you help me with how to write my access list then? Because when I put deny 192.168.0.0 0.0.255.255, VLAN 10, which must see all subnets, also cannot see VLAN 20 even though it has permit any any.

deanwebb

This is where we need the IP ranges of the VLANs in question. Once we have those, we can say with accuracy what impact that ACL is having on their traffic.

Dieselboy

Quote from: mercy_angel on December 23, 2020, 03:27:58 PM
Quote from: Dieselboy on December 23, 2020, 12:01:17 AM
The wildcard mask looks like a typo. A 17 bit wildcard mask is `0.0.127.255`.

Maybe your office or "site" has a number of /24s which can be described as one larger subnet like a /17. A /17 would give you subnets from 192.168.0.0/24 to 192.168.127.0/24 (or you could say 128 /24s).

Or can you help me with how to write my access list then? Because when I put deny 192.168.0.0 0.0.255.255, VLAN 10, which must see all subnets, also cannot see VLAN 20 even though it has permit any any.

Please take a look at the video I posted; it should explain VACLs. The VACLs (VLAN ACLs) are not straightforward like ACLs.

mercy_angel

Quote from: deanwebb on December 24, 2020, 07:42:12 AM
This is where we need the IP ranges of the VLANs in question. Once we have those, we can say with accuracy what impact that ACL is having on their traffic.
VLAN 10 is 192.168.10.0/24.
This VLAN should see 192.168.0.0/16.
VLAN 20 is 192.168.20.0/24, and this VLAN and all the others (except VLAN 10, because VLAN 10 is the IT sector) should see only VLAN 2, 192.168.2.0/24, and that's it. No other VLAN allowed.

deanwebb

VLAN 20 is in the same /16 as VLAN 10, so the VACL that permits to the /16 is going to permit to VLAN 10. Either tighten up the VACL to maybe just the /24, or put it in a different /16, like 192.168.128.0/24.

mercy_angel

Quote from: deanwebb on January 05, 2021, 11:24:00 AM
VLAN 20 is in the same /16 as VLAN 10, so the VACL that permits to the /16 is going to permit to VLAN 10. Either tighten up the VACL to maybe just the /24, or put it in a different /16, like 192.168.128.0/24.

If I don't put `ip access-group SOME_ACL_NAME in` on VLAN 100 (10.122.0.0/22), and on VLAN 200 (10.122.13.0/24) I put `ip access-group LAN-FILTER in`,

and that access list is:
    Extended IP access list LAN-FILTER
        deny ip any 10.122.0.0 0.0.31.255
        deny icmp any 10.122.0.0 0.0.31.255
        permit ip any any
        permit icmp any any

why can't I ping any other VLANs in 10.122.0.0/16 from VLAN 10??
So in general, if I don't put any ACL rule on one subnet, it should explicitly see all others?

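Added example, not written by any poster in this thread: a small Python evaluator for Cisco-style wildcard masks and first-match ACL processing, run over the access lists quoted in the thread (the VLAN 10 and VLAN 20 lists from the first post, the tightened 0.0.255.255 variant, and LAN-FILTER from the post above). It shows which /24s each wildcard actually covers (a 0 bit in the wildcard must match, a 1 bit is "don't care", so 0.0.128.255 leaves only bit 7 of the third octet free and covers just 192.168.0.0/24 and 192.168.128.0/24), and it evaluates each direction of a ping separately, because an interface ACL keeps no session state: a deny applied inbound on the office VLAN's SVI also drops that VLAN's replies to IT. It assumes each list is applied inbound on its VLAN's SVI, as the `ip access-group ... in` commands in the post above indicate; the function names and host addresses are constructed for this illustration.

```python
import ipaddress

# Added example: Cisco-style wildcard matching and first-match ACL evaluation.
# Helper names and the host addresses below are constructed for illustration;
# the access-list entries are the ones quoted in the thread.


def wildcard_matches(addr, base, wildcard):
    """Cisco wildcard semantics: a 0 bit in the wildcard means 'must equal the
    base', a 1 bit means 'don't care'. Wildcards need not be contiguous, so
    compare bit by bit rather than converting to a prefix length."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def matched_third_octets(base, wildcard):
    """For a wildcard of the form 0.0.N.255, list the third-octet values the
    entry covers, i.e. which /24s inside the base's /16 it really matches."""
    o1, o2, _, _ = base.split(".")
    return [n for n in range(256)
            if wildcard_matches(f"{o1}.{o2}.{n}.0", base, wildcard)]


def _parse_addr(parts, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at parts[i]."""
    if parts[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if parts[i] == "host":
        return (parts[i + 1], "0.0.0.0"), i + 2
    return (parts[i], parts[i + 1]), i + 2


def parse_acl(text):
    """Parse extended ACL entries '[seq] permit|deny proto src dst' into
    (action, proto, (src_base, src_wc), (dst_base, dst_wc)) tuples."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if parts[0].isdigit():          # optional sequence number
            parts = parts[1:]
        action, proto = parts[0], parts[1]
        src, i = _parse_addr(parts, 2)
        dst, _ = _parse_addr(parts, i)
        entries.append((action, proto, src, dst))
    return entries


def acl_decision(acl, proto, src, dst):
    """First matching entry wins; if nothing matches, the implicit deny at the
    end of every list applies. An 'ip' entry matches every protocol."""
    for action, p, (sb, sw), (db, dw) in acl:
        if p != "ip" and p != proto:
            continue
        if wildcard_matches(src, sb, sw) and wildcard_matches(dst, db, dw):
            return action
    return "deny"


def round_trip_allowed(acl_on_src_vlan, acl_on_dst_vlan, proto, src, dst):
    """A ping only works if the request passes the inbound ACL on the source
    VLAN *and* the reply passes the inbound ACL on the destination VLAN."""
    request = acl_decision(acl_on_src_vlan, proto, src, dst)
    reply = acl_decision(acl_on_dst_vlan, proto, dst, src)
    return request == "permit" and reply == "permit"


# Access lists quoted in the thread (VLAN 10 = IT, VLAN 20 = an office VLAN).
VLAN10_ACL = parse_acl("""
10 permit ip any any
20 permit icmp any any
""")
VLAN20_ACL = parse_acl("""
10 deny ip any 192.168.0.0 0.0.128.255
20 permit ip any any
30 permit icmp any any
""")
VLAN20_TIGHT = parse_acl("""
10 deny ip any 192.168.0.0 0.0.255.255
20 permit ip any any
30 permit icmp any any
""")
LAN_FILTER = parse_acl("""
deny ip any 10.122.0.0 0.0.31.255
deny icmp any 10.122.0.0 0.0.31.255
permit ip any any
permit icmp any any
""")

if __name__ == "__main__":
    # Constructed host addresses inside the VLANs named in the thread.
    it_host, office_host = "192.168.10.5", "192.168.20.5"
    print("0.0.128.255 covers /24s:", matched_third_octets("192.168.0.0", "0.0.128.255"))
    print("0.0.31.255 covers /24s:", matched_third_octets("10.122.0.0", "0.0.31.255"))
    print("office -> IT under the original VLAN 20 list:",
          acl_decision(VLAN20_ACL, "icmp", office_host, it_host))
    print("IT ping to office with the tightened list works:",
          round_trip_allowed(VLAN10_ACL, VLAN20_TIGHT, "icmp", it_host, office_host))
```

Running it reproduces both symptoms from the thread: with 0.0.128.255 the deny never matches 192.168.10.0/24, so the office VLAN's traffic to IT falls through to `permit ip any any`; with 0.0.255.255 the deny does match, but it also matches the office hosts' replies to IT, so IT's ping to the office fails even though IT's own list is `permit ip any any`. The /19 denies in LAN-FILTER cover 10.122.0.0 through 10.122.31.255, which includes both VLAN 100 and VLAN 200.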

deanwebb

Those ACL rules match on a /12 range.

And yes, by default, if there is no ACL, all traffic is permitted.

mercy_angel

Quote from: deanwebb on January 07, 2021, 09:47:36 AM
Those ACL rules match on a /12 range.

And yes, by default, if there is no ACL, all traffic is permitted.

Why then can't I ping it?
If I have a deny from other VLANs, why IT, where there aren't any ACLs?

deanwebb

You can't ping it because your mask is too big. Try using 10.122.13.0 0.255.255.255 on the deny statements. Then it will only block traffic to VLAN 200.

mercy_angel

Quote from: deanwebb on January 08, 2021, 09:37:35 PM
You can't ping it because your mask is too big. Try using 10.122.13.0 0.255.255.255 on the deny statements. Then it will only block traffic to VLAN 200.

VLAN 100 is the IT department. This VLAN MUST see all VLANs. And VLAN 200 is some office, and there are 10 or 15 more VLANs, so it will be the same ACL rules for them.
Those office VLANs must not see any VLANs besides their own. The problem is that I don't have ping to those office PCs.