cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1915
Views
10
Helpful
8
Replies

ACL Configuration on Router

RS19
Level 4
Level 4

I have the attached network scenario.

In the scenario, I have 2 networks 10.100.0.0/16 & 10.200.0.0/16 which has access to Internet.

OSPF is used between L3#3 & R1 , L4#4 & R2.

 

R1 & R2 is configured for source NAT to communicate to Internet.

I want to configure ACL to have the flowing restriction on R1 & R2

 

Source: 10.100.0.0/16 ->  Destination: 8.0.0.0/8, 4.0.0.0/8 (Allow)

Source: 10.100.0.0/16 ->  Destination: ANY (Block)

Source:10.200.0.0/16 ->   Destination: ANY (Allow)

 

Let me know how to configure it on R1,R2 gi0/1. The ACL should not affect the OSPF neig & also let me know in which direction the ACL needs to applied.

 

 

8 Replies 8

julian.bendix
Level 3
Level 3

Hi!

There is no attachment added to this post (at least I cannot see one).

Mostly the best option is to configure ACLs closest to the source,
in most cases that would be inbound on the LAN interface.

In that case then:

ip access-list extended <ACL Name>
permit ip 10.100.0.0 0.0.255.255 8.0.0.0 0.255.255.255
permit ip 10.100.0.0 0.0.255.255 4.0.0.0 0.255.255.255
permit ip 10.200.0.0 0.0.255.255 any
deny ip any any
exit

interface <LAN Interface>
ip access-group <ACL Name> in
end

The "deny ip any any" is actually not needed because it is by default at the end of any ACL..

Hope that helps, let me know what you think.

Best regards
Juls

 

Sorry please find the attachment.

I have attached the diagram, pls check and let me know the right AC which needs to be configured

I am thinking to use as below.

 

ip access-list extended <ACL Name>
permit ip 10.100.0.0 0.0.255.255 8.0.0.0 0.255.255.255
permit ip 10.100.0.0 0.0.255.255 4.0.0.0 0.255.255.255
permit ip 10.200.0.0 0.0.255.255 any
exit

 

interface <LAN Interface>
ip access-group <ACL Name> in
end

 

I am not specifying any deny statement. Will there be any implicit deny in the end, if it is not specifically mentioned ?

Hey @RS19 

You can apply your ACL on Interface Gi 0/1 in inbound direction.

Yes there will be an implicit deny at the end of your ACL :)

Let me know if that helps.

BR
Juls

ip access-list extended <ACL Name>
permit ip 10.100.0.0 0.0.255.255 8.0.0.0 0.255.255.255
permit ip 10.100.0.0 0.0.255.255 4.0.0.0 0.255.255.255
permit ip 10.200.0.0 0.0.255.255 any
exit

 

If i apply the above command & since there is implicit deny will it affect the OSPF neig between the devices , since Router is running between Router & the L3 switch

Any inputs or help

the L3#3/L3#4 & R1/R2 are running OSPF & they are part of same network 10.100.0.0/16

So if I use the below ACL on R1 & R2 , I feel the OSPF neigh between L3 Switch & the router will fail.

Would like to know how to avoid this ?

ip access-list extended <ACL Name>
permit ip 10.100.0.0 0.0.255.255 8.0.0.0 0.255.255.255
permit ip 10.100.0.0 0.0.255.255 4.0.0.0 0.255.255.255
deny ip 10.100.0.0 0.0.255.255 any
permit ip 10.200.0.0 0.0.255.255 any
exit
 
interface <LAN Interface>
ip access-group <ACL Name> in
end

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: