What is this access control list not working

Michael1975
Level 1

I am not sure why my ACL is not working.

Can someone help me understand why my ACL is not working?

 

[Attachment: 1.jpg]

10 Replies

@Michael1975

R1

ip access-list standard 1
 10 permit ip host 172.16.1.1 192.168.1.0 0.0.0.255
 20 permit ip host 172.16.2.1 192.168.1.0 0.0.0.255

int Se 0/0/0
 ip access-group 1 out

R2

ip access-list extended branchoffices
 10 permit ip host 172.16.1.1 192.168.1.0 0.0.0.255
 20 permit ip host 172.16.2.1 192.168.1.0 0.0.0.255

int Se 0/0/0
 ip access-group branchoffices in

All ACLs have a deny ip any any, so you don't need to deny the traffic.

MichaelMcCoy
Level 1

Are you sure that you applied the ACL in the right direction on the correct interfaces?

The exercise does not tell where to apply it. For me it makes sense to apply it on the serial interface so that I only have to apply it once. If I were to apply it on the Giga, it would be necessary to apply it twice.

Related to the direction, yes, I will block the traffic leaving R1 and arriving at R2.

Actually it is not necessary to apply it on both, but the exercise is asking for it.

I think I should apply the rule on R2 Gi0/0 on inbound traffic; then I will only have to create one ACL.

When using a standard ACL, you should create the ACL as close to the destination as possible.

In the command I can only use the source network or source host.

This is the syntax:

! Legacy syntax
access-list <number> {permit | deny} <source> [log]

! Modern syntax
ip access-list standard {<number> | <name>}
[<sequence>] {permit | deny} <source> [log]

Michael1975
Level 1

It is tough to see my words in the screenshot.

These are the commands I used in my Packet Tracer.

I think I applied the ACL to the correct port in the correct direction.

 

Router 1
en
conf t
router eigrp 100
no auto-summary
network 172.16.1.0 0.0.0.255
network 172.16.2.0 0.0.0.255
network 203.0.113.0 0.0.0.3


Router 2
en
conf t
router eigrp 100
no auto-summary
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
network 203.0.113.0 0.0.0.3

ip access-list standard 1
10 permit host 172.16.1.1
20 permit host 172.16.2.1
30 deny 172.16.2.0 0.0.0.255
40 deny 172.16.1.0 0.0.0.255
permit any

int gi0/0
ip access-group 1 in

They asked to apply it on R1 and R2, didn't they? One standard and one named; I don't see that in your resolution. And the direction is wrong. If you apply it on the Giga you need to apply it out.

When applying an ACL, always imagine yourself inside the router and then imagine the traffic coming in and the traffic leaving.

On the serial of R2 it is in and on the Giga it is out. For R1 it is the opposite: the Giga is in and the serial is out.

 

Michael1975
Level 1

I am reading the question differently than you.

To me it reads: if the ACL is being created on R1 then use a standard number; if it is on R2 then use a standard name.

 

You are wrong again, mate. They say apply the ACL on R1 AND R2, not R1 OR R2.

But you seem to be convinced you are right, so I will leave it here.

Good luck in your studies.

MichaelMcCoy
Level 1

I think Flavio is correct; you will need two separate ACLs, one named and one numbered.

Joseph W. Doherty
Hall of Fame

The way I read the requirement, any standard ACL applied on R1 should be in numbered format, while any standard ACL applied on R2 should be in named format. I don't see it as a demand for where actual ACLs need to be applied, although with such a requirement for each router, I would expect an ACL, or ACLs, to be needed on both routers. (BTW, remember, functionally, a standard ACL is a standard ACL, whether in numbered or named format.)

OP later mentions that "When using standard ACL, you should create the ACL as close to the destination as possible."; well, that's a recommendation for efficiency. Any time you're going to intentionally drop packets, you want to do that ASAP, to avoid such packets traversing the network needlessly.

However, often we will place ACLs in less than ideal locations, efficiency-wise. For example, perhaps R1 and R2 are in different ASs? Or perhaps, for maintainability, we don't want ACLs scattered all through the network; we want to maintain them at some certain point.

With standard ACLs, since they can only use source IPs, placement may depend on the rule we're trying to create, as, unlike with an extended ACL, we cannot also use a destination parameter. So we may need to apply the ACL in a location where a destination requirement can only be met by where the ACL is placed. I.e., an extended ACL might be applied anywhere in the transit path, but not so for a standard ACL.

Your topology has four host networks, so any rule that requires limiting access based on destination will require a standard ACL on the router that can make a destination distinction by the interface the ACL is applied to.

So, looking at the first requirement:

Only PC1 and PC3 can access 192.168.1.0/24

(if we could use extended ACLs)

 

permit ip host 172.16.1.1 192.168.1.0 0.0.0.255
permit ip host 172.16.2.1 192.168.1.0 0.0.0.255
!deny ip any any !remember every ACL has this as an implicit ending ACE

or

permit ip 192.168.1.0 0.0.0.255 host 172.16.1.1
permit ip 192.168.1.0 0.0.0.255 host 172.16.2.1
!deny ip any any !remember every ACL has this as an implicit ending ACE

As already noted, we cannot use a destination, but we can select interfaces, so

on R2's g0/0 (which is the 192.168.1.0/24 network) we can apply, as a named standard ACL, out:

ip access-list standard Rule1
 permit host 172.16.1.1
 permit host 172.16.2.1

i.e. the above will only allow packets from those two hosts to enter 192.168.1.0/24

Does the above make sense?

As you noted it was the first rule causing you the most trouble, is that enough to get you going, or do you need further help?
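The placement reasoning in Flavio's and Joseph's replies, as an added example that is not part of the thread: a small Python model that parses a standard ACL, evaluates it first-match with the implicit deny, and checks where a packet is filtered depending on which interface and direction the ACL is applied to. It shows that Rule1 outbound on R2 g0/0 filters only traffic entering 192.168.1.0/24, that the OP's inbound placement on R2 gi0/0 never sees traffic coming from the serial side, and that the same source-only ACL inbound on R1 g0/0 also cuts PC2 off from 192.168.2.0/24 while doing nothing for hosts on R1's other LAN. Interface names other than R2 g0/0 and the serials, and the second LAN on each router, are assumptions about the diagram.

```python
import ipaddress
ip = ipaddress.ip_address

# Constructed topology from the thread's diagram: each router fronts two LANs
# and the serial link joins them. Interface names other than R2 g0/0 and the
# serials are assumptions, as is the exact second LAN on each side.
LANS = {("R1", "g0/0"): ipaddress.ip_network("172.16.1.0/24"),
        ("R1", "g0/1"): ipaddress.ip_network("172.16.2.0/24"),
        ("R2", "g0/0"): ipaddress.ip_network("192.168.1.0/24"),
        ("R2", "g0/1"): ipaddress.ip_network("192.168.2.0/24")}

RULE1 = """ip access-list standard Rule1
 permit host 172.16.1.1
 permit host 172.16.2.1"""

def parse_standard_acl(text):
    """Turn IOS standard-ACL lines into [(action, network)]; the header line is skipped."""
    aces = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if parts[0].isdigit():            # optional sequence number
            parts = parts[1:]
        action, src = parts[0], parts[1:]
        if src[0] == "host":
            net = ipaddress.ip_network(src[1] + "/32")
        elif src[0] == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:                             # address + wildcard mask (contiguous wildcards only)
            prefix = 32 - bin(int(ip(src[1]))).count("1")
            net = ipaddress.ip_network(f"{src[0]}/{prefix}", strict=False)
        aces.append((action, net))
    return aces

def evaluate(aces, src):
    """First matching ACE wins; the implicit 'deny any' closes every ACL."""
    for action, net in aces:
        if ip(src) in net:
            return action
    return "deny"

def path(src, dst):
    """Interfaces a packet crosses from an R1 LAN to an R2 LAN, each with its direction."""
    first = next(k for k, n in LANS.items() if ip(src) in n)
    last = next(k for k, n in LANS.items() if ip(dst) in n)
    return [(*first, "in"), ("R1", "s0/0/0", "out"), ("R2", "s0/0/0", "in"), (*last, "out")]

def delivered(aces, placement, src, dst):
    """True if src->dst gets through with the ACL applied at placement=(router, iface, dir)."""
    return placement not in path(src, dst) or evaluate(aces, src) == "permit"
```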