I seem to be having a problem wrapping my head around what is going on or what to do.
What I have is two subinterfaces:
interface FastEthernet0/1.1
encapsulation dot1Q 10
ip address 10.10.2.254 255.255.255.0
ip access-group vlan10_in in
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1.2
encapsulation dot1Q 20
ip address 10.10.3.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
Now what I am trying to do is block the 10.10.3.x network from accessing the 10.10.2.x network BUT I want the 10.10.2.x network to be able to access the 10.10.3.x network.
The access list I set up is:
Extended IP access list vlan10_in
10 deny ip 10.10.2.0 0.0.0.255 10.10.3.0 0.0.0.255 log (7 matches)
20 permit ip any any log
Now I set up logging to try to understand this better. When I try to PING from 10.10.3.x to 10.10.2.x I get:
*Dec 15 18:30:34.553: %SEC-6-IPACCESSLOGDP: list vlan10_in denied icmp 10.10.2.100 -> 10.10.3.100 (0/0), 1 packet
But when I try to PING from 10.10.2.x to 10.10.3.x I get nothing. The ping actually shows a "Destination net unreachable".
I know my logic is wrong because it's not working... but I'm trying to understand this better.
Without this access-list/group everything works fine. Both networks can get to the NET and see each other.
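As an added example (not from this thread or from Cisco), here is a small Python model of the access list above. It reproduces what the log shows (the echo *reply* from 10.10.2.100 is what line 10 denies) and why a ping started from VLAN 10 is dropped outright, then contrasts that with an assumed session-aware model of the kind a stateful firewall provides; the function names, the `sessions` table and the topology constants are assumptions for the model, not IOS behaviour taken from the page.

```python
import ipaddress

# Constructed model of the question's topology: VLAN 10 (10.10.2.0/24) enters on Fa0/1.1, VLAN 20 on Fa0/1.2.
VLAN10 = ipaddress.ip_network("10.10.2.0/24")

def wildcard_match(addr, net, wildcard):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return (a & ~w) == (n & ~w)

# The ACL from the question: (seq, action, src, src_wildcard, dst, dst_wildcard)
VLAN10_IN = [
    (10, "deny",   "10.10.2.0", "0.0.0.255",       "10.10.3.0", "0.0.0.255"),
    (20, "permit", "0.0.0.0",   "255.255.255.255", "0.0.0.0",   "255.255.255.255"),
]

def evaluate(acl, src, dst):
    """First matching line wins; running off the end is the implicit deny."""
    for seq, action, s, swc, d, dwc in acl:
        if wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc):
            return action, seq
    return "deny", None

def ingress_of(src):
    return "Fa0/1.1" if ipaddress.ip_address(src) in VLAN10 else "Fa0/1.2"

def stateless_forward(src, dst, _sessions=None):
    """The config as posted: vlan10_in is applied inbound on Fa0/1.1, so it
    is only consulted for packets *sourced* by a VLAN 10 host."""
    if ingress_of(src) == "Fa0/1.1":
        action, seq = evaluate(VLAN10_IN, src, dst)
        if action == "deny":
            return f"denied by vlan10_in line {seq}"
    return "forwarded"

def stateful_forward(src, dst, sessions):
    """Assumed model of session-aware filtering (not an IOS firewall
    implementation): flows that VLAN 10 starts are recorded, and VLAN 20
    may reach VLAN 10 only by answering one of them."""
    if ingress_of(src) == "Fa0/1.1":
        sessions.add((src, dst))
        return "forwarded"
    if ipaddress.ip_address(dst) not in VLAN10:
        return "forwarded"
    return "forwarded as return traffic" if (dst, src) in sessions else "denied by inspection"

def ping(src, dst, forward, sessions=None):
    """Echo request, then (if it got through) the echo reply the target sends."""
    out = [forward(src, dst, sessions)]
    if out[0].startswith("forwarded"):
        out.append(forward(dst, src, sessions))
    return out
```

In the stateful model a recorded session never expires, so a VLAN 20 host could reuse an old VLAN 10 flow; a real inspection engine ages entries out.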
Yes, your logic is incorrect.
The regular ACL could not fit your requirement.
You have to use the IOS firewall feature to realize this.
Here is an example.
I don't have rights to your link
Here is another one
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094e8b.shtml
I hope it helps.
PK