ACL in 2600 Router

dkblee
Level 1

hi!

Can anyone help to check why my access lists are not functioning when I try to apply both access-lists listed below (fa0/0 and fa0/0.3), whereas if I just apply the access-list on interface fa0/0 inbound (as configured below) it functions well? The 10.71.9.88 and 10.71.9.93 hosts are able to access the .10 subnet and the two .12 hosts. All other .9 hosts are not able to access any other subnet except those two .12 hosts.

The problem came when I tried to apply the access-list listed below on fa0/0.3. It causes the access-list on fa0/0 to stop functioning as well. Can anyone please check on that and correct me? Thanks!

Requirements

=============

1) The .9 subnet is able to access only 10.71.12.65 and 10.71.12.68, except hosts .9.93 and .9.88, which can access the .10 and .11 subnets.

2) The .10 VLAN can only access 10.71.12.66 and 10.71.12.68. It is restricted from accessing .9, .11 and all other subnets.

fa0/0 - .9 VLAN inbound

=========================

access-list 111 permit ip 10.71.9.0 0.0.0.255 host 10.71.12.65

access-list 111 permit ip 10.71.9.0 0.0.0.255 host 10.71.12.68

access-list 111 permit ip host 10.71.9.93 10.71.10.0 0.0.0.255

access-list 111 permit ip host 10.71.9.88 10.71.10.0 0.0.0.255

access-list 111 deny ip any any

fa0/0.3 - .10 VLAN inbound

===========================

access-list 112 permit ip 10.71.10.0 0.0.0.255 host 10.71.12.66

access-list 112 permit ip 10.71.10.0 0.0.0.255 host 10.71.12.68

access-list 112 deny ip any any

5 Replies

thisisshanky
Level 11

I guess this was discussed previously in another post of yours. Can you paste your show run as well?

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

hi! Below is the sh run output. I just replaced access-list 12 with

===================================================

access-list 111 permit ip host 10.71.9.93 any

access-list 111 permit ip host 10.71.9.130 any

access-list 111 permit ip 10.71.9.0 0.0.0.255 host 10.71.12.65

access-list 111 permit ip 10.71.9.0 0.0.0.255 host 10.71.12.64

access-list 111 permit ip 10.71.9.0 0.0.0.255 host 10.71.12.68

access-list 111 permit ip 10.71.9.0 0.0.0.255 host 10.71.12.69

access-list 111 permit ip 10.71.9.0 0.0.0.255 host 10.71.12.70

====================================================

and replaced access-list 10 with the following

==================================================

access-list 113 permit ip 10.71.10.0 0.0.0.255 host 10.71.12.66

access-list 113 permit ip 10.71.10.0 0.0.0.255 host 10.71.12.68

access-list 113 permit ip 10.71.10.0 0.0.0.255 host 10.71.12.64

access-list 113 permit ip 10.71.10.0 0.0.0.255 host 10.71.12.65

access-list 113 permit ip 10.71.10.0 0.0.0.255 host 10.71.12.70

===================================================

version 12.1

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname OI-Router-1

!

enable secret xxxx

!

!

!

!

!

ip subnet-zero

no ip domain-lookup

!

!

!

!

!

!

interface FastEthernet0/0

description 6th Serangoon North Office VLAN

ip address 10.71.9.254 255.255.255.0

ip access-group 12 out

duplex auto

speed auto

!

interface FastEthernet0/0.1

description Molding VLAN

encapsulation dot1Q 500

ip address 10.71.18.254 255.255.255.0

!

interface FastEthernet0/0.2

description North Management VLAN

encapsulation dot1Q 1

ip address 10.71.8.254 255.255.255.0

!

interface FastEthernet0/0.3

description North Europa Production VLAN

encapsulation dot1Q 200

ip address 10.71.10.254 255.255.255.0

ip access-group 10 out

!

interface FastEthernet0/0.4

description DHOG & Mirage Production VLAN

encapsulation dot1Q 300

ip address 10.71.11.254 255.255.255.0

ip access-group 11 out

!

interface FastEthernet0/0.5

description Serangoon North VLAN

encapsulation dot1Q 400

ip address 10.71.12.254 255.255.255.0

!

interface FastEthernet0/1

description Loacation - 6th Serangoon : Interface to OI-Router-2 fa0/0

ip address 10.71.15.1 255.255.255.0

duplex auto

speed auto

!

router rip

network 10.0.0.0

!

ip classless

ip route 128.88.56.121 255.255.255.128 128.88.56.129

ip route 128.88.56.121 255.255.255.128 10.71.22.253

ip http server

!

access-list 10 deny 10.71.12.67

access-list 10 permit 10.71.9.93

access-list 10 permit 10.71.9.88

access-list 10 deny 10.71.11.0 0.0.0.255

access-list 10 deny 10.71.9.0 0.0.0.255

access-list 10 permit any

access-list 11 deny 10.71.12.66

access-list 11 permit 10.71.9.93

access-list 11 permit 10.71.9.88

access-list 11 deny 10.71.10.0 0.0.0.255

access-list 11 deny 10.71.9.0 0.0.0.255

access-list 11 permit any

access-list 12 deny 10.71.12.67

access-list 12 deny 10.71.12.66

access-list 12 deny 10.71.10.0 0.0.0.255

access-list 12 deny 10.71.11.0 0.0.0.255

access-list 12 permit any

banner login ^C OI-Router-1 ^C

banner motd ^C You have entered a secured system. Authorised access only!!! ^C
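The following script is an added example, not code from the thread or from Cisco. It parses the numbered access lists quoted above (extended lists 111 and 112 from the first post, with the stray trailing dot in the second line of 112 corrected so it parses, and standard list 10 from the show run) and evaluates them the way IOS does: entries are tried top to bottom, the first match wins, anything unmatched hits the implicit deny at the end, wildcard-mask bits set to 1 are ignored, and a standard (1-99) list looks only at the source address. Test hosts such as 10.71.9.10 and 10.71.10.20 are constructed for the example; the expected verdicts in REQUIREMENTS are read off the two requirements stated in the first post. Run against the lists as quoted, the check flags one gap: requirement 1 says .9.93 and .9.88 may reach the .10 and .11 subnets, but list 111 has entries for those hosts towards 10.71.10.0/24 only.

```python
"""Check the numbered ACLs quoted in this thread against the stated requirements.

Added example, not code from the thread. It models IOS access-list semantics for
plain 'ip' entries: first match wins, unmatched traffic hits the implicit deny.
Standard lists (1-99) match source only; extended lists (100-199) match source
and destination. Ports, protocols and interface placement are not modelled.
"""
import ipaddress
from collections import namedtuple

# Lists as quoted in the thread (the stray trailing dot in the second line of
# list 112, "10.71.10.0.", is corrected here so that it parses).
ACL_TEXT = """
access-list 111 permit ip 10.71.9.0 0.0.0.255 host 10.71.12.65
access-list 111 permit ip 10.71.9.0 0.0.0.255 host 10.71.12.68
access-list 111 permit ip host 10.71.9.93 10.71.10.0 0.0.0.255
access-list 111 permit ip host 10.71.9.88 10.71.10.0 0.0.0.255
access-list 111 deny ip any any
access-list 112 permit ip 10.71.10.0 0.0.0.255 host 10.71.12.66
access-list 112 permit ip 10.71.10.0 0.0.0.255 host 10.71.12.68
access-list 112 deny ip any any
access-list 10 deny 10.71.12.67
access-list 10 permit 10.71.9.93
access-list 10 permit 10.71.9.88
access-list 10 deny 10.71.11.0 0.0.0.255
access-list 10 deny 10.71.9.0 0.0.0.255
access-list 10 permit any
"""

ANY = 0xFFFFFFFF  # wildcard with every bit set: matches any address
# wildcard semantics: a 0 bit must match exactly, a 1 bit is ignored
Entry = namedtuple("Entry", "action src src_wild dst dst_wild")


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _parse_addr(t, i):
    """Parse the address spec at t[i]: 'any', 'host A', 'A WILDCARD' or bare 'A'."""
    if t[i] == "any":
        return 0, ANY, i + 1
    if t[i] == "host":
        return _ip(t[i + 1]), 0, i + 2
    try:  # 'A WILDCARD' if the next token is an address, else bare 'A' (wildcard 0.0.0.0)
        return _ip(t[i]), _ip(t[i + 1]), i + 2
    except (IndexError, ValueError):
        return _ip(t[i]), 0, i + 1


def parse_acls(text):
    """Return {number: [Entry, ...]} in configured order; other lines are ignored."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        num, action = int(t[1]), t[2]
        if 100 <= num <= 199:
            if t[3] != "ip":
                raise ValueError("only 'ip' entries are modelled: " + line)
            src, sw, i = _parse_addr(t, 4)
            dst, dw, _ = _parse_addr(t, i)
        else:  # standard list: the destination is never examined
            src, sw, _ = _parse_addr(t, 3)
            dst, dw = 0, ANY
        acls.setdefault(num, []).append(Entry(action, src, sw, dst, dw))
    return acls


def evaluate(entries, src, dst):
    """First-match evaluation, ending in the implicit 'deny' every IOS ACL has."""
    s, d = _ip(src), _ip(dst)
    for e in entries:
        if ((s ^ e.src) & (ANY ^ e.src_wild)) == 0 and ((d ^ e.dst) & (ANY ^ e.dst_wild)) == 0:
            return e.action
    return "deny"


# (list, source, destination, expected) from the two requirements; test hosts are constructed
REQUIREMENTS = [
    (111, "10.71.9.10", "10.71.12.65", "permit"),  # any .9 host -> .12.65
    (111, "10.71.9.10", "10.71.12.66", "deny"),    # .9 may not reach other .12 hosts
    (111, "10.71.9.10", "10.71.10.20", "deny"),    # ordinary .9 host -> .10 subnet
    (111, "10.71.9.93", "10.71.10.20", "permit"),  # .9.93 -> .10 subnet
    (111, "10.71.9.93", "10.71.11.20", "permit"),  # requirement 1 also allows .11
    (112, "10.71.10.20", "10.71.12.66", "permit"),
    (112, "10.71.10.20", "10.71.12.65", "deny"),
    (112, "10.71.10.20", "10.71.9.10", "deny"),
]


def check(acls, cases=REQUIREMENTS):
    """Return [(case, actual_verdict)] for every case the lists get wrong."""
    bad = []
    for num, src, dst, expected in cases:
        got = evaluate(acls[num], src, dst)
        if got != expected:
            bad.append(((num, src, dst, expected), got))
    return bad


if __name__ == "__main__":
    for case, got in check(parse_acls(ACL_TEXT)):
        print("MISMATCH", case, "->", got)
```

The model is deliberately narrow: it tells you what a given list permits or denies for a source/destination pair, which is the part of an ACL problem that can be reasoned about from the text alone. It says nothing about where a list is applied or in which direction, so the question the thread is actually asking (why a list on the physical fa0/0 and one on the dot1q subinterface fa0/0.3 interact badly) has to be settled on the router, for instance with `show ip access-lists` to see which entries are accumulating matches.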

The fact that you're sub-interfacing and have an address on the physical interface itself doesn't seem right to me...

I believe, and I could be wrong, that you shouldn't have an IP address on fa0/0 if you're sub-interfacing... If you were to move that segment from fa0/0 to something like fa0/0.5 and try adding the access list again, it may work... Right now you're not tagging that segment (10.71.9.254/24) with dot1q info.

I'd be curious to see if this fixes your problem...

-DP

hi!

I've tested on 2 of the interfaces other than fa0/0; it works fine for the statements where the source IP is a range of IPs, e.g. 10.71.10.0 0.0.0.255, but when I try putting in only one host for the source, that source statement doesn't work.

any idea?

hi!

Can anyone here help to solve my problem above? Thanks in advance.