07-13-2006 09:07 AM - edited 03-03-2019 04:03 AM
Hi!
I have 2 subinterfaces configured with dot1q, each using an extended ACL (both inbound). What I'm trying to achieve here is that a host on subinterface A (10.1.9.X subnet) is able to access a host on subinterface B (10.1.10.X subnet), but not from 10.1.10.x to 10.1.9.x.
I've tried the following ACLs on one of the hosts:
access-list 111 permit ip host 10.1.9.100 any (Applied inbound on subinterface A)
access-list 112 permit tcp host 10.1.10.100 10.71.9.100 established (Applied inbound on subinterface b)
Once the 112 config is applied on subinterface B, I noticed that I can't ping from either subnet. Any idea how to achieve what I required above?
Another question is, what's the difference between "Request Time Out" and "Reply from 10.x.x.x, Destination host unreachable"? Thanks.
07-13-2006 09:48 AM
try the following ACL(s):
access-list 111 permit ip host 10.1.9.100 host 10.1.10.100 established
access-list 111 permit ip host 10.1.9.100 any (apply this inbound to INT-A)
this should allow 10.1.9.100 to make IP connections to 10.1.10.100 as well as allow 10.1.10.100 to send packets back to 10.1.9.100 for established TCP sessions only (while still allowing all other subnets to establish connections with 10.1.9.100).
also, Request Timed Out means the router attempted to forward the packet and got no response/ack.
Reply from x.x.x.x: Destination Unreachable means that the router received an ICMP message when it forwarded the packet. This ICMP message was sent back to the forwarding router, from the last-hop router that received the packet, to state that the destination network/host does not exist in its routing table, so it did not know where to forward the packet and had to drop it.
07-13-2006 10:34 AM
Hi! I haven't had the chance to try that out. Would the "established" command work on IP, or just TCP? Is the command given above the normal way to achieve this one-way initiation only requirement?
For the "request time out" and "reply from x.x.x.x Destination unreachable", which would be a better way of filtering traffic? e.g. if the message "reply from x.x.x.x: Destination Unreachable" is from that subnet's gateway?
Thanks.
07-14-2006 03:03 AM
'established' is for a TCP session, as TCP is connection oriented. (The session is therefore established if the packet has the ACK, PSH, RST, SYN, FIN or URG bits set.)
you requested a one-way restriction, so this will provide a one-way restriction.
(also, you can use "access-list 111 deny ip host 10.1.9.100 host 10.1.10.100" after the first entry; I think I forgot that)
for your last question, yes, filter as close to the source as possible. (this prevents other parts of the network from allocating resources for packets that are only going to get dropped further out)
if you send out a packet and are getting a destUnreachable from 4 hops away, and you know that you cannot get that destination to respond, and you would like to keep the 3 previous hops from having to process packets that will be dropped, yes, filter at your router(1st hop), closest to the source. (does this make sense?)
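Added example, not part of this thread or of any Cisco code: a small Python model of how an IOS extended ACL evaluates the two inbound ACLs discussed above (first match wins, implicit deny at the end), using the IOS documented meaning of `established` (the packet is TCP and has the ACK or RST bit set). It assumes the intended destination in ACL 112 is host 10.1.9.100 and, going beyond the thread, adds a constructed `echo-reply` entry to show what the one-way design needs for a ping from the 10.1.9.x side to get its reply back while still blocking pings started from 10.1.10.x. Packet and ACE classes, the scenario names and the addresses are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed packet model: just the header fields an extended ACL looks at.
@dataclass
class Packet:
    proto: str                              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    tcp_flags: frozenset = frozenset()      # e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}
    icmp_type: Optional[str] = None         # e.g. "echo", "echo-reply"

# One access-list entry (ACE). "ip" as proto matches any protocol.
@dataclass
class Ace:
    action: str                             # "permit" or "deny"
    proto: str                              # "ip", "tcp", "udp" or "icmp"
    src: str                                # "any", "host A.B.C.D" or "A.B.C.D/len"
    dst: str
    established: bool = False               # only meaningful with proto "tcp"
    icmp_type: Optional[str] = None         # only meaningful with proto "icmp"

def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip_address(addr) == ip_address(spec.split()[1])
    return ip_address(addr) in ip_network(spec, strict=False)

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (_addr_match(ace.src, pkt.src) and _addr_match(ace.dst, pkt.dst)):
        return False
    if ace.established:
        # IOS semantics: 'established' matches a TCP segment with ACK or RST set,
        # i.e. a reply inside a session, never the initial SYN, and never ICMP.
        if pkt.proto != "tcp":
            return False
        return bool(pkt.tcp_flags & {"ACK", "RST"})
    if ace.icmp_type is not None and pkt.icmp_type != ace.icmp_type:
        return False
    return True

def evaluate(acl: list, pkt: Packet) -> str:
    """First matching entry decides; an extended ACL ends with an implicit deny ip any any."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"

# The thread's ACLs. 112's destination is assumed to be 10.1.9.100 (the post shows 10.71.9.100).
ACL_111_IN_A = [Ace("permit", "ip", "host 10.1.9.100", "any")]
ACL_112_IN_B = [Ace("permit", "tcp", "host 10.1.10.100", "host 10.1.9.100", established=True)]
# Constructed addition (not from the thread): let echo replies back to A, but not new echos from B.
ACL_112_IN_B_PLUS_ECHO_REPLY = ACL_112_IN_B + [
    Ace("permit", "icmp", "host 10.1.10.100", "host 10.1.9.100", icmp_type="echo-reply")
]

def thread_scenarios() -> dict:
    """Run the packets a one-way TCP session and a ping in each direction would produce."""
    a, b = "10.1.9.100", "10.1.10.100"
    syn, synack = frozenset({"SYN"}), frozenset({"SYN", "ACK"})
    return {
        # TCP started from A: SYN enters on A, SYN-ACK comes back in on B.
        "tcp_syn_A_to_B":        evaluate(ACL_111_IN_A, Packet("tcp", a, b, syn)),
        "tcp_synack_B_to_A":     evaluate(ACL_112_IN_B, Packet("tcp", b, a, synack)),
        # TCP started from B: the SYN has no ACK bit, so 'established' never matches.
        "tcp_syn_B_to_A":        evaluate(ACL_112_IN_B, Packet("tcp", b, a, syn)),
        # Ping from A: the echo leaves fine, but the echo-reply is ICMP and is dropped on B.
        "icmp_echo_A_to_B":      evaluate(ACL_111_IN_A, Packet("icmp", a, b, icmp_type="echo")),
        "icmp_reply_B_to_A":     evaluate(ACL_112_IN_B, Packet("icmp", b, a, icmp_type="echo-reply")),
        # Ping from B: the echo itself is dropped on B, as the one-way design intends.
        "icmp_echo_B_to_A":      evaluate(ACL_112_IN_B, Packet("icmp", b, a, icmp_type="echo")),
        # With the extra echo-reply entry, ping from A works and ping from B still does not.
        "icmp_reply_B_to_A_fix": evaluate(ACL_112_IN_B_PLUS_ECHO_REPLY, Packet("icmp", b, a, icmp_type="echo-reply")),
        "icmp_echo_B_to_A_fix":  evaluate(ACL_112_IN_B_PLUS_ECHO_REPLY, Packet("icmp", b, a, icmp_type="echo")),
    }

if __name__ == "__main__":
    for name, verdict in thread_scenarios().items():
        print(f"{name:24s} {verdict}")
```

The model makes the thread's symptom visible: ACL 112 only ever permits TCP segments carrying ACK or RST, so every ICMP packet entering on subinterface B, including the echo reply to a ping from A, hits the implicit deny, which is why ping fails from both sides even though a TCP session started from A would work. Because `established` only inspects flag bits, it is a stateless approximation of "reply traffic"; a reflexive or stateful ACL is the stronger way to express "B may only answer A".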