07-21-2004 09:36 AM - edited 03-02-2019 05:13 PM
Hi!
If I'm configuring subinterfaces on my 2600 router (e.g. fa0/0.1, fa0/0.2), will there be any problem if I configure the physical interface fa0/0 with an IP and tie it to one of my VLANs? I need to verify this because I'm having a problem with the access-lists applied on these subinterfaces. In the access-list, the statement whose source includes all the clients in a subnet is functioning well, but not the one with only a single host as source. E.g.:
access-list 111 permit ip 10.71.9.0 0.0.0.255 10.71.12.65 --------- OK
access-list 111 permit ip host 10.71.9.93 10.71.10.0 --------- this statement with one host as the source is not functioning.
07-22-2004 03:17 AM
Hi,
I believe you have made 2 subinterfaces for inter-VLAN routing. If this is the case, then try putting the access-list on the respective subinterface.
Assigning the IP of the VLAN on the physical interface would not make a difference, though.
07-22-2004 07:39 AM
I've tried that; the single-host (source) statement is not functioning. Any idea what the most probable reason might be?
07-25-2004 08:43 AM
Hi! Can anyone help with that?
Thanks!
07-25-2004 11:55 AM
Please show your interface and subinterface configs.
07-25-2004 10:51 PM
Hi!
Below are 2 of the interfaces. The access-lists used here are the existing standard access-lists, with which I'm having the same problem as with the extended access-list. The single-host (source) statement is not functioning, whereas the statements with wildcard masks are functioning well.
OI-Router-1#sh ip int fa0/0.3
FastEthernet0/0.3 is up, line protocol is up
Internet address is 10.71.10.254/24
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.9
Outgoing access list is 10
Inbound access list is not set
Proxy ARP is enabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is enabled
IP Flow switching is disabled
IP Feature Fast switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Probe proxy name replies are disabled
Policy routing is disabled
Network address translation is disabled
WCCP Redirect outbound is disabled
WCCP Redirect exclude is disabled
BGP Policy Mapping is disabled
OI-Router-1#sh ip int fa0/0
FastEthernet0/0 is up, line protocol is up
Internet address is 10.71.9.254/24
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.9
Outgoing access list is 12
Inbound access list is not set
Proxy ARP is enabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP Feature Fast switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Probe proxy name replies are disabled
Policy routing is disabled
Network address translation is disabled
WCCP Redirect outbound is disabled
WCCP Redirect exclude is disabled
BGP Policy Mapping is disabled
07-27-2004 09:55 PM
Hi! Can anyone help?
08-03-2004 02:45 AM
Hi! Can anyone help solve my problem with the single-host (source) access-list statement?
08-03-2004 02:53 AM
I have gone through the entire history and I think you are not describing your problem very clearly. What are you trying to achieve with the host statement? Kindly post the exact access-list you are configuring and also what you expect it to do. Also post your running-config if you can.
08-04-2004 02:32 AM
I want the host 10.71.9.93 to be able to access all the subnets, and I'm trying to replace the standard access-lists with extended access-lists. All the statements are working fine except "access-list 111 permit ip host 10.71.9.93 any", and the same goes for the existing access-list. Another question: is it OK to have a VLAN and IP on the physical interface fa0/0 when I have other subinterfaces? In the existing config there is no encapsulation on the physical interface, so I did add one, but it is not functioning either. Below are samples for 2 of the VLANs (I'm intending to replace all the existing access-lists with extended access-lists; here I'll show you only 2, as I believe the others follow the same concept) that I intend to use in place of the existing standard access-lists, which you can see in my sh run.
fa0/0 - .9 VLAN Inbound office subnet
------------------------------------------------
access-list 111 permit ip host 10.71.9.93 any
access-list 111 permit ip 10.71.9.0 0.0.0.255 host 10.71.12.65
access-list 111 permit ip 10.71.9.0 0.0.0.255 host 10.71.12.64
access-list 111 permit ip 10.71.9.0 0.0.0.255 host 10.71.12.68
access-list 111 permit ip 10.71.9.0 0.0.0.255 host 10.71.12.69
access-list 111 permit ip 10.71.9.0 0.0.0.255 host 10.71.12.70
fa0/0.3 .10 VLAN Inbound Production subnet
---------------------------------------------
access-list 113 permit ip 10.71.10.0 0.0.0.255 host 10.71.12.66
access-list 113 permit ip 10.71.10.0 0.0.0.255 host 10.71.12.68
access-list 113 permit ip 10.71.10.0 0.0.0.255 host 10.71.12.64
access-list 113 permit ip 10.71.10.0 0.0.0.255 host 10.71.12.65
access-list 113 permit ip 10.71.10.0 0.0.0.255 host 10.71.12.70
SH RUN
======
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router-1
!
enable secret 5 $1$FJJP$1111111112323
enable password cisco
!
!
!
!
!
ip subnet-zero
no ip domain-lookup
!
!
!
!
!
!
interface FastEthernet0/0
description Office VLAN
ip address 10.71.9.254 255.255.255.0
ip access-group 12 out
duplex auto
speed auto
!
interface FastEthernet0/0.1
description Molding VLAN
encapsulation dot1Q 500
ip address 10.71.18.254 255.255.255.0
!
interface FastEthernet0/0.2
description Management VLAN
encapsulation dot1Q 1
ip address 10.71.8.254 255.255.255.0
!
interface FastEthernet0/0.3
description Production VLAN
encapsulation dot1Q 200
ip address 10.71.10.254 255.255.255.0
ip access-group 10 out
!
interface FastEthernet0/0.4
description Production VLAN
encapsulation dot1Q 300
ip address 10.71.11.254 255.255.255.0
ip access-group 11 out
!
interface FastEthernet0/0.5
description Prod VLAN
encapsulation dot1Q 400
ip address 10.71.12.254 255.255.255.0
!
interface FastEthernet0/1
description Interface to Router-2 fa0/0
ip address 10.71.15.1 255.255.255.0
duplex auto
speed auto
!
router rip
network 10.0.0.0
!
ip classless
ip route 128.88.55.128 255.255.255.128 128.88.55.129
ip route 128.88.55.128 255.255.255.128 10.71.12.253
ip route 128.88.81.240 255.255.255.248 128.88.88.89
ip route 128.88.81.240 255.255.255.248 10.71.12.253
ip http server
!
access-list 10 deny 10.71.12.67
access-list 10 permit 10.71.9.93
access-list 10 permit 10.71.9.88
access-list 10 deny 10.71.11.0 0.0.0.255
access-list 10 deny 10.71.9.0 0.0.0.255
access-list 10 permit any
access-list 11 deny 10.71.12.66
access-list 11 permit 10.71.9.93
access-list 11 permit 10.71.9.88
access-list 11 deny 10.71.10.0 0.0.0.255
access-list 11 deny 10.71.9.0 0.0.0.255
access-list 11 permit any
access-list 12 deny 10.71.12.67
access-list 12 deny 10.71.12.66
access-list 12 deny 10.71.10.0 0.0.0.255
access-list 12 deny 10.71.11.0 0.0.0.255
access-list 12 permit any
08-04-2004 08:02 AM
What subnet did you try to access from 10.71.9.93 that did not work? Are you no return access-list is preventing the communication that is supposedly not working?
I would recommend that you do not put an IP address on the main interface, and instead create another subinterface with the appropriate 802.1Q tag to handle that traffic.
08-04-2004 09:36 AM
Hi!
I can only access the .9 VLAN, which is its own VLAN; the rest of the VLANs are not accessible from 10.71.9.93.
I've tried removing the IP and the office VLAN from the main interface. I then created another subinterface and encapsulated it with dot1Q for the office VLAN. After doing this, none of the .9 hosts are able to access or ping other subnets at all.
Any idea what's wrong with it?
08-04-2004 09:42 AM
Hi! Sorry, I don't understand what you meant by
"Are you no return access-list is preventing the communication that is supposedly not working? "
08-04-2004 09:54 AM
I missed the word 'sure', so what I meant was "Are you sure no return access-list is preventing the communication that is supposedly not working?" What I was referring to was that there may be another access-list on the destination subnet interface that you are trying to access that is causing this issue.
As for your hosts on the .9 subnet not being able to ping any other subnets, I think that is probably because of a configuration error on your trunk to the router. What VLAN are these hosts defined in? Have you configured the appropriate 802.1Q tag on your subinterface to allow routing for this VLAN?
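The "return access-list" point in the reply above can be checked against the configuration posted earlier in the thread. The Python below is an added example, not code from the thread or from Cisco: it evaluates numbered IOS access-lists the way the router does (standard lists match the source only, extended `ip` lists match source and destination, first matching line wins, implicit deny at the end) and maps each destination subnet to the egress subinterface and its outbound access-group from the posted `sh run`. The access-list lines are copied from the thread; the subnet-to-interface table and the sample flows are constructed here. Run against the posted lists, it shows that a packet from 10.71.9.93 into 10.71.11.0/24 is permitted outbound by access-list 11 on fa0/0.4, but the reply is dropped by access-list 12 on fa0/0, which denies anything sourced from 10.71.11.0/24 before reaching its `permit any`, so a ping from 10.71.9.93 cannot succeed even though the forward direction is allowed.

```python
"""Evaluate IOS numbered ACLs (standard and extended 'ip') against sample flows.

Added example: the ACL text is copied from the thread; the interface table and
the flows are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Match = Tuple[int, int]  # (address, wildcard) as 32-bit integers

# Copied from the 'sh run' and the extended list posted in the thread.
POSTED_ACLS = """
access-list 10 deny 10.71.12.67
access-list 10 permit 10.71.9.93
access-list 10 permit 10.71.9.88
access-list 10 deny 10.71.11.0 0.0.0.255
access-list 10 deny 10.71.9.0 0.0.0.255
access-list 10 permit any
access-list 11 deny 10.71.12.66
access-list 11 permit 10.71.9.93
access-list 11 permit 10.71.9.88
access-list 11 deny 10.71.10.0 0.0.0.255
access-list 11 deny 10.71.9.0 0.0.0.255
access-list 11 permit any
access-list 12 deny 10.71.12.67
access-list 12 deny 10.71.12.66
access-list 12 deny 10.71.10.0 0.0.0.255
access-list 12 deny 10.71.11.0 0.0.0.255
access-list 12 permit any
access-list 111 permit ip host 10.71.9.93 any
access-list 111 permit ip 10.71.9.0 0.0.0.255 host 10.71.12.65
access-list 111 permit ip 10.71.9.0 0.0.0.255 host 10.71.12.64
"""

# Constructed from the posted interface addresses: connected subnet -> interface,
# and the 'ip access-group N out' applied on each interface (others have none).
SUBNET_IFACE = {
    "10.71.9.0/24": "fa0/0", "10.71.18.0/24": "fa0/0.1", "10.71.8.0/24": "fa0/0.2",
    "10.71.10.0/24": "fa0/0.3", "10.71.11.0/24": "fa0/0.4", "10.71.12.0/24": "fa0/0.5",
}
OUTBOUND_ACL = {"fa0/0": 12, "fa0/0.3": 10, "fa0/0.4": 11}


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: Match
    dst: Optional[Match]   # None for a standard ACL (source-only match)


def _addr(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_match(tokens: List[str]) -> Match:
    """Consume one address spec: 'any' | 'host A' | 'A W' | bare 'A' (wildcard 0)."""
    tok = tokens.pop(0)
    if tok == "any":
        return (0, 0xFFFFFFFF)
    if tok == "host":
        return (_addr(tokens.pop(0)), 0)
    addr = _addr(tok)
    if tokens and tokens[0][0].isdigit():   # a wildcard mask follows
        return (addr, _addr(tokens.pop(0)))
    return (addr, 0)                        # standard-ACL bare address = exact host


def parse_acl(text: str) -> Dict[int, List[Rule]]:
    """Build {acl_number: [Rule, ...]} from 'access-list N permit|deny ...' lines."""
    acls: Dict[int, List[Rule]] = {}
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue
        number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
        if number <= 99:                    # standard list: source only
            rule = Rule(action, _parse_match(rest), None)
        else:                               # extended list: protocol src dst
            if rest.pop(0) != "ip":
                raise ValueError("only 'ip' rules are modelled: " + line)
            rule = Rule(action, _parse_match(rest), _parse_match(rest))
        acls.setdefault(number, []).append(rule)
    return acls


def _matches(spec: Match, address: int) -> bool:
    addr, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF           # wildcard bit set = don't care
    return (addr & care) == (address & care)


def evaluate(rules: List[Rule], src: str, dst: str) -> str:
    """First matching line wins; no match means the implicit 'deny' at the end."""
    s, d = _addr(src), _addr(dst)
    for r in rules:
        if _matches(r.src, s) and (r.dst is None or _matches(r.dst, d)):
            return r.action
    return "deny"


def egress_interface(dst: str) -> str:
    d = ipaddress.IPv4Address(dst)
    for net, iface in SUBNET_IFACE.items():
        if d in ipaddress.IPv4Network(net):
            return iface
    raise ValueError("no connected subnet for " + dst)


def forwarded(acls: Dict[int, List[Rule]], src: str, dst: str) -> bool:
    """Is src->dst permitted by the outbound ACL on the interface it leaves through?"""
    number = OUTBOUND_ACL.get(egress_interface(dst))
    if number is None:                      # no access-group applied: everything passes
        return True
    return evaluate(acls[number], src, dst) == "permit"


def round_trip(acls: Dict[int, List[Rule]], src: str, dst: str) -> Tuple[bool, bool]:
    """(request permitted, reply permitted); a ping needs both to be True."""
    return forwarded(acls, src, dst), forwarded(acls, dst, src)


if __name__ == "__main__":
    acls = parse_acl(POSTED_ACLS)
    for src, dst in [("10.71.9.93", "10.71.11.1"), ("10.71.9.93", "10.71.12.10"),
                     ("10.71.9.50", "10.71.11.1")]:
        print(src, "->", dst, "request/reply permitted:", round_trip(acls, src, dst))
```

Because a standard list matches on source address only, the outbound lists on fa0/0 decide the fate of every reply coming back to the .9 subnet regardless of which host asked; a per-host exception therefore has to exist on both the forward and the return interface, or the extended list has to be applied inbound on the source subinterface instead, where the return traffic never passes through it.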
08-27-2004 09:00 PM
These hosts are in the 10.71.9.0 subnet, which is VLAN 100. I've configured the dot1Q encapsulation on the subinterface fa0/0.6 which I just created (removing it from the physical interface).
FYI, when I tried configuring one of the .10 hosts to access any subnet, it worked!!!
FYI, I've tried removing all the access-lists on all the sub and physical interfaces; the .9 VLAN is not able to ping any of the subnets. I'm very sure that I've configured the .9 subinterface with dot1Q encapsulation. What else can I check? Please help, thanks!