Subinterface Question

dkblee
Level 1

hi!

If I'm configuring subinterfaces on my 2600 router (e.g. fa0/0.1, fa0/0.2), will there be any problem if on the physical interface fa0/0 I configure an IP and tie it to one of my VLANs? I need to verify this because I'm having a problem with the access-list applied on these subinterfaces. In the access list, the source that includes all the clients in a subnet is functioning well, but not the source with only a single host, e.g.

access-list 111 permit ip 10.71.9.0 0.0.0.255 10.71.12.65 --------- OK
access-list 111 permit ip host 10.71.9.93 10.71.10.0 ------------ this statement with one host as a source is not functioning.

21 Replies

switchit
Level 1

Hi,

I believe you have made 2 sub-interfaces for inter-VLAN routing. If this is the case, then try putting the access list on the respective sub-int.

Assigning the IP of the VLAN on the physical int. would not make a difference though.

I've tried that; the single host (source) statement is not functioning. Any idea what might be the most probable reason?

hi! Can anyone help on that?

Thanks!

Please show your interface and sub-interface configs.

hi!

Below are 2 of the interfaces. The access-lists used here are the existing standard access-lists; I'm having the same problem with the extended access-list. The single host (source) statement is not functioning, whereas the statements with wildcard masks are functioning well.

OI-Router-1#sh ip int fa0/0.3
FastEthernet0/0.3 is up, line protocol is up
  Internet address is 10.71.10.254/24
  Broadcast address is 255.255.255.255
  Address determined by non-volatile memory
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Multicast reserved groups joined: 224.0.0.9
  Outgoing access list is 10
  Inbound access list is not set
  Proxy ARP is enabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is enabled
  IP Flow switching is disabled
  IP Feature Fast switching turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Probe proxy name replies are disabled
  Policy routing is disabled
  Network address translation is disabled
  WCCP Redirect outbound is disabled
  WCCP Redirect exclude is disabled
  BGP Policy Mapping is disabled

OI-Router-1#sh ip int fa0/0
FastEthernet0/0 is up, line protocol is up
  Internet address is 10.71.9.254/24
  Broadcast address is 255.255.255.255
  Address determined by non-volatile memory
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Multicast reserved groups joined: 224.0.0.9
  Outgoing access list is 12
  Inbound access list is not set
  Proxy ARP is enabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP Feature Fast switching turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Probe proxy name replies are disabled
  Policy routing is disabled
  Network address translation is disabled
  WCCP Redirect outbound is disabled
  WCCP Redirect exclude is disabled
  BGP Policy Mapping is disabled

hi! Can anyone help?

hi! Can anyone help solve my problem with the single host (source) access-list statement?

I have gone through the entire history and I think you are not describing your problem very clearly. What are you trying to achieve with the host statement? Kindly post the exact access-list you are configuring and also what you expect it to do. Also post your running-config if you can.

I wanted the host 10.71.9.93 to be able to access all the subnets, and I'm trying to replace the standard access-list with an extended access-list. All the statements are working fine except "access-list 111 permit ip host 10.71.9.93 any", and the same goes for the existing access-list. Another question: is it OK to have a VLAN and an IP on the physical interface fa0/0 when I've got other subinterfaces? In the existing config there's no encapsulation on the physical interface, so I did add one, but it's not functioning either. Below are samples for 2 of the VLANs that I intend to use to replace the existing standard access-lists, which you can see in my sh run (I'm intending to replace all the existing access-lists with extended access-lists; here I'll show you only 2, which I believe covers the same concept for the others).

fa0/0 - .9 VLAN Inbound office subnet
------------------------------------------------
access-list 111 permit ip host 10.71.9.93 any
access-list 111 permit ip 10.71.9.0 0.0.0.255 host 10.71.12.65
access-list 111 permit ip 10.71.9.0 0.0.0.255 host 10.71.12.64
access-list 111 permit ip 10.71.9.0 0.0.0.255 host 10.71.12.68
access-list 111 permit ip 10.71.9.0 0.0.0.255 host 10.71.12.69
access-list 111 permit ip 10.71.9.0 0.0.0.255 host 10.71.12.70

fa0/0.3 .10 VLAN Inbound Production subnet
---------------------------------------------
access-list 113 permit ip 10.71.10.0 0.0.0.255 host 10.71.12.66
access-list 113 permit ip 10.71.10.0 0.0.0.255 host 10.71.12.68
access-list 113 permit ip 10.71.10.0 0.0.0.255 host 10.71.12.64
access-list 113 permit ip 10.71.10.0 0.0.0.255 host 10.71.12.65
access-list 113 permit ip 10.71.10.0 0.0.0.255 host 10.71.12.70

SH RUN
======
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router-1
!
enable secret 5 $1$FJJP$1111111112323
enable password cisco
!
!
!
!
!
ip subnet-zero
no ip domain-lookup
!
!
!
!
!
!
interface FastEthernet0/0
 description Office VLAN
 ip address 10.71.9.254 255.255.255.0
 ip access-group 12 out
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 description Molding VLAN
 encapsulation dot1Q 500
 ip address 10.71.18.254 255.255.255.0
!
interface FastEthernet0/0.2
 description Management VLAN
 encapsulation dot1Q 1
 ip address 10.71.8.254 255.255.255.0
!
interface FastEthernet0/0.3
 description Production VLAN
 encapsulation dot1Q 200
 ip address 10.71.10.254 255.255.255.0
 ip access-group 10 out
!
interface FastEthernet0/0.4
 description Production VLAN
 encapsulation dot1Q 300
 ip address 10.71.11.254 255.255.255.0
 ip access-group 11 out
!
interface FastEthernet0/0.5
 description Prod VLAN
 encapsulation dot1Q 400
 ip address 10.71.12.254 255.255.255.0
!
interface FastEthernet0/1
 description Interface to Router-2 fa0/0
 ip address 10.71.15.1 255.255.255.0
 duplex auto
 speed auto
!
router rip
 network 10.0.0.0
!
ip classless
ip route 128.88.55.128 255.255.255.128 128.88.55.129
ip route 128.88.55.128 255.255.255.128 10.71.12.253
ip route 128.88.81.240 255.255.255.248 128.88.88.89
ip route 128.88.81.240 255.255.255.248 10.71.12.253
ip http server
!
access-list 10 deny 10.71.12.67
access-list 10 permit 10.71.9.93
access-list 10 permit 10.71.9.88
access-list 10 deny 10.71.11.0 0.0.0.255
access-list 10 deny 10.71.9.0 0.0.0.255
access-list 10 permit any
access-list 11 deny 10.71.12.66
access-list 11 permit 10.71.9.93
access-list 11 permit 10.71.9.88
access-list 11 deny 10.71.10.0 0.0.0.255
access-list 11 deny 10.71.9.0 0.0.0.255
access-list 11 permit any
access-list 12 deny 10.71.12.67
access-list 12 deny 10.71.12.66
access-list 12 deny 10.71.10.0 0.0.0.255
access-list 12 deny 10.71.11.0 0.0.0.255
access-list 12 permit any
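Added example (not from the thread or from any poster): a small Python evaluator for numbered IOS access-lists like the ones posted above, so the policy can be checked offline for a given source/destination pair. It models first-match ordering, wildcard masks (1 bits = don't care) and the implicit deny at the end of every list; it assumes the standard numbered ranges (1-99, 1300-1999 standard; 100-199, 2000-2699 extended), ignores protocol and port matching, and the embedded list text is a constructed excerpt of ACL 10 and ACL 111 from the thread.

```python
import ipaddress
# Constructed excerpt of the lists posted in this thread: standard ACL 10 and extended ACL 111.
ACL_TEXT = """
access-list 10 deny 10.71.12.67
access-list 10 permit 10.71.9.93
access-list 10 permit 10.71.9.88
access-list 10 deny 10.71.11.0 0.0.0.255
access-list 10 deny 10.71.9.0 0.0.0.255
access-list 10 permit any
access-list 111 permit ip host 10.71.9.93 any
access-list 111 permit ip 10.71.9.0 0.0.0.255 host 10.71.12.65
"""

def _parse_target(tokens):
    """Consume one address spec (any | host A | A wildcard | A) -> (addr, wildcard) as ints."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    addr = int(ipaddress.IPv4Address(tok))
    # A following dotted quad is the wildcard; a bare address matches that one host only.
    wild = int(ipaddress.IPv4Address(tokens.pop(0))) if tokens and tokens[0][0].isdigit() else 0
    return addr, wild

def parse_acls(text):
    """Return {acl_number: [(action, (src, wild), (dst, wild)), ...]} in configured order."""
    acls = {}
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            continue
        number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
        if 100 <= number <= 199 or 2000 <= number <= 2699:  # extended: proto src dst
            rest.pop(0)                                      # only 'ip' entries are modelled
            src = _parse_target(rest)
            dst = _parse_target(rest)
        else:                                                # standard: source address only
            src, dst = _parse_target(rest), (0, 0xFFFFFFFF)
        acls.setdefault(number, []).append((action, src, dst))
    return acls

def evaluate(acls, number, src_ip, dst_ip):
    """First matching entry wins; no match falls through to the implicit deny at the end."""
    s, d = int(ipaddress.IPv4Address(src_ip)), int(ipaddress.IPv4Address(dst_ip))
    for action, (sa, sw), (da, dw) in acls.get(number, []):
        keep_s, keep_d = 0xFFFFFFFF ^ sw, 0xFFFFFFFF ^ dw    # bits that must match exactly
        if (s & keep_s) == (sa & keep_s) and (d & keep_d) == (da & keep_d):
            return action
    return "deny"
```

Run against the posted lists, this shows ACL 10 permitting 10.71.9.93 outbound on fa0/0.3 while denying the rest of 10.71.9.0/24, so if that host still cannot reach the .10 VLAN the ACL logic is not the cause and the trunk tagging discussed in the later replies is the next thing to check.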

What subnet did you try to access from 10.71.9.93 that did not work? Are you no return access-list is preventing the communication that is supposedly not working?

I would recommend that you do not put an IP address on the main interface and create another subinterface with the appropriate 802.1q tag to handle that traffic.

hi!

I can only access the .9 VLAN, which is its own VLAN; the rest of the VLANs are not accessible from 10.71.9.93.

I've tried removing the IP and the office VLAN from the main interface. I then created another subinterface and encapsulated it with dot1q for the office VLAN. By doing this, all the .9 hosts are not able to access or ping any other subnet at all.

Any idea what's wrong with it?

hi! Sorry, I don't understand what you meant by

"Are you no return access-list is preventing the communication that is supposedly not working? "

I missed the word 'sure', so what I meant was "Are you sure no return access-list is preventing the communication that is supposedly not working?" What I was referring to was that there may be another access-list on the destination subnet interface you are trying to access that is causing this issue.

As for your hosts on the .9 subnet not being able to ping any other subnets, I think that is probably because of a configuration error on your trunk to the router. What VLAN are these hosts defined in? Have you configured the appropriate 802.1q tag on your subinterface to allow routing for this VLAN?

These hosts are in the 10.71.9.0 subnet, which is VLAN 100. I've configured the dot1q encapsulation on the subinterface fa0/0.6 which I just created (removing it from the physical interface).

FYI, when I tried to configure one of the .10 hosts to access any subnet, it worked!!!

FYI, I've tried removing all the access-lists on all the sub and physical interfaces; the .9 VLAN is not able to ping any of the subnets. I'm very sure that I've configured the .9 subinterface with dot1q encapsulation. What else can I check? Please help, thanks!
