06-09-2022 05:15 AM - last edited on 08-15-2022 11:46 PM by Translator
I have three routers and three subnets
Central router has the following ACL
access-list 20 deny host 185.140.150.1
access-list 20 deny host 175.100.125.1
access-list 20 deny host 192.168.10.1
access-list 20 permit any
When I ping from 185.140.150.1 to 175 and 192 the ping should be blocked, but
C:\>ping 175.100.125.1
Pinging 175.100.125.1 with 32 bytes of data:
Reply from 175.100.125.1: bytes=32 time=13ms TTL=125
Reply from 175.100.125.1: bytes=32 time=16ms TTL=125
Reply from 175.100.125.1: bytes=32 time=2ms TTL=125
Reply from 175.100.125.1: bytes=32 time=2ms TTL=125
Ping statistics for 175.100.125.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 16ms, Average = 8ms
C:\>ping 192.168.10.1
Pinging 192.168.10.1 with 32 bytes of data:
Reply from 15.1.1.2: Destination host unreachable.
Reply from 15.1.1.2: Destination host unreachable.
Reply from 15.1.1.2: Destination host unreachable.
Reply from 15.1.1.2: Destination host unreachable.
When I ping from 175.100.125.1
C:\>ping 185.140.150.1
Pinging 185.140.150.1 with 32 bytes of data:
Reply from 185.140.150.1: bytes=32 time=14ms TTL=125
Reply from 185.140.150.1: bytes=32 time=14ms TTL=125
Reply from 185.140.150.1: bytes=32 time=2ms TTL=125
Reply from 185.140.150.1: bytes=32 time=2ms TTL=125
Ping statistics for 185.140.150.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 14ms, Average = 8ms
C:\>ping 192.168.10.1
Pinging 192.168.10.1 with 32 bytes of data:
Reply from 16.1.1.1: Destination host unreachable.
Reply from 16.1.1.1: Destination host unreachable.
Reply from 16.1.1.1: Destination host unreachable.
Reply from 16.1.1.1: Destination host unreachable.
Why is traffic being allowed between the 185 and 175 subnets?
06-11-2022 07:51 AM - last edited on 08-15-2022 11:58 PM by Translator
Any any
Meaning:
Any source
Any destination
There are two types of ACL:
One, the standard ACL, uses only the source <- here we use
permit any
The other, the extended ACL, uses source and destination <- here we use
permit ip any any
06-09-2022 05:24 AM - last edited on 08-15-2022 11:48 PM by Translator
Hi
You need to provide information about the interfaces and how the access-list is applied. In order to reach all those IPs, does the router use the same interface?
06-09-2022 06:13 AM
Thanks Flavio, this is the config. What I have been given here by a Cisco VIP is the deny. If I apply it to an interface, which interface, and what is the general rule about in/out?
06-09-2022 06:41 AM
Do you mind sharing the Packet Tracer file, so that it will be much easier to help?
You need to zip it before attaching.
06-09-2022 07:16 AM
It is easier for you, but it excludes a lot of other people who do not use PT, and in addition the posted solution is useless to anyone without PT.
It is better for the community if configurations and diagrams are posted.
Jon
06-09-2022 08:57 AM
06-09-2022 05:25 AM
Two issues here:
First, you have not applied an access-group under any interface.
Second, both routers must know each other's connected prefixes, i.e. you need a routing protocol.
06-09-2022 06:00 AM
I suggest you go through the study guides and learn things first, and then try. If things are not going OK, try to find the issue, and if the issue still persists, at that point you can ask the community. Put some effort into learning.
06-09-2022 06:08 AM
You say put some effort in; I have been at this for two years. Cisco literature may as well be written in a foreign language, and the training material is dire. The community is there to help; that's why I ask the community. Usually the community is helpful and polite. Maybe you should put some effort into manners.
06-09-2022 06:10 AM - edited 06-09-2022 06:14 AM
You have misunderstood what I mean. Anyway,
check the link below.
It clearly explains what an ACL is and how it is used. Good luck.
If you need more help, let me know and I will share some clear guides.
06-09-2022 06:17 AM
Hello
“When I ping from 185.140.150.1 to 175 and 192 the ping should be blocked, but”
Not necessarily; it depends on how and where you've applied that access list and in what direction. Can you elaborate on your current setup?
06-09-2022 06:22 AM
Hi Paul, thanks for the question. I was told by the Cisco VIP doing our training to apply it only on the central router. I am reading a tonne of collateral, but nothing is really simple here. I get the concept of the ACL. I understand it needs to be applied in the router, but is it applied on the outgoing or incoming interface from the device or router?
Which interface am I applying this to, and am I applying it in or out?
Thanks
06-09-2022 06:39 AM
1. The first thing is that we need to know which traffic we are going to block or allow.
Then create an access list as below. The first line will block telnet traffic from 192.168.1.1 to any address; the second line then allows all other traffic.
ip access-list extended blocktelnet
 deny tcp host 192.168.1.1 any eq telnet
 permit ip any any
2. Then we need to map the access list to some router interface in the correct direction.
This code is applied to interface gig 0/1, and it is applied to inbound traffic. That means any traffic coming into the router on that interface will be filtered according to the access list named blocktelnet, as in this example. If you want to filter traffic going from the router out of the interface, you can use the out keyword instead of the in keyword.
interface gigabitethernet 0/1
 ip access-group blocktelnet in
3. Selecting which interface to apply the access list to is a bit tricky.
Extended ACLs (which can select more parameters and be more specific) need to be applied closer to the source. More general ACLs can be applied closer to the destination. We can also apply them wherever we want, as per the requirement.
If you are planning to block ICMP traffic between two hosts, you can apply the blocking ACL closer to the source or the destination router. If you are applying it to the router closest to the source PC, better apply it to the interface connected to the PC/switch of the source network and select inbound.
If you are applying the ACL closer to the destination PC, generally you can apply it to the interface of the router connected to the destination network. When selecting the interface to apply the ACL to, we can apply it to the interface connected directly to the destination network in the outbound direction. We can also apply the ACL inbound on the other interfaces of the same router.
Hope you understood the basic way of filtering traffic patterns.
06-09-2022 07:14 AM
Because the ACL is a standard ACL, for it to work you need to apply the ACL inbound on all three of the router interfaces.
Jon
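Jon's point (a standard ACL tests only the source address, so it has to sit inbound on every interface whose hosts you want to filter) and the standard-versus-extended distinction from the accepted answer, as an added Python simulation that is not part of this thread; the interface names and the extended ACL are my assumptions.

```python
import ipaddress

# Constructed model of the thread's central router: three interfaces, one per
# subnet (the interface names are assumptions, not taken from the thread).
INTERFACES = {
    "Gi0/0": ipaddress.ip_network("185.140.150.0/24"),
    "Gi0/1": ipaddress.ip_network("175.100.125.0/24"),
    "Gi0/2": ipaddress.ip_network("192.168.10.0/24"),
}
# access-list 20 from the question: standard, so only the source is tested.
ACL_20 = {"extended": False, "entries": [
    ("deny", "185.140.150.1", "any"),
    ("deny", "175.100.125.1", "any"),
    ("deny", "192.168.10.1", "any"),
    ("permit", "any", "any"),
]}
# Constructed extended ACL: tests source AND destination, so it can single
# out one conversation instead of everything a host sends.
ACL_EXT = {"extended": True, "entries": [
    ("deny", "185.140.150.1", "175.100.125.1"),
    ("permit", "any", "any"),
]}

def _match(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) == ipaddress.ip_address(spec)

def acl_action(acl, src, dst):
    """First matching entry wins; no match means the implicit deny at the end."""
    for action, s, d in acl["entries"]:
        if _match(s, src) and (not acl["extended"] or _match(d, dst)):
            return action
    return "deny"

def interface_for(addr):
    ip = ipaddress.ip_address(addr)
    return next(name for name, net in INTERFACES.items() if ip in net)

def forward(src, dst, applied):
    """applied maps (interface, 'in'|'out') -> ACL. Returns 'forwarded' or 'dropped'."""
    in_if, out_if = interface_for(src), interface_for(dst)
    for key in ((in_if, "in"), (out_if, "out")):  # ingress check, then egress check
        acl = applied.get(key)
        if acl is not None and acl_action(acl, src, dst) == "deny":
            return "dropped"
    return "forwarded"

NOTHING_APPLIED = {}                                         # the poster's situation
ALL_INBOUND = {(name, "in"): ACL_20 for name in INTERFACES}  # Jon's fix
ONE_INBOUND = {("Gi0/0", "in"): ACL_20}                      # only 185.x sources filtered
EXT_AT_SOURCE = {("Gi0/0", "in"): ACL_EXT}                   # blocks just 185.140.150.1 -> 175.100.125.1
```

With nothing bound to an interface the pings in the question are forwarded, exactly as the poster saw; with ACL 20 inbound on all three interfaces each of the three hosts is dropped while other hosts in the same subnets still pass.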
06-09-2022 07:53 AM
Thanks Jon