ACL not denying traffic

sejamc71
Level 1

I don't have a lot of experience with ACLs and I am trying to create an ACL on a switch that will block a specific subnet from accessing the other networks on the switch.

Network management IP of switches 10.0.22.0/23

switch A Mgmt IP 10.0.22.1

Switch L3 interfaces: 172.16.22.0/23 - wired, 10.0.22.0/23 - wireless mgmt, 10.0.24.0/23 - wireless, and 10.10.24.0/23 - Guest

I want to create an ACL that will stop 10.10.24.0/23 from talking to the other subnets. I came up with the following, but it doesn't seem to be working.

L3 Interface Config

interface GigabitEthernet0/0/2.1124
description SBI-Guest
encapsulation dot1Q 1124
ip address 10.10.24.1 255.255.254.0
ip access-group Guest-Access in
ip helper-address 172.16.22.24
no ip redirects
!

ACL config

ip access-list extended Guest-Access
permit udp any any eq bootpc
permit udp any any eq bootps
permit udp any any eq domain
deny ip 10.10.24.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip 10.10.24.0 0.0.0.255 172.16.0.0 0.15.255.255
deny ip 10.10.24.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip any any
permit tcp any any

Any thoughts on why this is not working?

24 Replies

sejamc71
Level 1

OK, I see what you mean. I removed and re-added the ACL.

Extended IP access list Guest-Access
10 permit udp any any eq bootpc
20 permit udp any any eq bootps
30 permit udp any any eq domain
40 deny ip 10.10.24.0 0.0.1.255 10.0.0.0 0.255.255.255
50 deny ip 10.10.24.0 0.0.1.255 172.16.0.0 0.15.255.255
60 deny ip 10.10.24.0 0.0.1.255 192.168.0.0 0.0.255.255
70 permit ip any any
80 permit tcp any any


interface GigabitEthernet0/0/2.1124
description SBI-Guest
encapsulation dot1Q 1124
ip address 10.10.24.1 255.255.254.0
ip helper-address 172.16.22.24
no ip redirects
ip access-group Guest-Access out
!

NOW check again; show access-list gives you a good indication of which line is matched in your ACL.
Good luck.

sejamc71
Level 1

Frustrating. Did a show and then a ping from the server. Still can ping. Thanks for trying.

sh access-lists

Extended IP access list Guest-Access
10 permit udp any any eq bootpc
20 permit udp any any eq bootps
30 permit udp any any eq domain
40 deny ip 10.10.24.0 0.0.1.255 10.0.0.0 0.255.255.255
50 deny ip 10.10.24.0 0.0.1.255 172.16.0.0 0.15.255.255
60 deny ip 10.10.24.0 0.0.1.255 192.168.0.0 0.0.255.255
70 permit ip any any
80 permit tcp any any

ip access-group Guest-Access out <<- add it again under the subinterface 

sejamc71
Level 1

I did, no change.

Current configuration : 212 bytes
!
interface GigabitEthernet0/0/2.1124
description SBI-Guest
encapsulation dot1Q 1124
ip address 10.10.24.1 255.255.254.0
ip helper-address 172.16.22.24
no ip redirects
ip access-group Guest-Access out

OK,
only add a new ACL with a new name but the same lines;
let's call it Guest-Allow
and apply it to the subinterface.
Since we deleted the old one, sometimes the router still uses the OLD one even if we change some lines.

Any update?

sejamc71
Level 1

I was able to get it to work, I think. I'm monitoring to make sure DHCP services are still being provided. I changed my ACL to this:

Extended IP access list Guest-Access1
10 permit udp any any eq bootpc
20 permit udp any any eq bootps
30 permit udp any any eq domain
40 deny ip 172.16.0.0 0.15.255.255 10.10.24.0 0.0.1.255
50 permit ip any any

and I had to apply it to the 172.16 interface:

interface GigabitEthernet0/0/2.22
description SBI DATA
encapsulation dot1Q 22
ip flow monitor FLOW1 input
ip flow monitor FLOW1 output
ip address 172.16.22.1 255.255.254.0
no ip redirects
ip access-group Guest-Access1 in
!

from the server at 172.16.22.24, I am now no longer able to ping the 10.10.24.0 subnet

Your previous post was deleted, but I read it.
I'm glad it works now,
and yes, you must monitor the traffic, especially DHCP, because you have an ip helper under the interface.
Good luck, friend.

Hello


@sejamc71 wrote:

This is what I have

ip access-list extended Guest-Access
permit udp any any eq bootpc
permit udp any any eq bootps
permit udp any any eq domain
permit ip any any
permit tcp any any
deny ip 10.10.24.0 0.0.1.255 10.0.0.0 0.255.255.255
deny ip 10.10.24.0 0.0.1.255 172.16.0.0 0.15.255.255
deny ip 10.10.24.0 0.0.1.255 192.168.0.0 0.0.255.255
Change that ACL a little and test again, applying it outbound on that routed

ip access-list extended Guest-Access
permit udp any any eq bootpc
permit udp any any eq bootps
permit udp any any eq domain
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip any any

int x/x
ip access-group Guest-Access out 


Kind Regards
Paul
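The thread's two root causes (a 0.0.0.255 wildcard on a /23 subnet, and in the quoted version a permit ip any any placed before the deny lines) are easier to see by evaluating the posted entries the way IOS does. This is an added example, not code from the thread or from Cisco; it models only the fields the posted ACLs use, and the constructed test flows are a guest host talking to the 172.16.22.24 server and a DHCP discover.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'ignore this bit', so a /23 needs 0.0.1.255."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)

def parse_ace(line):
    """Parse 'permit|deny <proto> <src> <dst> [eq <port>]'; 'any' is 0.0.0.0 255.255.255.255."""
    t = line.split()
    fields, i = [], 2
    for _ in range(2):
        if t[i] == "any":
            fields.append(("0.0.0.0", "255.255.255.255")); i += 1
        else:
            fields.append((t[i], t[i + 1])); i += 2
    port = t[i + 1] if i < len(t) and t[i] == "eq" else None
    return t[0], t[1], fields[0], fields[1], port

def evaluate(acl, proto, src, dst, dport=None):
    """IOS semantics: first matching entry wins; implicit deny ip any any at the end."""
    for line in acl:
        action, p, s, d, port = parse_ace(line)
        if p not in ("ip", proto) or (port is not None and port != dport):
            continue
        if wildcard_match(src, *s) and wildcard_match(dst, *d):
            return action
    return "deny"

# Entries as posted in the thread, reassembled here as constructed strings.
DHCP_DNS = ["permit udp any any eq bootpc", "permit udp any any eq bootps",
            "permit udp any any eq domain"]
DENIES = ["deny ip 10.10.24.0 {} 10.0.0.0 0.255.255.255",
          "deny ip 10.10.24.0 {} 172.16.0.0 0.15.255.255",
          "deny ip 10.10.24.0 {} 192.168.0.0 0.0.255.255"]
ORIGINAL = DHCP_DNS + [d.format("0.0.0.255") for d in DENIES] + ["permit ip any any"]
FIXED_MASK = DHCP_DNS + [d.format("0.0.1.255") for d in DENIES] + ["permit ip any any"]
PERMIT_FIRST = DHCP_DNS + ["permit ip any any"] + [d.format("0.0.1.255") for d in DENIES]

def guest_to_server(acl, guest_ip):
    """Result for a guest host pinging the 172.16.22.24 server (ACL inbound on the guest SVI)."""
    return evaluate(acl, "icmp", guest_ip, "172.16.22.24")

def dhcp_discover_allowed(acl):
    """A DHCP discover (0.0.0.0 -> 255.255.255.255, udp bootps) must still pass the ACL."""
    return evaluate(acl, "udp", "0.0.0.0", "255.255.255.255", "bootps") == "permit"
```

Running guest_to_server over the three variants shows that 10.10.25.x hosts (the upper half of the /23) slip past the 0.0.0.255 mask, that the corrected mask denies them, and that with permit ip any any first the deny lines are never reached; a server-initiated ping toward the guest subnet is not matched by a source-based deny at all, which is why a stateless ACL keyed on the guest source does not stop pings started from 172.16.22.24.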