ACL and Sub-Interfaces

netracernz
Level 1

I am trying to secure sub-interfaces on a 2600 router:

interface FastEthernet0/1.1
 ! no access-group applied
!
interface FastEthernet0/1.2
 ip access-group 110 out
!
access-list 110 deny ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
access-list 110 permit ip any any

This works, but it blocks traffic both ways. I only want to block one: I don't want FA0/1.2 to be able to access FA0/1.1, but I want all traffic to be allowed to go the other way.

Any suggestions would be great. If you need more info on the network setup, please ask.

2 Replies

Richard Burts
Hall of Fame

Clinton

What you are attempting to accomplish is more difficult than it appears at first. The difficulty is that you are attempting to block requests from one VLAN to the other, but the access list is also blocking responses going back. What you really want is something that can do stateful inspection and so could distinguish a request going over, which you do not want to work, from a response going back, which you do want to work. That is difficult to accomplish with access lists. For TCP traffic you can use the established parameter for this, but there is not an easy way to do it for UDP traffic.

HTH

Rick

Sent from Cisco Technical Support iPhone App
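Rick's point about stateless filtering is easiest to see by evaluating a few packets against the two access lists. The script below is an added example and is not code from the original thread or from Cisco; it models Cisco IOS extended access-list evaluation (first match wins, wildcard masks, implicit deny, and the TCP `established` keyword, which matches segments carrying ACK or RST) and runs the poster's ACL 110 and a replacement ACL 120 over constructed sample traffic. It assumes 1.1.1.0/24 sits behind FA0/1.1 and 2.2.2.0/24 behind FA0/1.2, and that ACL 120 would be applied inbound on FA0/1.2 (where traffic from the 2.2.2.0/24 hosts enters the router); the ACL number 120 and the sample addresses are made up for the illustration.

```python
"""Stateless ACL evaluation modelled on Cisco IOS extended access-list syntax.

Added example, not from the original thread. Assumptions: 1.1.1.0/24 is the
subnet on FA0/1.1, 2.2.2.0/24 is the subnet on FA0/1.2, and ACL 120 (a made-up
number) is applied `ip access-group 120 in` on FA0/1.2.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    ack: bool = False   # TCP ACK flag: set on replies, clear on an initial SYN
    rst: bool = False   # TCP RST flag: IOS also counts it as "established"


@dataclass(frozen=True)
class Ace:
    action: str         # "permit" or "deny"
    proto: str          # "ip" matches every protocol
    src_net: int
    src_wild: int
    dst_net: int
    dst_wild: int
    established: bool = False


def _parse_addr(tokens, i):
    """Parse `any` or `<network> <wildcard>`; return (net, wildcard, next index)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    net = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return net, wild, i + 2


def parse_acl(lines):
    """Parse `access-list <n> permit|deny <proto> <src> <dst> [established]` lines."""
    aces = []
    for line in lines:
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue  # blank line or `!` comment
        action, proto = tokens[2], tokens[3]
        src_net, src_wild, i = _parse_addr(tokens, 4)
        dst_net, dst_wild, i = _parse_addr(tokens, i)
        established = "established" in tokens[i:]
        if established and proto != "tcp":
            raise ValueError("established is only valid for tcp: " + line)
        aces.append(Ace(action, proto, src_net, src_wild, dst_net, dst_wild, established))
    return aces


def _wild_match(addr, net, wild):
    # Wildcard bits set to 1 are "don't care"; bits set to 0 must match exactly.
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)


def evaluate(aces, pkt):
    """First matching ACE wins; a packet matching nothing hits the implicit deny."""
    for ace in aces:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not _wild_match(pkt.src, ace.src_net, ace.src_wild):
            continue
        if not _wild_match(pkt.dst, ace.dst_net, ace.dst_wild):
            continue
        if ace.established and not (pkt.ack or pkt.rst):
            continue
        return ace.action
    return "deny"


# The poster's ACL 110: a plain deny of 2.2.2.0/24 -> 1.1.1.0/24.
ACL_110 = parse_acl([
    "access-list 110 deny ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255",
    "access-list 110 permit ip any any",
])

# Assumed replacement for inbound use on FA0/1.2: let TCP replies from VLAN 2
# back to VLAN 1 through, block every other VLAN 2 -> VLAN 1 packet, permit the rest.
ACL_120 = parse_acl([
    "access-list 120 permit tcp 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255 established",
    "access-list 120 deny ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255",
    "access-list 120 permit ip any any",
])

# Constructed sample traffic; the hosts and flows are invented for the illustration.
VLAN2_TO_VLAN1_SYN = Packet("tcp", "2.2.2.10", "1.1.1.10")                # VLAN 2 opening a connection: must be blocked
VLAN2_TCP_REPLY = Packet("tcp", "2.2.2.10", "1.1.1.10", ack=True)         # reply to a VLAN 1 session: should pass
VLAN2_UDP_REPLY = Packet("udp", "2.2.2.10", "1.1.1.10")                   # e.g. a DNS answer: indistinguishable from a request
VLAN1_TO_VLAN2_SYN = Packet("tcp", "1.1.1.10", "2.2.2.10")                # VLAN 1 initiating: allowed by both lists


def decisions(aces):
    """Return the verdict for each sample packet under the given access list."""
    return {
        "vlan2_syn": evaluate(aces, VLAN2_TO_VLAN1_SYN),
        "vlan2_tcp_reply": evaluate(aces, VLAN2_TCP_REPLY),
        "vlan2_udp_reply": evaluate(aces, VLAN2_UDP_REPLY),
        "vlan1_syn": evaluate(aces, VLAN1_TO_VLAN2_SYN),
    }


if __name__ == "__main__":
    for name, acl in (("ACL 110", ACL_110), ("ACL 120", ACL_120)):
        print(name, decisions(acl))
```

Under ACL 110 every packet from 2.2.2.0/24 to 1.1.1.0/24 is dropped, including the ACK-bearing reply to a session that VLAN 1 opened, which is why the poster sees both directions fail. Under ACL 120 the VLAN 2 SYN is still dropped but the TCP reply passes, because `established` only matches segments with ACK or RST set. The UDP reply is dropped under both lists: a stateless ACL has no way to tell a DNS answer from a DNS query, which is the UDP limitation Rick describes. Note that `established` is not a connection check: a host on 2.2.2.0/24 can send a bare ACK segment and it will be permitted, so this is a convenience for replies, not a firewall. For true stateful behaviour, including UDP, IOS offers reflexive access lists (`reflect` / `evaluate`) and CBAC (`ip inspect`); neither is modelled here.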

Thanks Burt,

I am a newbie to Cisco. Have you got any suggestions on where to get some basic idea of what I need to do to accomplish what I want in the way of securing my VLANs?
