how to configure ACL on routers?

ahmadqayyum7
Level 1

I am given a topology in which I have to apply ACL. The PCs in the left bottom side are not to be accessed by any other PCs. This was done successfully as follows:

 

access-list 1 deny any
access-list 1 permit any
int fa 0/0
ip access-group 1 out

 

Now the next task is that the top router should be only accessed by the PCs in the left side and the ones in the left bottom. How do I do that?


8 Replies

Joseph W. Doherty
Hall of Fame
"The PCs in the left bottom side are not to be accessed by any other PCs."

Your ACL also blocks the routers and servers; don't know if you intended that too. Also since your first ACL statement is deny any, the subsequent permit any will never be reached.

"Now the next task is that the top router should be only accessed by the PCs in the left side and the ones in the left bottom. How do I do that?"

That depends on what you mean by "accessed" and also by your network addressing.

By "accessed" I mean that if I ping the top PCs from the PCs on the left side, the ping should be successful. Also, should the following be my new configuration for the PCs in the left bottom?:
access-list 1 permit any
access-list 1 deny any
int fa 0/0
ip access-group 1 out
I tried this too but now the deny statement is not working.

When I wrote your original ACL's 2nd ACE wasn't reached, I wasn't suggesting you swap the 1st and 2nd ACEs. I meant you didn't need the 2nd ACE. When you swap them, all again matches on the first ACE, but as it's a permit, nothing is blocked.

Regarding the meaning of "accessed", an ACL can block or only allow "ping" packets. Is that what you want, or do you also want to be selective with other traffic? Your original ACL is an all-or-nothing ACL.

Yes, by accessed I mean ping. Can you please modify the commands?

To only allow ping or to only not allow ping?

To only allow pings.

(NB: I don't have access to a Cisco router, so my syntax may be correct.)

ip access-list extended AllowOnlyPings
 remark ICMP type 0 (echo-reply) and type 8 (echo request) only; everything else hits the implicit deny
 permit icmp any any echo-reply
 permit icmp any any echo

Apply the above (named) ACL to the interfaces facing into the switches whose hosts you want to control. Applying it for either in or out should do the job, but you can also apply the ACL for both in and out.

BTW, if you're wondering, every ACL has an implicit deny all as the last entry.

Giuseppe Larosa
Hall of Fame

Hello,

If accessing the top router means being able to telnet/ssh to the router, the exercise is asking you to build an ACL that is applied to the vty lines (the logical entities that accept incoming telnet/SSH sessions).

 

For example, if 192.168.5.0/24 and 192.168.20.0/24 must be able to telnet to the router:

access-list 5 permit 192.168.5.0 0.0.0.255
access-list 5 permit 192.168.20.0 0.0.0.255

line vty 0 4
access-class 5 in
login

Note the ACL is not applied to a physical interface but to the line vty range.

This is usually what is meant by controlling who can access the router shell.

 

Hope to help

Giuseppe
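As an added worked example (my own Python, not code from this thread, from Cisco, or from any of the posters), the following simulator walks an ACL the way IOS does: top-down, first match wins, implicit deny at the end. It transcribes the three ACLs discussed above (the deny-any/permit-any pair whose second entry can never be reached, and the swapped pair whose deny is equally unreachable; the ping-only extended ACL; and access-class 5 on the vty lines) and shows which constructed sample packets each one permits. Matching only the source address, the protocol keyword and the ICMP type is a simplification of this model, not a statement about IOS; destination addresses and ports are carried but ignored.

```python
# Added example (not code from the thread or from Cisco): a small simulator of
# how IOS walks an ACL top-down with first-match semantics and an implicit
# "deny any" at the end. It models only what the thread needs: source-address
# wildcard matching, a protocol keyword and an ICMP type. Destination address
# and port are carried but not matched (an assumption of this toy model).
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                         # "icmp", "tcp" or "udp"
    icmp_type: Optional[int] = None    # 8 = echo (request), 0 = echo-reply
    dst_port: Optional[int] = None


@dataclass
class Ace:
    """One access-control entry, i.e. one 'permit'/'deny' line of an ACL."""
    action: str                        # "permit" or "deny"
    proto: str = "ip"                  # "ip" matches every protocol
    src: str = "0.0.0.0"               # with the all-ones wildcard below this is "any"
    src_wild: str = "255.255.255.255"  # Cisco wildcard mask: 1 bits are "don't care"
    icmp_type: Optional[int] = None


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard compare: only the bits that are 0 in the mask must agree."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.icmp_type is not None and pkt.icmp_type != ace.icmp_type:
        return False
    return wildcard_match(pkt.src, ace.src, ace.src_wild)


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """Return the action of the first matching ACE; no match means the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


def unreachable_aces(acl: List[Ace]) -> List[int]:
    """Indexes of ACEs that sit behind a catch-all ('ip any') entry and can never match.
    This is a simplified shadow check: it ignores partial overlaps between entries."""
    for i, ace in enumerate(acl):
        if ace.proto == "ip" and ace.src_wild == "255.255.255.255":
            return list(range(i + 1, len(acl)))
    return []


# The ACLs from the thread, transcribed into the model above.
ACL_DENY_THEN_PERMIT = [Ace("deny"), Ace("permit")]    # original poster's first attempt
ACL_PERMIT_THEN_DENY = [Ace("permit"), Ace("deny")]    # original poster's swapped attempt
ACL_ALLOW_ONLY_PINGS = [                               # the ping-only extended ACL
    Ace("permit", "icmp", icmp_type=0),                # echo-reply
    Ace("permit", "icmp", icmp_type=8),                # echo (request)
]
ACL_5_VTY = [                                          # access-class 5 on the vty lines
    Ace("permit", src="192.168.5.0", src_wild="0.0.0.255"),
    Ace("permit", src="192.168.20.0", src_wild="0.0.0.255"),
]

# Constructed sample packets; the addresses are made up for this example.
PING_REQUEST = Packet("192.168.5.77", "10.0.0.1", "icmp", icmp_type=8)
PING_REPLY = Packet("10.0.0.1", "192.168.5.77", "icmp", icmp_type=0)
WEB_REQUEST = Packet("192.168.5.77", "10.0.0.1", "tcp", dst_port=80)
TELNET_FROM_OTHER_NET = Packet("192.168.6.9", "10.0.0.1", "tcp", dst_port=23)


if __name__ == "__main__":
    for name, acl in [("deny-then-permit", ACL_DENY_THEN_PERMIT),
                      ("permit-then-deny", ACL_PERMIT_THEN_DENY),
                      ("allow-only-pings", ACL_ALLOW_ONLY_PINGS),
                      ("access-class 5", ACL_5_VTY)]:
        print(f"{name}: ping={evaluate(acl, PING_REQUEST)} "
              f"web={evaluate(acl, WEB_REQUEST)} "
              f"telnet-from-192.168.6.9={evaluate(acl, TELNET_FROM_OTHER_NET)} "
              f"unreachable ACEs={unreachable_aces(acl)}")
```

Running it shows the two points made in the replies: in both of the original poster's two-line ACLs the second entry is shadowed by a catch-all first entry (the simulator reports index 1 as unreachable), so one of them blocks everything and the other blocks nothing; the ping-only ACL and access-class 5 contain no catch-all, so anything they do not name falls through to the implicit deny at the end. Checking for shadowed entries before applying an ACL is a cheap way to catch the ordering mistake discussed above.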
