How to make ACL that blocks everyone on the network except me?

h h (Level 1)

So I have OSPF set up and I'm following directions that say to "Configure ACLs so that the 172.16.2.0/24 environment can reach your whole environment, but everyone else can only reach your 99 on the web ports." So from what I understand, everyone on the 10.0.0.0 network should only be allowed on interface 1.99 and blocked on everything else, and 172.16.2.0 should be able to access everything. I've tried making the ACLs, but the problem is I'm denying the whole 10.0.0.0 network, which includes me, so I'm blocking myself; I'm on 10.218.0.0. How do I deny everyone else on the network besides myself? I attached the show run of my router so you can see my configuration.

21 Replies

Because you apply the ACL on all interfaces, and the reason I think you do that is the direction, which is OUT.
Instead, change the direction and apply the ACL only to the interface that this subnet is directly connected to.

Hi,

Which interface are you connected to?

 

The router is connected to the switch through g0/0/1, and I'm using subinterfaces on g0/0/1 correlated to the switch VLANs.

Right, but you are at some subinterface. Which one? Which IP address are you using?

Well, the PC is using subinterface 10, if that's what you mean.

You mean you are here?

!
interface GigabitEthernet0/0/1.10
encapsulation dot1Q 10
ip address 10.218.10.1 255.255.255.0
ip helper-address 10.218.20.8
ip access-group 1 out
!

Well, that is the subinterface that the PC is receiving its address from, so I guess so, if that's what you're asking. What exactly do you mean by "am I there"? I'm kind of confused about what you're asking.

Let me explain. If you are at this subinterface, and considering you should not drop the access, either you do not apply the ACL to this subinterface or you add a specific rule for your PC.

If you create an access list like this:

access-list 1 permit host 10.218.10.X   (replace X by your IP; a standard ACL such as 1 matches on the source address only, so it takes no protocol or destination field)

 

Considering that the ACL already has an implicit deny at the end, you are allowing only yourself to access everything from this subinterface.

 

One thing I'm confused about, though, is how can I permit myself and 172.16.2.0 at the same time on an interface while denying everyone else? As far as I can tell, you can only permit one address per ACL.

If you permit one address (yours) on the ACL, everything else will be denied, as the ACL has a "deny any any" at the end.

access-list 100 permit tcp <src> <src-wildcard> <dst> <dst-wildcard> eq www established
access-list 100 deny ip <src> <src-wildcard> <dst> <dst-wildcard>
access-list 100 permit ip any any

This can solve your issue.
The router only allows traffic initiated inside your network to the web in the subnet you need to block.
The direction of this ACL is IN.
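The two replies above (the implicit deny with one specific permit, and the `established` keyword for return traffic) both come down to how IOS walks an ACL: top-down, first match wins, implicit deny at the end. The following is an added example, not code from the thread or from Cisco: a small Python model that parses numbered extended ACL lines in IOS syntax and evaluates constructed packets against them. The VLAN 99 subnet (10.218.99.0/24), the asker's PC address (10.218.10.50) and the web server (10.218.99.10) are assumptions; the original post does not give them.

```python
"""Model of Cisco IOS extended-ACL evaluation: entries are checked top-down, the
first match decides, and an implicit deny follows the last entry.  Added example
for this thread; the VLAN 99 subnet 10.218.99.0/24, the admin PC 10.218.10.50 and
the web server 10.218.99.10 are assumed values, not taken from the original post."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "telnet": 23}

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def _wild_match(addr: int, net: int, wildcard: int) -> bool:
    """IOS wildcard mask: a 1 bit means 'don't care', so only the 0 bits are compared."""
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (net & care)

@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol
    src: tuple                   # (network, wildcard)
    dst: tuple
    sport: Optional[int] = None
    dport: Optional[int] = None
    established: bool = False    # match only TCP segments that carry ACK (or RST)

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 40000
    dport: int = 80
    ack: bool = False            # True for a reply segment of an existing session

def _parse_addr(tok, i):
    """'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' at tok[i] -> ((net, wildcard), next i)."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2

def _parse_port(tok, i):
    """Optional 'eq <port|name>' at tok[i] -> (port or None, next i)."""
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i

def parse_line(line: str) -> Entry:
    """access-list <100-199> permit|deny <proto> SRC [eq p] DST [eq p] [established]"""
    tok = line.split()
    if tok[0] != "access-list" or not 100 <= int(tok[1]) <= 199:
        raise ValueError("only numbered extended ACLs are modelled: " + line)
    src, i = _parse_addr(tok, 4)
    sport, i = _parse_port(tok, i)   # an 'eq' right after the source is a SOURCE port
    if i >= len(tok) or tok[i] == "established":
        # Destination missing: this is where IOS reports '% Invalid input detected'.
        raise ValueError("invalid input: destination address expected in: " + line)
    dst, i = _parse_addr(tok, i)
    dport, i = _parse_port(tok, i)
    established = i < len(tok) and tok[i] == "established"
    return Entry(tok[2], tok[3], src, dst, sport, dport, established)

def parse_acl(text: str):
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def evaluate(acl, pkt: Packet) -> str:
    """Return 'permit' or 'deny' for pkt; the first matching entry decides."""
    for e in acl:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not (_wild_match(_ip(pkt.src), *e.src) and _wild_match(_ip(pkt.dst), *e.dst)):
            continue
        if e.sport is not None and pkt.sport != e.sport:
            continue
        if e.dport is not None and pkt.dport != e.dport:
            continue
        if e.established and not (pkt.proto == "tcp" and pkt.ack):
            continue
        return e.action
    return "deny"                # the implicit 'deny ip any any' that ends every IOS ACL

ADMIN_PC = "10.218.10.50"        # assumed address of the asker's PC
# Candidate ACL for the task: trusted subnet and the admin PC first, then the web
# ports on VLAN 99 for everyone, then replies from VLAN 99; implicit deny for the rest.
ACL_100 = f"""
access-list 100 permit ip 172.16.2.0 0.0.0.255 any
access-list 100 permit ip host {ADMIN_PC} any
access-list 100 permit tcp any 10.218.99.0 0.0.0.255 eq www
access-list 100 permit tcp any 10.218.99.0 0.0.0.255 eq 443
access-list 100 permit tcp 10.218.99.0 0.0.0.255 any established
"""
# The blanket deny from the question placed BEFORE the admin permit: first match
# wins, so the admin's own traffic never reaches the permit on the next line.
ACL_WRONG_ORDER = f"""
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 permit ip host {ADMIN_PC} any
"""

def decisions() -> dict:
    """Evaluate constructed packets (addresses and ports are made up) against both ACLs."""
    good, bad = parse_acl(ACL_100), parse_acl(ACL_WRONG_ORDER)
    srv = "10.218.99.10"
    return {
        "trusted_to_vlan20_ssh": evaluate(good, Packet("172.16.2.5", "10.218.20.8", dport=22)),
        "admin_to_vlan20_ssh": evaluate(good, Packet(ADMIN_PC, "10.218.20.8", dport=22)),
        "other_to_vlan99_web": evaluate(good, Packet("10.218.10.77", srv, dport=80)),
        "other_to_vlan99_ssh": evaluate(good, Packet("10.218.10.77", srv, dport=22)),
        "other_to_vlan20_web": evaluate(good, Packet("10.218.10.77", "10.218.20.8", dport=80)),
        "vlan99_reply": evaluate(good, Packet(srv, "10.218.10.77", sport=80, dport=40000, ack=True)),
        "vlan99_new_session": evaluate(good, Packet(srv, "10.218.10.77", dport=22)),
        "admin_with_deny_first": evaluate(bad, Packet(ADMIN_PC, "10.218.20.8", dport=22)),
    }

def why_established_fails(line: str = "access-list 100 permit tcp 10.0.0.0 0.0.0.255 eq www established"):
    """The rejected command from the thread: 'eq www' binds to the source, so
    'established' arrives where IOS expects a destination."""
    try:
        parse_line(line)
        return None
    except ValueError as err:
        return str(err)
```

Two things the model makes visible. First, ordering: `ACL_WRONG_ORDER` denies the admin PC even though a permit for it exists, because the broad `deny 10.0.0.0 0.255.255.255` is hit first; the specific permits have to precede the broad deny. Second, `established` only matches segments with ACK set, so it lets replies from the VLAN 99 servers back out without letting those servers open new sessions into the other VLANs; without such a line, an ACL that ends in the implicit deny drops the return half of every web session.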

For some reason it doesn't let me put the established at the end; it says invalid input. It only lets me do any or host.

Show me the ACL command.

access-list 100 permit tcp 10.0.0.0 0.0.0.255 eq www established