Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
2023
Views
25
Helpful
10
Replies

how to solve this acl issue ?

Go to solution
jordan-jj
Level 1
Level 1

‎06-10-2017 11:11 AM - edited ‎03-05-2019 08:41 AM

I want to block 192.168.3.0 network from reaching network 192.168.2.129  of Router 3

I tried below acl on R3 

access-list 51 deny 192.168.3.0 0.0.0.255

access-list 51 permit any

Interface eth1/1  =ip access-group 51 in

still  192.168.3.0 can reach my network. how to solve issue here  ?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Georg Pauwen
VIP
VIP
In response to Georg Pauwen

‎06-11-2017 12:51 AM

Hello,

that is the way IOS is designed: an ACL can never block packets generated by the router itself, it can only block packets which transit through the router, not packets generated by the router.

I have uploaded a working pkt (see attachment).

View solution in original post

acl_out.zip
0 Helpful
10 Replies 10

Go to solution
Georg Pauwen
VIP
VIP

‎06-10-2017 11:42 AM

Hello,

try:

access-list 101 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.127
access-list 101 permit ip any any

and apply the access list 'out':

Interface eth1/1 =ip access-group 101 out

If that doesn't work, post the Packet Tracer file (ZIP it first, otherwise you cannot upload it).

Go to solution
jordan-jj
Level 1
Level 1
In response to Georg Pauwen

‎06-10-2017 12:11 PM

Is it possible in a standard ACL,

0 Helpful

Go to solution
Georg Pauwen
VIP
VIP
In response to jordan-jj

‎06-10-2017 12:16 PM

Hello,

standard ACL should work, try and apply it out:

Interface eth1/1 =ip access-group 51 out

That said, it SHOULD work. Post the zipped .pkt file, there might be something in your configuration that causes problems.

Go to solution
jordan-jj
Level 1
Level 1
In response to Georg Pauwen

‎06-10-2017 12:21 PM

Standard ACL seems working, but i can ping to the gateway  interface of of router R3, 

0 Helpful

Go to solution
Georg Pauwen
VIP
VIP
In response to jordan-jj

‎06-10-2017 12:24 PM

Hello,

with the standard access list applied out, you can ping from where to where ?

Go to solution
jordan-jj
Level 1
Level 1
In response to Georg Pauwen

‎06-10-2017 12:38 PM

i can ping to the gateway of network 192.168.2.128 in R3 but not to that network. i thought that acl will block everything for that network

0 Helpful

Go to solution
Georg Pauwen
VIP
VIP
In response to jordan-jj

‎06-10-2017 12:58 PM

Hello,

where are you pinging from ?

Your access list blocks access from 192.168.3.0/24 to 192.168.2.128/25, since it is applied to Ethernet1/1.

Post the .pkt file, that will make it easier to explain.

Go to solution
Georg Pauwen
VIP
VIP
In response to Georg Pauwen

‎06-11-2017 12:51 AM

Hello,

that is the way IOS is designed: an ACL can never block packets generated by the router itself, it can only block packets which transit through the router, not packets generated by the router.

I have uploaded a working pkt (see attachment).

acl_out.zip
0 Helpful

Go to solution
jordan-jj
Level 1
Level 1
In response to Georg Pauwen

‎06-11-2017 12:30 PM

If i want to block reaching to that interface here, Ethernet 1/1 of router R3  can i create another access list for reaching that interface in R3. does that make sense. 

0 Helpful

Go to solution
Georg Pauwen
VIP
VIP
In response to jordan-jj

‎06-11-2017 02:54 PM

Hello,

to block traffic to Ethernet1/1 on router 3, you would need to configure local policy routing. This would look as following:

ip local policy route-map LOCAL_TRAFFIC_TO_NULL
!
access-list 101 permit ip 192.168.2.128 0.0.0.127 192.168.3.0 0.0.0.255
!
route-map LOCAL_TRAFFIC_TO_NULL permit 10
 match ip address 101
 set interface Null0

However, Packet Tracer does not support the commands required, if you know and use GNS3, you can try and test it.

Top