
Packet tracer (deny and permit)

danielyankey1
Beginner

Hello again. I'm having problems with the permit and deny in my router. My problem is that I have managed to put this in my CLI, but I am able to ping from 192.168.10.3 and 4 to other networks when it should be blocked. I don't understand; can someone help me?

This is what I put in the CLI:

Router#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#access-list 1 deny host 192.168.10.3
Router(config)#access-list 1 deny host 192.168.10.4
Router(config)#access-list 1 permit host 192.168.10.2
Router(config)#int fa0/14
%Invalid interface type and number
Router(config)#int fa0/0
Router(config-if)#ip access-group 1 out
Router(config-if)#exit

 

 



ghostinthenet
Rising star

I'm assuming that FastEthernet0/0 holds the 192.168.10.0/24 network here. If I'm wrong, please let me know.

When applying ACLs to interfaces, "in" and "out" are always considered from the perspective of the router and not the network segment itself. You may have better luck if you do "ip access-group 1 in" instead of "ip access-group 1 out" here.

Nope, I set no IP address on FastEthernet 0/0. I only did FastEthernet 0/0.10 holding 192.168.10.1/28, 0/0.20 holding 192.168.10.17/28, 0/0.30 holding 192.168.10.33/28, 0/0.30 holding 192.168.10.49/29 and 0/0.50 holding 192.168.10.57/29.

 

But shall I try "ip access-group 1 in" instead then?

Okay... that explains things.

An IP ACL is only going to function on interfaces that are actually configured to send and receive IP traffic. With no IP address on FastEthernet0/0, the ACL won't do anything because no IP traffic is being sent and received on this interface.

Try removing "ip access-group 1 out" from FastEthernet0/0 and applying "ip access-group 1 in" on FastEthernet0/0.10 instead.

Thank you very much, it worked :D
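
As an added example (not part of the original thread), the Python sketch below evaluates ACL 1 from the question the way a standard ACL is processed: entries are checked in order against the source address, the first match wins, and anything unmatched hits the implicit deny. It goes slightly beyond the thread by listing the verdict for every host in 192.168.10.0/28 once the list is applied inbound on FastEthernet0/0.10; the function names are illustrative assumptions.

```python
import ipaddress

# ACL 1 exactly as entered in the original post.
ACL_1 = """\
access-list 1 deny host 192.168.10.3
access-list 1 deny host 192.168.10.4
access-list 1 permit host 192.168.10.2
"""

def parse_standard_acl(text):
    """Parse 'access-list N permit|deny ...' lines into (action, addr, wildcard)."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue
        action, spec = tok[2], tok[3:]
        if spec[0] == "any":
            addr, wild = "0.0.0.0", "255.255.255.255"
        elif spec[0] == "host":
            addr, wild = spec[1], "0.0.0.0"
        else:  # "address [wildcard]"; a missing wildcard means an exact host match
            addr, wild = spec[0], spec[1] if len(spec) > 1 else "0.0.0.0"
        entries.append((action, int(ipaddress.IPv4Address(addr)),
                        int(ipaddress.IPv4Address(wild))))
    return entries

def evaluate(entries, source):
    """First matching entry wins; no match falls through to the implicit deny."""
    src = int(ipaddress.IPv4Address(source))
    for number, (action, addr, wild) in enumerate(entries, start=1):
        # Wildcard bits set to 1 are "don't care" bits.
        if (src | wild) == (addr | wild):
            return action, number
    return "deny", None  # implicit "deny any" at the end of every ACL

def inbound_verdicts(entries, subnet):
    """Verdict for every usable host address arriving from the given subnet."""
    return {str(h): evaluate(entries, str(h))[0]
            for h in ipaddress.ip_network(subnet).hosts()}

if __name__ == "__main__":
    acl = parse_standard_acl(ACL_1)
    # 192.168.10.0/28 is the subnet behind FastEthernet0/0.10 (gateway .1).
    for host, verdict in inbound_verdicts(acl, "192.168.10.0/28").items():
        print(f"{host:>15}  {verdict}")
```

Only 192.168.10.2 is permitted: the two explicit deny lines match .3 and .4 first, and every other source on the subnet is dropped by the implicit deny, so the deny lines are not strictly needed for this outcome.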
