12-19-2014 06:48 AM - edited 03-05-2019 12:25 AM
Hello again, I'm having problems with the permit and deny in my router. My problem is that I have managed to put this in my CLI, but I am able to ping from 192.168.10.3 and 4 to other networks when it should be blocked. I don't understand, can someone help me?
This is what I put in the CLI:
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list 1 deny host 192.168.10.3
Router(config)#access-list 1 deny host 192.168.10.4
Router(config)#access-list 1 permit host 192.168.10.2
Router(config)#int fa0/14
%Invalid interface type and number
Router(config)#int fa0/0
Router(config-if)#ip access-group 1 out
Router(config-if)#exit
12-19-2014 07:41 AM
I'm assuming that FastEthernet0/0 holds the 192.168.10.0/24 network here. If I'm wrong, please let me know.
When applying ACLs to interfaces, "in" and "out" are always considered from the perspective of the router and not the network segment itself. You may have better luck if you do "ip access-group 1 in" instead of "ip access-group 1 out" here.
12-19-2014 07:56 AM
Nope, I set no IP address on FastEthernet 0/0. I only did FastEthernet 0/0.10 holding 192.168.10.1/28, 0/0.20 holding 192.168.10.17/28, 0/0.30 holding 192.168.10.33/28, 0/0.30 holding 192.168.10.49/29 and 0/0.50 holding 192.168.10.57/29.
But shall I try "ip access-group 1 in" instead then?
12-19-2014 08:09 AM
Okay... that explains things.
An IP ACL is only going to function on interfaces that are actually configured to send and receive IP traffic. With no IP address on FastEthernet0/0, the ACL won't do anything because no IP traffic is being sent and received on this interface.
Try removing "ip access-group 1 out" from FastEthernet0/0 and applying "ip access-group 1 in" on FastEthernet0/0.10 instead.
12-19-2014 10:10 AM
Thank you very much, it worked :D
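The behaviour discussed in this thread, as an added example that is not part of the original posts: a simplified Python model of which ACL binding a routed packet actually hits. It assumes, as the accepted reply states, that an ACL bound to an interface with no IP address never sees routed traffic; the function names and the destination 192.168.10.18 are constructed for illustration. It also goes one step beyond the thread by showing the implicit deny that ends every standard ACL.

```python
import ipaddress

# Standard ACL 1 from the thread: (action, source address, wildcard mask).
ACL_1 = [
    ("deny", "192.168.10.3", "0.0.0.0"),
    ("deny", "192.168.10.4", "0.0.0.0"),
    ("permit", "192.168.10.2", "0.0.0.0"),
]

# Interfaces taken from the thread; Fa0/0 itself carries no IP address.
INTERFACES = {
    "Fa0/0": None,
    "Fa0/0.10": ipaddress.ip_interface("192.168.10.1/28").network,
    "Fa0/0.20": ipaddress.ip_interface("192.168.10.17/28").network,
}

def acl_permits(acl, src):
    """First matching entry wins; a standard ACL ends with an implicit deny."""
    src_int = int(ipaddress.ip_address(src))
    for action, addr, wildcard in acl:
        care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
        if (src_int & care) == (int(ipaddress.ip_address(addr)) & care):
            return action == "permit"
    return False

def interface_for(ip):
    """Return the routed interface whose subnet contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in INTERFACES.items():
        if net is not None and addr in net:
            return name
    return None

def forwarded(src, dst, bindings):
    """bindings maps (interface, direction) -> ACL. Only an ACL bound to the
    packet's real ingress ("in") or egress ("out") interface is evaluated."""
    ingress, egress = interface_for(src), interface_for(dst)
    for iface, direction in ((ingress, "in"), (egress, "out")):
        acl = bindings.get((iface, direction))
        if acl is not None and not acl_permits(acl, src):
            return False
    return True

original = {("Fa0/0", "out"): ACL_1}   # as first configured in the thread
fixed = {("Fa0/0.10", "in"): ACL_1}    # as suggested in the accepted reply

if __name__ == "__main__":
    for src in ("192.168.10.2", "192.168.10.3", "192.168.10.5"):
        print(src, forwarded(src, "192.168.10.18", original),
              forwarded(src, "192.168.10.18", fixed))
```

With the corrected binding, 192.168.10.5 is dropped as well, because only 192.168.10.2 is explicitly permitted and everything else falls through to the implicit deny.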