10-18-2011 07:08 PM - edited 03-07-2019 02:54 AM
I have a vlan that I only want to permit Internet access, and block all traffic to all other vlans. This is what I have:
interface Vlan10
description guest
ip address 10.60.6.1 255.255.255.0
ip access-group OUT in
end
ip access-list extended OUT
deny ip 10.60.6.0 0.0.0.255 172.18.65.0 0.0.0.255
permit ip any any
I want 10.60.6.0 not to have access to 172.18.65.0 and only have access to the Internet, but with the setup above, when I ping
172.18.65.0 with 10.60.6.1 as the source, the pings go through and the permit ip any any counter increments. Why?
10-18-2011 07:44 PM
You are encountering a behavior that has been in place for a very long time but is not so clearly documented. An access list assigned to filter traffic outbound on an interface will not filter traffic that was generated by the router itself. If the interface address is the source address of the packet then an outbound access list will not filter it. If you test from a device connected in that vlan then you should find that the access list does exactly what you expect it to do.
HTH
Rick
10-18-2011 10:17 PM
Hi,
Use an extended access-list.
An example for testing first would be:
access-list 101 deny icmp 10.60.6.0 0.0.0.255 172.18.65.0 0.0.0.255 echo
access-list 101 deny icmp 10.60.6.0 0.0.0.255 172.18.65.0 0.0.0.255 echo-reply
and then check your ping with the source address.
If it works, then remove the test access-list and add the following:
access-list 101 deny tcp
access-list 101 deny tcp
etc..
Don't forget to add permit all at the end.
Regards,
Smitesh
10-18-2011 11:26 PM
Hi,
If you are trying to ping 172.18.65.0 from source interface 10.60.6.1, the ping will succeed, as the router L3 interface is able to ping any other L3 interface.
Try to ping from any host in 10.60.6.0 to 172.18.65.0; it won't ping, as per the access-list you defined.
Please rate the helpful posts.
Regards,
Naidu.
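To make the behaviour Rick and Naidu describe concrete, here is an added Python model (not code from the thread or from Cisco) that parses the poster's extended ACL, applies wildcard-mask matching, and skips the interface ACL for packets whose source is one of the router's own interface addresses. The SVI address 10.60.6.1 and the host address 10.60.6.50 used in the demo are taken from or constructed around the thread; the "router-generated traffic bypasses interface ACLs" rule is the assumption under test.

```python
import ipaddress
from dataclasses import dataclass

# Router-owned addresses (the Vlan10 SVI from the thread); packets sourced
# from these are router-generated and never hit an interface ACL.
ROUTER_INTERFACE_IPS = {"10.60.6.1"}

# The poster's access-list, copied from the thread.
ACL_OUT = """
deny ip 10.60.6.0 0.0.0.255 172.18.65.0 0.0.0.255
permit ip any any
"""

@dataclass
class Ace:
    action: str   # "permit" or "deny"
    proto: str    # "ip" matches every protocol
    src: tuple    # (network_int, wildcard_int) or None for "any"
    dst: tuple

def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def _parse_addr(tokens, i):
    """Consume 'any' or '<network> <wildcard>' starting at tokens[i]."""
    if tokens[i] == "any":
        return None, i + 1
    return (_to_int(tokens[i]), _to_int(tokens[i + 1])), i + 2

def parse_acl(text):
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        src, i = _parse_addr(t, 2)
        dst, i = _parse_addr(t, i)
        aces.append(Ace(t[0], t[1], src, dst))
    return aces

def _addr_matches(spec, addr):
    if spec is None:
        return True
    network, wildcard = spec
    care_bits = ~wildcard & 0xFFFFFFFF      # wildcard 1-bits are "don't care"
    return ((_to_int(addr) ^ network) & care_bits) == 0

def evaluate_acl(aces, src, dst, proto):
    """First matching ACE wins; an ACL ends with an implicit deny."""
    for ace in aces:
        if ace.proto in ("ip", proto) and _addr_matches(ace.src, src) \
                and _addr_matches(ace.dst, dst):
            return ace.action
    return "deny"

def router_forwards(src, dst, proto, router_ips=ROUTER_INTERFACE_IPS):
    """Return (verdict, reason) for a packet entering Vlan10 with ACL OUT."""
    if src in router_ips:   # assumption modelled: locally generated traffic bypasses the ACL
        return "permit", "router-generated, interface ACL not consulted"
    return evaluate_acl(parse_acl(ACL_OUT), src, dst, proto), "matched ACL OUT"

if __name__ == "__main__":
    for pkt in [("10.60.6.1", "172.18.65.1", "icmp"),    # ping sourced from the SVI
                ("10.60.6.50", "172.18.65.1", "icmp"),   # ping from a guest host
                ("10.60.6.50", "8.8.8.8", "icmp")]:      # guest host to the Internet
        print(pkt, "->", router_forwards(*pkt))
```

Running it shows why the poster's test from the SVI succeeds while the same ping from a guest host is denied; the ACL itself is doing what the thread says it does.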