Access list on 1 interface with multiple addresses

smithcolm
Level 1

Hi,

I want to be able to put an access list on an interface that has multiple addresses / subnets.

I want the access list to restrict traffic from each network.

It's on 1 interface because I have limited resources and I need to build a lab environment for testing. The lab environment should have no access to the main network and vice versa, but still have internet access.

So, say for example,

the primary address is 192.168.1.1

ip address 192.168.99.1 255.255.255.0 secondary is added to make it a secondary address.

If I add an access list

access-list 100 permit ip host 192.168.1.52 192.168.99.0 0.0.0.255          //this is my computer
access-list 100 deny   ip 192.168.2.0 0.0.0.255 192.168.99.0 0.0.0.255

and add "ip access-group 100 in" to int g0/1, which is the interface in question,

this doesn't do what I want, but it does have a knock-on effect of blocking other networks.

Has anyone done anything similar or have any ideas?

Cheers


6 Replies

Neeraj Arora
Level 3

You need to create an ACL something like this:

access-list 100 permit ip 192.168.99.0 0.0.0.255 host 192.168.1.52
access-list 100 deny   ip 192.168.99.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 100 permit ip any any
!
int g0/1
 ip access-group 100 in

The above ACL will allow your PC to receive the return traffic from the lab subnet; the 2nd line will block the lab subnet from communicating with any other 192.168.X.X internal subnets, and the 3rd line will allow Internet traffic for all subnets connected to this interface.

Hope it helps

Neeraj

Yeah, this just takes the router offline altogether; it took down the network.

I had to run down to the router with a laptop and console cable to take out the changes.

My guess is that because 192.168.1.1 and 192.168.99.1 are actually the same interface, this is what is causing the network to go down.

We also have a subnet of 192.168.2.1 on this interface, but no access lists are set up currently for these.

You could do this if you want to block between the two networks?

It all depends on which networks you want to block.

In the example below I'm permitting your PC to these networks but blocking these networks from talking to each other; then, lastly, you are permitting any other traffic.

ip access-list extended BLOCK_INTERTRAFFIC
 5 permit ip host 192.168.1.52 192.168.99.0 0.0.0.255
 6 permit ip host 192.168.1.52 192.168.1.0 0.0.0.255
 10 deny ip 192.168.1.0 0.0.0.255 192.168.99.0 0.0.0.255
 20 deny ip 192.168.99.0 0.0.0.255 192.168.1.0 0.0.0.255
 30 permit ip any any
!
interface gi0/1
 ip access-group BLOCK_INTERTRAFFIC in

I hope this helps

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Cheers,

I think it was the implicit rules that were catching me out.

So I needed to add the rule to allow the subnet to access itself! (I think)

access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255

Hello,

You wanted to allow your PC to those networks (the first two in my example), which are permits, but you wanted to deny the two networks from getting to each other (the next two in the example).

To prevent breaking any other traffic, the permit any was at the end.

I hope this explains it better?


Yes, I see that.

I'm also integrating with current access lists.

To be honest I probably should have been doing this with a console cable, but the router is at the other end of the building!! :-)

And Packet Tracer doesn't support ip address ...... secondary.

It's working for me now though. I can ping the 99 network from my computer and the 1 network too.

Thanks for the help
