04-02-2013 04:59 AM - edited 03-07-2019 12:35 PM
hi,
I want to be able to put an access list on an interface that has multiple addresses / subnets.
I want the access list to restrict traffic from each network.
It's on one interface because I have limited resources and I need to build a lab environment for testing; the lab environment should have no access to the main network and vice versa, but still have internet access.
So, say for example,
the primary address is 192.168.1.1
ip address 192.168.99.1 255.255.255.0 secondary is added to make it a secondary address.
If I add an access list
access-list 100 permit ip host 192.168.1.52 192.168.99.0 0.0.0.255 //this is my computer
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.99.0 0.0.0.255
I add "ip access-group 100 in" to int g0/1, which is the interface in question.
This doesn't do what I want, but it does have a knock-on effect of blocking other networks.
has anyone done anything similar or have any ideas?
Cheers
04-02-2013 07:25 AM
You could do this if you want to block between the two networks?
All depends on which networks you want to block.
In this example below I'm permitting your PC to these networks but blocking these networks from talking to each other - then lastly you are permitting any other traffic.
ip access-list extended BLOCK_INTERTRAFFIC
5 permit ip host 192.168.1.52 192.168.99.0 0.0.0.255
6 permit ip host 192.168.1.52 192.168.1.0 0.0.0.255
10 deny ip 192.168.1.0 0.0.0.255 192.168.99.0 0.0.0.255
20 deny ip 192.168.99.0 0.0.0.255 192.168.1.0 0.0.0.255
30 permit ip any any
!
interface gi0/1
ip access-group BLOCK_INTERTRAFFIC in
I hope this helps
Please rate useful posts and remember to mark any solved questions as answered. Thank you.
04-02-2013 05:53 AM
You need to create an ACL something like this:
access-list 100 permit ip 192.168.99.0 0.0.0.255 host 192.168.1.52
access-list 100 deny ip 192.168.99.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 100 permit ip any any
int g0/1
ip access-group 100 in
The above ACL will allow your PC to receive the return traffic from the lab subnet; the 2nd line will block the lab subnet from communicating with any other 192.168.X.X internal subnets, and the 3rd line will allow Internet traffic for all subnets connected to this interface.
Hope it helps
Neeraj
04-02-2013 07:04 AM
Yeah, this just takes the router offline altogether - it took down the network.
I had to run down to the router with a laptop and console cable to take out the changes.
My guess is that because 192.168.1.1 and 192.168.99.1 are actually the same interface, this is what is causing the network to go down.
We also have a subnet of 192.168.2.1 on this interface, but no access lists are set up currently for these.
04-02-2013 08:57 AM
Cheers,
I think it was the implicit rules that were catching me out.
So I needed to add the rule to allow the subnet access to itself! (I think)
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
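Added example, not from the thread: a small Python evaluator for the "permit/deny ip" entries posted above, applying the first-match rule and the implicit deny that caught the poster out. It runs the first ACL from the question and the BLOCK_INTERTRAFFIC list from the accepted answer against constructed sample hosts (192.168.1.20, 192.168.99.10, 8.8.8.8), so you can see before applying a list inbound on a shared interface which flows, including return traffic from the lab back to the PC, it drops.

```python
import ipaddress

def _take(tokens, i):
    """Consume one address spec at tokens[i]: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2

def parse_ace(line):
    """Parse 'permit|deny ip <src> <dst>', with an optional leading sequence number."""
    t = line.split()
    if t[0].isdigit():
        t = t[1:]
    if t[0] not in ("permit", "deny") or t[1] != "ip":
        raise ValueError("only 'permit/deny ip' entries are supported: " + line)
    src, i = _take(t, 2)
    dst, _ = _take(t, i)
    return t[0], src, dst

def matches(addr, spec):
    """Cisco wildcard match: a 1 bit in the wildcard means 'don't care'."""
    a, base, wild = (int(ipaddress.IPv4Address(x)) for x in (addr,) + spec)
    return (a | wild) == (base | wild)

def evaluate(acl, src, dst):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for line in acl:
        action, s, d = parse_ace(line)
        if matches(src, s) and matches(dst, d):
            return action
    return "deny"

# The original poster's first attempt (the two lines from the question).
OP_FIRST_ACL = [
    "permit ip host 192.168.1.52 192.168.99.0 0.0.0.255",
    "deny ip 192.168.2.0 0.0.0.255 192.168.99.0 0.0.0.255",
]
# The BLOCK_INTERTRAFFIC list from the accepted answer.
SOLUTION_ACL = [
    "5 permit ip host 192.168.1.52 192.168.99.0 0.0.0.255",
    "6 permit ip host 192.168.1.52 192.168.1.0 0.0.0.255",
    "10 deny ip 192.168.1.0 0.0.0.255 192.168.99.0 0.0.0.255",
    "20 deny ip 192.168.99.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "30 permit ip any any",
]

if __name__ == "__main__":  # 192.168.1.20 and 8.8.8.8 are constructed sample hosts
    print(evaluate(OP_FIRST_ACL, "192.168.1.20", "8.8.8.8"))   # deny (implicit)
    print(evaluate(SOLUTION_ACL, "192.168.1.20", "8.8.8.8"))   # permit
```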
04-02-2013 09:08 AM
Hello,
You wanted to allow your PC to those networks (the first two in my example), which are permits,
but you wanted to deny the two networks from getting to each other (the next two in the example).
To prevent breaking any other traffic, the permit any was at the end.
I hope this explains better?
Sent from Cisco Technical Support iPhone App
04-02-2013 09:14 AM
Yes, I see that.
I'm also integrating with current access lists.
To be honest I probably should have been doing this with a console cable, but the router is at the other end of the building!! :-)
And Packet Tracer doesn't support ip address ...... secondary.
It's working for me now though. I can ping the 99 network from my computer and the 1 network too.
Thanks for the help