04-13-2011 12:54 AM - edited 03-06-2019 04:35 PM
I have a branch office router that acts as a router on a stick. There are many vlans terminating on it.
I want to restrict access from vlan 1100 to vlan 1200. I adopted the ACL solution, under router subinterfaces.
For example, I don't want subnet A:10.101.14.128/27 to communicate with subnet B: 10.101.14.190/28.
Here's the config:
Extended IP access list ACL_VLAN1100
10 permit ip 10.101.14.128 0.0.0.127 172.16.0.0 0.0.255.255
20 permit ip 10.101.14.128 0.0.0.127 172.18.0.0 0.0.255.255
!
interface GigabitEthernet0/0.1100
description ********** GW VLAN Users **********
encapsulation dot1Q 1100
ip address 10.101.14.158 255.255.255.224
ip access-group ACL_VLAN1100 in
ip helper-address 172.16.5.28
ip helper-address 172.16.5.29
no ip redirects
no ip proxy-arp
Yet, hosts in subnet A still ping hosts on subnet B
Thanks for your help.
Solved! Go to Solution.
04-13-2011 03:46 AM
Hi,
You received a reply not an echo-reply but an administratively prohibited reply from router so if you put on the interface the no ip unreachables command you should have 100 % packet loss.
Regards.
Alain.
04-13-2011 01:30 AM
Hi,
Can you do a debug ip packet
Regards.
Alain.
04-13-2011 03:30 AM
I labbed the scenario and found that it was a silly mistake the wildcard mask is larger than the subnet mask. So traffic of encompassed subnets is allowed by the ACL. It's funny how we take things as granted during troubleshooting
I corrected the wildcard mask. I have another situation now. It's true that hosts on subnets A can not ping hosts on subnet B. Yet Windows "ping" displays 0% packet loss. Is it a display error? or is it because packets reached the router then were consumed by it?
04-13-2011 03:46 AM
Hi,
You received a reply not an echo-reply but an administratively prohibited reply from router so if you put on the interface the no ip unreachables command you should have 100 % packet loss.
Regards.
Alain.
04-13-2011 02:05 AM
Where is you "cleanup rule" or in this case your deny any any at the end of the ACL? If you don't have one you will need to put one in.
Noel
04-13-2011 02:31 AM
Hi Noel,
There is always an implicit deny at the end of an ACL.
Regards.
Alain.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide