ACL on router subinterfaces

Wassim Aouadi
Level 4

I have a branch office router that acts as a router on a stick. There are many vlans terminating on it.

I want to restrict access from vlan 1100 to vlan 1200. I adopted the ACL solution, under router subinterfaces.

For example, I don't want subnet A:10.101.14.128/27 to communicate with subnet B: 10.101.14.190/28.

Here's the config:

Extended IP access list ACL_VLAN1100
10 permit ip 10.101.14.128 0.0.0.127 172.16.0.0 0.0.255.255
20 permit ip 10.101.14.128 0.0.0.127 172.18.0.0 0.0.255.255
!
interface GigabitEthernet0/0.1100
description ********** GW VLAN Users **********
encapsulation dot1Q 1100
ip address 10.101.14.158 255.255.255.224
ip access-group ACL_VLAN1100 in
ip helper-address 172.16.5.28
ip helper-address 172.16.5.29
no ip redirects
no ip proxy-arp

Yet hosts in subnet A can still ping hosts on subnet B.

Thanks for your help.

Accepted Solution

Hi,

You received a reply, not an echo-reply but an administratively prohibited reply from the router, so if you put the no ip unreachables command on the interface you should have 100% packet loss.

Regards.

Alain.

Don't forget to rate helpful posts.
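The distinction in the accepted answer, as an added example that is not code from the thread: build the two ICMP messages a pinging host can get back and tell them apart. A genuine echo-reply (type 0) comes from the target; an "administratively prohibited" destination-unreachable (type 3, code 13) comes from the router whose inbound ACL dropped the request, and it quotes the dropped packet. Windows ping counts the unreachable as a received reply, which is the 0% loss seen in the thread; with no ip unreachables the router sends nothing and ping times out. The gateway address 10.101.14.158 is from the thread; the subnet A and subnet B hosts (10.101.14.130 and 10.101.14.180), the function names, and every packet are constructed for this demonstration.

```python
"""Added example, not from the thread: classify what a pinging host got back.
Echo-reply (type 0) from the target is a real answer; type 3 code 13 from the
gateway is the router refusing the packet. Hosts and packets are constructed."""
import ipaddress
import struct

ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3
ICMP_ECHO_REQUEST = 8
CODE_ADMIN_PROHIBITED = 13  # "communication administratively prohibited"


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; a message carrying a correct checksum yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header for protocol 1 (ICMP); header checksum left at 0."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 1, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_icmp(icmp_type: int, code: int, rest_of_header: bytes, body: bytes) -> bytes:
    unsummed = struct.pack("!BBH", icmp_type, code, 0) + rest_of_header + body
    return struct.pack("!BBH", icmp_type, code, icmp_checksum(unsummed)) + rest_of_header + body


def echo_request(src: str, dst: str, ident: int = 1, seq: int = 1) -> bytes:
    data = b"abcdefghijklmnopqrstuvwabcdefghi"  # 32-byte payload, as Windows ping sends
    return build_ipv4(src, dst, build_icmp(ICMP_ECHO_REQUEST, 0, struct.pack("!HH", ident, seq), data))


def echo_reply_for(request: bytes) -> bytes:
    """What the target sends back: addresses swapped, type 0, same id/seq/data."""
    src, dst = request[12:16], request[16:20]
    return build_ipv4(str(ipaddress.IPv4Address(dst)), str(ipaddress.IPv4Address(src)),
                      build_icmp(ICMP_ECHO_REPLY, 0, request[24:28], request[28:]))


def admin_prohibited_for(request: bytes, router_ip: str) -> bytes:
    """What the router sends when its inbound ACL denies the request: type 3 code 13,
    4 unused bytes, then the dropped packet's IP header plus 8 bytes of its payload."""
    src = str(ipaddress.IPv4Address(request[12:16]))
    return build_ipv4(router_ip, src,
                      build_icmp(ICMP_DEST_UNREACH, CODE_ADMIN_PROHIBITED, b"\x00" * 4, request[:28]))


def classify_reply(packet: bytes, ping_target: str) -> tuple[str, str]:
    """Return (kind, sender): 'echo-reply', 'admin-prohibited', 'unreachable' or 'other'.
    Only a type 0 that really comes from the target counts as an echo-reply."""
    ihl = (packet[0] & 0x0F) * 4
    sender = str(ipaddress.IPv4Address(packet[12:16]))
    icmp = packet[ihl:]
    if packet[9] != 1 or len(icmp) < 8 or icmp_checksum(icmp) != 0:
        return "other", sender
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type == ICMP_ECHO_REPLY and sender == ping_target:
        return "echo-reply", sender
    if icmp_type == ICMP_DEST_UNREACH:
        return ("admin-prohibited" if code == CODE_ADMIN_PROHIBITED else "unreachable"), sender
    return "other", sender


def loss_percent(sent: int, replies: list[bytes], ping_target: str, strict: bool) -> int:
    """strict=False counts any ICMP answer as received, as Windows ping does;
    strict=True counts only genuine echo-replies from the target."""
    got = 0
    for pkt in replies:
        kind, _ = classify_reply(pkt, ping_target)
        if kind == "echo-reply" or (not strict and kind != "other"):
            got += 1
    return 100 * (sent - got) // sent


if __name__ == "__main__":
    req = echo_request("10.101.14.130", "10.101.14.180")
    print(classify_reply(echo_reply_for(req), "10.101.14.180"))          # ('echo-reply', '10.101.14.180')
    blocked = admin_prohibited_for(req, "10.101.14.158")
    print(classify_reply(blocked, "10.101.14.180"))                       # ('admin-prohibited', '10.101.14.158')
    print(loss_percent(4, [blocked] * 4, "10.101.14.180", strict=False))  # 0, what Windows ping reports
    print(loss_percent(4, [blocked] * 4, "10.101.14.180", strict=True))   # 100
    print(loss_percent(4, [], "10.101.14.180", strict=False))             # 100, router silent (no ip unreachables)
```

The empty reply list in the last call models no ip unreachables: the router still drops the packet, it just stops telling the sender, so ping finally shows the loss the ACL was meant to cause. When troubleshooting, look at who the "reply" came from rather than at the loss counter.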


5 Replies

cadet alain
VIP Alumni

Hi,

Can you do a debug ip packet with an ACL permitting ICMP traffic while pinging from a host in A to a host in B?

Regards.

Alain.

Don't forget to rate helpful posts.

I labbed the scenario and found that it was a silly mistake: the wildcard mask is larger than the subnet mask, so traffic from the encompassed subnets is allowed by the ACL. It's funny how we take things for granted during troubleshooting.

I corrected the wildcard mask. I have another situation now. It's true that hosts on subnet A cannot ping hosts on subnet B. Yet Windows "ping" displays 0% packet loss. Is it a display error, or is it because the packets reached the router and were then consumed by it?


N W
Level 1

Where is your "cleanup rule", or in this case your deny any any at the end of the ACL? If you don't have one you will need to put one in.

Noel

Hi Noel,

There is always an implicit deny at the end of an ACL.

Regards.

Alain.

Don't forget to rate helpful posts.
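Two points from the thread, the too-wide wildcard mask and the implicit deny at the end of every ACL, as one added example that is not code from the thread or from Cisco: a small model of IOS wildcard matching and first-match extended-ACL evaluation. The ACE list is a transcription of the posted ACL_VLAN1100 with its 0.0.0.127 wildcard; the function names and the host addresses used for lookups (10.101.14.130 in subnet A, 10.101.14.180 in subnet B) are chosen for the demonstration. The range helper goes slightly beyond the thread by showing exactly which addresses a wildcard covers, which is the check that catches the mistake before it reaches a router.

```python
"""Added example, not from the thread: Cisco-style wildcard matching, a check
for wildcards wider than the subnet they are meant for, and first-match ACL
evaluation ending in the implicit deny. Host addresses are chosen for the demo."""
import ipaddress


def wildcard_for_prefix(prefix_len: int) -> str:
    """Wildcard mask for an IPv4 prefix length, e.g. 27 -> 0.0.0.31, 28 -> 0.0.0.15."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").hostmask)


def wildcard_too_wide(wildcard: str, intended_prefix_len: int) -> bool:
    """True if the wildcard leaves 'don't care' bits outside the host part of the
    intended subnet, i.e. the ACE matches more addresses than the subnet holds."""
    wc = int(ipaddress.IPv4Address(wildcard))
    host_bits = int(ipaddress.IPv4Network(f"0.0.0.0/{intended_prefix_len}").hostmask)
    return (wc & ~host_bits) != 0


def matches(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard match: a set bit in the wildcard means 'ignore this bit'.
    Works for non-contiguous wildcards as well, which IOS also accepts."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


def covered_range(base: str, wildcard: str) -> tuple[str, str]:
    """Lowest and highest address a contiguous wildcard covers. IOS clears the
    wildcard bits of the base when it stores the ACE, so the low end is base & ~wc."""
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    lo = b & ~w
    return str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(lo | w))


# One ACE per tuple: (action, protocol, src, src_wc, dst, dst_wc). "ip" matches any protocol.
Ace = tuple[str, str, str, str, str, str]


def evaluate(acl: list[Ace], proto: str, src: str, dst: str) -> str:
    """First-match evaluation; falling off the end is the implicit deny."""
    for action, p, s, swc, d, dwc in acl:
        if p != "ip" and p != proto:
            continue
        if matches(src, s, swc) and matches(dst, d, dwc):
            return action
    return "deny"  # implicit deny any any, whether or not it is written


# The posted ACL, including the 0.0.0.127 wildcard that the thread identifies as the mistake.
ACL_VLAN1100_POSTED: list[Ace] = [
    ("permit", "ip", "10.101.14.128", "0.0.0.127", "172.16.0.0", "0.0.255.255"),
    ("permit", "ip", "10.101.14.128", "0.0.0.127", "172.18.0.0", "0.0.255.255"),
]


if __name__ == "__main__":
    print("wildcard for /27:", wildcard_for_prefix(27))                        # 0.0.0.31
    print("0.0.0.127 too wide for /27:", wildcard_too_wide("0.0.0.127", 27))   # True
    print("posted ACE covers:", covered_range("10.101.14.128", "0.0.0.127"))   # .128 to .255
    print("corrected ACE covers:", covered_range("10.101.14.128", "0.0.0.31")) # .128 to .159
    # A subnet B host is treated as a subnet A source by the too-wide wildcard:
    print(matches("10.101.14.180", "10.101.14.128", "0.0.0.127"))  # True
    print(matches("10.101.14.180", "10.101.14.128", "0.0.0.31"))   # False
    # Noel's question: no explicit deny is needed for an unlisted destination.
    print(evaluate(ACL_VLAN1100_POSTED, "icmp", "10.101.14.130", "172.16.5.28"))    # permit
    print(evaluate(ACL_VLAN1100_POSTED, "icmp", "10.101.14.130", "10.101.14.180"))  # deny
```

Run wildcard_too_wide against every ACE you write for a known subnet; a wildcard with a set bit outside the subnet's host bits is the exact error found above, and it is easy to miss when the base address happens to be the same in both cases.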