ACLs

nonfatyogurt19
Level 1

We've just started working with Standard ACLs in class and I'm having trouble getting it to work correctly. These are my entries:

ip access-list standard DENY1
 deny 192.168.2.0 0.0.0.255
 permit any

int g0/0
 ip access-group DENY1 in

In Packet Tracer, I have 3 networks:

192.168.1.0/24
192.168.2.0/24
192.168.3.0/24

I'm trying to deny 192.168.2.0 from accessing 192.168.3.0 while still allowing 192.168.1.0 to access it. If I understand correctly, there is an implicit deny placed at the end when an ACL is made, so a permit statement must be made to allow traffic that isn't explicitly denied. When I implement this on Interface G0/0 on the router closest to the destination all traffic is being permitted.

Any help is greatly appreciated. 

Iulian Vaideanu
Level 4

Which of those networks are connected to (or reachable through) interface Gi0/0?

192.168.3.0 is the only network attached to that interface. 

In a standard ACL, whatever IPs/subnets you put there are matched against the source of the processed packets.

So, in the config you described, you're telling the router to drop packets entering interface Gi0/0 that have 192.168.2.x as source IP address.  But there are no 192.168.2.x devices behind Gi0/0, so basically your ACL is reduced to the final "permit any", and all packets go through.

What you need is to "ip access-group DENY1 out" - packets coming from 192.168.2.x enter the router from somewhere else, and just as they are about to be sent out of interface Gi0/0 to whatever is connected to (or reachable through) that interface (that is, to 192.168.3.x), they will be dropped by the ACL;  everything else will go through.
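
The direction point above can be checked with a small simulation. This is an added example, not code from the thread: it models Cisco wildcard-mask matching, the first-match/implicit-deny evaluation of a standard ACL, and the difference between applying it "in" and "out" on Gi0/0. The topology (192.168.3.0/24 behind Gi0/0 as the poster said; 192.168.1.0/24 and 192.168.2.0/24 behind Gi0/1 and Gi0/2) and the host addresses are constructed for the example.

```python
# Added example: simulate standard-ACL evaluation to show why "in" on Gi0/0
# permits everything in this topology while "out" drops 192.168.2.x -> 192.168.3.x.
import ipaddress


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)


# The ACL from the question as (action, network, wildcard); "permit any" is 0.0.0.0 255.255.255.255.
DENY1 = [
    ("deny", "192.168.2.0", "0.0.0.255"),
    ("permit", "0.0.0.0", "255.255.255.255"),
]


def standard_acl(acl, src: str) -> str:
    """A standard ACL tests only the SOURCE address; first match wins, implicit deny at the end."""
    for action, net, wc in acl:
        if wildcard_match(src, net, wc):
            return action
    return "deny"  # implicit "deny any" after the last configured entry


# Constructed topology: which router interface each subnet sits behind (hypothetical names).
INTERFACES = {
    "Gi0/0": ipaddress.ip_network("192.168.3.0/24"),
    "Gi0/1": ipaddress.ip_network("192.168.1.0/24"),
    "Gi0/2": ipaddress.ip_network("192.168.2.0/24"),
}


def interface_for(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    for name, net in INTERFACES.items():
        if ip in net:
            return name
    raise ValueError(f"no interface for {addr}")


def forward(src: str, dst: str, acl, applied_on: str, direction: str) -> str:
    """Apply the ACL only when the packet crosses `applied_on` in the configured direction."""
    in_if, out_if = interface_for(src), interface_for(dst)
    crosses = (direction == "in" and in_if == applied_on) or (direction == "out" and out_if == applied_on)
    return standard_acl(acl, src) if crosses else "permit"


if __name__ == "__main__":
    for direction in ("in", "out"):
        for src in ("192.168.1.10", "192.168.2.10"):
            print(direction, src, "->", "192.168.3.10:", forward(src, "192.168.3.10", DENY1, "Gi0/0", direction))
```

With "in", packets from 192.168.2.10 never enter through Gi0/0, so the deny entry is never consulted; with "out", the same packets are dropped as they leave toward 192.168.3.0/24 while 192.168.1.10 is still permitted.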

I see now. I had some trouble fully understanding inbound/outbound but your explanation makes sense. Thanks for the help!

InayathUlla Sharieff
Cisco Employee

Can you provide me with your .PKT file please?

https://www.4shared.com/file/C9qqSycwce/ACL.html