07-08-2004 10:17 AM - edited 03-02-2019 04:56 PM
Hi! Can anyone help check whether the access-lists shown below meet the following requirements? Thks!
1) The .9 subnet is able to access only 10.71.12.65 and 10.71.12.68, except hosts .9.93 and .9.88, which can access the .10 and .11 subnets.
2) The .10 vlan can only access 10.71.12.66 and 10.71.12.68. It's restricted from accessing .9, .11 and all other subnets.
3) The .11 vlan can only access 10.71.12.67 and 10.71.12.68. It's restricted from accessing .9, .10 and all other subnets.
fa0/0 - .9 vlan outbound
=========================
access-list 111 permit ip 10.71.9.0 0.0.0.255 host 10.71.12.65
access-list 111 permit ip 10.71.9.0 0.0.0.255 host 10.71.12.68
access-list 111 permit ip host 10.71.9.93 10.71.10.0 0.0.0.255
access-list 111 permit ip host 10.71.9.93 10.71.11.0 0.0.0.255
access-list 111 permit ip host 10.71.9.88 10.71.10.0 0.0.0.255
access-list 111 permit ip host 10.71.9.88 10.71.11.0 0.0.0.255
access-list 111 deny ip any any
fa0/0.3 - .10 vlan outbound
===========================
access-list 112 permit ip 10.71.10.0 0.0.0.255 host 10.71.12.66
access-list 112 permit ip 10.71.10.0 0.0.0.255 host 10.71.12.68
access-list 112 deny ip any any
fa0/0.4 - .11 vlan outbound
===========================
access-list 112 permit ip 10.71.11.0 0.0.0.255 host 10.71.12.67
access-list 112 permit ip 10.71.11.0 0.0.0.255 host 10.71.12.68
access-list 112 deny ip any any
07-08-2004 10:32 AM
Taking situation 2 (the same applies to the other two situations):
If the 10.71.10.0 subnet is assigned to fa0/0.3, access-list 112 should be applied inbound and not outbound.
If the 10.71.12.0 subnet is assigned to fa0/0.3, access-list 112 has been applied in the correct direction: outbound.
Also, in situation 3 your access-list number is mistakenly typed as 112 (shouldn't it be 113?).
Conclusion: if the .9, .10 and .11 subnets are assigned to the specified fast ethernet interfaces, you must apply the ACLs in the INBOUND direction.
Hope that helps!
07-08-2004 07:14 PM
Hi! Thks for the help.
I don't quite understand your second statement.
How should I correct that? Let's say I want the 10.71.12.66 and 10.71.12.68 hosts to access the .10 vlan. Do I have to include the access-list below on the outbound interface of int fa0/0.3?
int fa0/0.3 - .10 Vlan Outbound
=======================
access-list 115 permit ip host 10.71.12.66 10.71.10.0 0.0.0.255
access-list 115 permit ip host 10.71.12.68 10.71.10.0 0.0.0.255
07-09-2004 10:41 AM
No,
I was asking you whether the fa0/0.3 subinterface falls in the .10 subnet or the .12 subnet. Hope that is clear now.
Your scenario makes me think that everything will work perfectly if you apply the ACLs you configured in the inbound direction on each subinterface.
How to apply an ACL in the inbound direction:
int fa0/0.3
ip access-group 112 in
07-10-2004 07:39 AM
Hi!
The fa0/0.3 subinterface is under the .10 subnet.
The fa0/0 interface is under the .9 subnet.
The fa0/0.4 subinterface is under the .11 subnet.
Based on the config in my first msg, will that fulfill my requirements after changing from outbound to inbound and applying it using the ip access-group command?
I'm not sure whether the above config is correct or not. I just want to make sure before I apply it on the live system. Correct me if I'm wrong, thks!
07-10-2004 12:05 PM
The requirements specified would definitely be satisfied if you apply the ACLs inbound. But note that you have denied all traffic not matched by the ACL. Make sure that you have not missed any other traffic that needs to traverse from one vlan to another, or to the Internet.
I also recommend applying this ACL only during off-peak hours, or after scheduling a maintenance window.
07-10-2004 05:15 PM
Will try that out. Thks!
07-11-2004 08:50 AM
Hi!
I'm confused about the difference between inbound and outbound. From my access-list config, can you explain why it is not outbound and is inbound instead?
From the book, it's always outbound if the packet is going out from the interface, and if an external packet is entering another router's interface/subinterface it's always inbound. So I'm confused here. Can you explain this? Thks!
07-11-2004 10:43 AM
When I say inbound or outbound, I mean the direction in which the ACL is applied. An ACL applied outbound on an interface of the router will match those packets routed out from the router through that interface. An ACL applied inbound on an interface will match all packets coming in on that interface.
Hope that helps!
07-12-2004 12:55 AM
Hi!
I've tried the config above. When I applied only access-list 111 on interface fa0/0 and nothing on the other subinterfaces, it worked fine for that access-list: I'm able to access the .10 and .11 subnets. But when I tried to apply access-list 112 on fa0/0.3, I'm not able to ping the .10 subnet from hosts 10.71.9.93 and 10.71.9.88.
Any idea what's wrong with that?
Thks!
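The last post is the classic symptom of a stateless ACL applied inbound on the return interface: access-list 111 lets 10.71.9.93 send to the .10 subnet, but access-list 112, applied inbound on fa0/0.3, only permits 10.71.10.0/24 toward 10.71.12.66 and 10.71.12.68, so the ICMP echo replies from the .10 hosts back to 10.71.9.93 hit `deny ip any any` and the ping fails. The script below is an added example written for this page, not code from the thread or from Cisco. It models IOS extended-ACL evaluation (first match wins, implicit deny at the end, wildcard masks) for the three lists as posted, with the third list renumbered 113 as the reply suggested, applied inbound on fa0/0, fa0/0.3 and fa0/0.4. It assumes no ACL on the interface facing 10.71.12.x, and the hosts 10.71.9.5, 10.71.10.20 and 10.71.11.5 are constructed test addresses. `with_return_path` adds the return-path permits for the two exempt hosts; that fix is my assumption, not something the thread states.

```python
import ipaddress
from copy import deepcopy
from dataclasses import dataclass

# ACLs constructed from the thread's first post (third list renumbered 113,
# stray "." after 10.71.10.0 / 10.71.11.0 removed).
ORIGINAL_ACLS = """
access-list 111 permit ip 10.71.9.0 0.0.0.255 host 10.71.12.65
access-list 111 permit ip 10.71.9.0 0.0.0.255 host 10.71.12.68
access-list 111 permit ip host 10.71.9.93 10.71.10.0 0.0.0.255
access-list 111 permit ip host 10.71.9.93 10.71.11.0 0.0.0.255
access-list 111 permit ip host 10.71.9.88 10.71.10.0 0.0.0.255
access-list 111 permit ip host 10.71.9.88 10.71.11.0 0.0.0.255
access-list 111 deny ip any any
access-list 112 permit ip 10.71.10.0 0.0.0.255 host 10.71.12.66
access-list 112 permit ip 10.71.10.0 0.0.0.255 host 10.71.12.68
access-list 112 deny ip any any
access-list 113 permit ip 10.71.11.0 0.0.0.255 host 10.71.12.67
access-list 113 permit ip 10.71.11.0 0.0.0.255 host 10.71.12.68
access-list 113 deny ip any any
"""

# Assumed fix (not from the thread): return-path entries for the two exempt hosts.
RETURN_PATH_LINES = """
access-list 112 permit ip 10.71.10.0 0.0.0.255 host 10.71.9.93
access-list 112 permit ip 10.71.10.0 0.0.0.255 host 10.71.9.88
access-list 113 permit ip 10.71.11.0 0.0.0.255 host 10.71.9.93
access-list 113 permit ip 10.71.11.0 0.0.0.255 host 10.71.9.88
"""

# Assumed placement: each list applied inbound on the subinterface of its own VLAN.
INBOUND = {"fa0/0": "111", "fa0/0.3": "112", "fa0/0.4": "113"}
SUBNET_IFACE = {"10.71.9.0/24": "fa0/0", "10.71.10.0/24": "fa0/0.3", "10.71.11.0/24": "fa0/0.4"}


@dataclass
class Entry:
    action: str   # "permit" or "deny"
    src: tuple    # (network, wildcard) as 32-bit integers
    dst: tuple


def _addr(tokens, i):
    """Parse 'any', 'host A' or 'A WILDCARD' at tokens[i]; return ((net, wild), next index)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net, wild), i + 2


def parse_acls(text):
    """Group 'access-list N permit|deny ip SRC DST' lines by list number, in order."""
    acls = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue  # only the protocol "ip" is modelled here
        src, i = _addr(tokens, 4)
        dst, _ = _addr(tokens, i)
        acls.setdefault(tokens[1], []).append(Entry(tokens[2], src, dst))
    return acls


def _matches(spec, ip):
    """Wildcard-mask compare: bits set in the wildcard are 'don't care'."""
    net, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (net & care)


def evaluate(entries, src_ip, dst_ip):
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    for e in entries:
        if _matches(e.src, src_ip) and _matches(e.dst, dst_ip):
            return e.action
    return "deny"


def ingress_interface(ip):
    for subnet, iface in SUBNET_IFACE.items():
        if ipaddress.ip_address(ip) in ipaddress.ip_network(subnet):
            return iface
    return None  # e.g. the 10.71.12.x servers: no inbound ACL modelled


def forwards(acls, src_ip, dst_ip):
    """Does one packet pass the inbound ACL on the interface it arrives on?"""
    iface = ingress_interface(src_ip)
    if iface is None:
        return True
    return evaluate(acls[INBOUND[iface]], src_ip, dst_ip) == "permit"


def ping_works(acls, src_ip, dst_ip):
    """ACLs are stateless: the echo request AND the echo reply must each be permitted."""
    return forwards(acls, src_ip, dst_ip) and forwards(acls, dst_ip, src_ip)


def with_return_path(acls):
    fixed = deepcopy(acls)
    for number, entries in parse_acls(RETURN_PATH_LINES).items():
        fixed[number][0:0] = entries  # ahead of the explicit "deny ip any any"
    return fixed


if __name__ == "__main__":
    original = parse_acls(ORIGINAL_ACLS)
    for label, acls in (("as posted", original), ("with return path", with_return_path(original))):
        ok = ping_works(acls, "10.71.9.93", "10.71.10.20")
        print(f"{label}: ping 10.71.9.93 -> 10.71.10.20 {'works' if ok else 'fails'}")
```

The model reproduces the thread's last observation: the request from 10.71.9.93 is permitted by 111, the reply from the .10 host is dropped by 112. Adding explicit return-path permits is the plain-ACL answer; for TCP-only flows the `established` keyword on an extended ACL, or reflexive ACLs, are the IOS ways to permit return traffic without opening the direction you meant to block.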