Access-list problem 2600 router

dkblee
Level 1

Hi! Can anyone help check whether the access lists shown below are able to meet the following requirements? Thks!

1) The .9 subnet is able to access only 10.71.12.65 and 10.71.12.68, except hosts .9.93 and .9.88, which can access the .10 and .11 subnets.

2) The .10 vlan can only access 10.71.12.66 and 10.71.12.68. It is restricted from accessing .9, .11 and all other subnets.

3) The .11 vlan can only access 10.71.12.67 and 10.71.12.68. It is restricted from accessing .9, .10 and all other subnets.

fa0/0 - .9 vlan outbound
=========================
access-list 111 permit ip 10.71.9.0 0.0.0.255 host 10.71.12.65
access-list 111 permit ip 10.71.9.0 0.0.0.255 host 10.71.12.68
access-list 111 permit ip host 10.71.9.93 10.71.10.0 0.0.0.255
access-list 111 permit ip host 10.71.9.93 10.71.11.0 0.0.0.255
access-list 111 permit ip host 10.71.9.88 10.71.10.0 0.0.0.255
access-list 111 permit ip host 10.71.9.88 10.71.11.0 0.0.0.255
access-list 111 deny ip any any

fa0/0.3 - .10 vlan outbound
===========================
access-list 112 permit ip 10.71.10.0 0.0.0.255 host 10.71.12.66
access-list 112 permit ip 10.71.10.0 0.0.0.255 host 10.71.12.68
access-list 112 deny ip any any

fa0/0.4 - .11 vlan outbound
===========================
access-list 112 permit ip 10.71.11.0 0.0.0.255 host 10.71.12.67
access-list 112 permit ip 10.71.11.0 0.0.0.255 host 10.71.12.68
access-list 112 deny ip any any

9 Replies

thisisshanky
Level 11

Taking situation 2 (the same applies to the other two situations):

If the 10.71.10.0 subnet is assigned to fa0/0.3, access-list 112 should be applied inbound and not outbound.

If the 10.71.12.0 subnet is assigned to fa0/0.3, access-list 112 has been applied in the correct direction - outbound.

Also, in situation 3 your access-list number is mistakenly typed as 112 (shouldn't it be 113?).

Conclusion: if the .9, .10 and .11 subnets are assigned to the specified Fast Ethernet interfaces, you must apply the ACLs in the INBOUND direction.

Hope that helps!

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

Hi! Thks for the help.

I don't quite understand your second statement.

How should I correct that? Let's say I want the 10.71.12.68 and 10.71.12.68 hosts to access the .10 vlan; do I have to include the access list below on the outbound interface of int fa0/0.3?

int fa0/0.3 - .10 Vlan Outbound
=======================
access-list 115 permit ip 10.71.12.66 0.0.0.255
access-list 115 permit ip 10.71.12.68 0.0.0.255

No,

I was asking you whether the fa0/0.3 subinterface falls in the .10 subnet or the .12 subnet. Hope that is clear now.

Your scenario makes me think that everything will work perfectly if you apply the ACLs you configured in the inbound direction on each subinterface.

How to apply an ACL in the inbound direction?

int fa0/0.3
ip access-group 112 in

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

Hi!

The fa0/0.3 subinterface is under the .10 subnet.

The fa0/0 interface is under the .9 subnet.

The fa0/0.4 subinterface is under the .11 subnet.

Based on the config in my first message, will that fulfill my requirements after changing from outbound to inbound and applying it using the ip access-group command?

I'm not sure whether the above config is correct or not. I just want to make sure before I apply it on the live system. Correct me if I'm wrong, thks!

The requirements specified would definitely be satisfied, if you apply the ACLs inbound. But note that you have denied all implicit traffic not matched by the ACL. Make sure that you have not missed any other traffic that needs to traverse from one vlan to another, or to the Internet.

I also recommend applying this ACL only during off-peak hours, or after scheduling a maintenance window.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

will try that out. Thks!

Hi!

I'm confused about the difference between inbound and outbound. From my access-list config, can you explain why it is not outbound and is inbound instead?

From the book, it's always outbound if the packet is going out from the interface, and if an external packet is entering another router's interface/subinterface it's always inbound. So I'm confused here. Can you explain this? Thks!

When I say inbound or outbound, I mean the direction in which the ACL is applied. An ACL applied outbound on an interface of the router will match those packets routed out from the router through that interface. An ACL applied inbound on an interface will match all packets coming in on that interface.

Hope that helps!

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

Hi!

I've tried the config above. When I applied only access-list 111 on interface fa0/0 and nothing on the other subinterfaces, it worked fine for that access-list: I was able to access the .10 and .11 subnets. But when I tried to apply access-list 112 on fa0/0.3, I was not able to ping the .10 subnet from hosts 10.71.9.93 & 10.71.9.88.

Any idea what's wrong with that?

Thks!
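Added example, not code from the thread: a small Python model of the posted ACLs 111 and 112 evaluated with the inbound semantics Sankar describes above (entries tested in order, first match decides, deny at the end). It assumes the vlan-to-subinterface mapping given in the thread and treats hosts on vlans with no ACL applied as unfiltered; checking both directions of a ping shows why the echo from 10.71.9.93 passes ACL 111 on fa0/0 while the reply from the .10 host is dropped by ACL 112 inbound on fa0/0.3, which matches the symptom in the last post.

```python
import ipaddress
# ACL 111 (inbound on fa0/0, .9 vlan) and ACL 112 (inbound on fa0/0.3, .10 vlan), as posted.
ACL_TEXT = """
access-list 111 permit ip 10.71.9.0 0.0.0.255 host 10.71.12.65
access-list 111 permit ip 10.71.9.0 0.0.0.255 host 10.71.12.68
access-list 111 permit ip host 10.71.9.93 10.71.10.0 0.0.0.255
access-list 111 permit ip host 10.71.9.93 10.71.11.0 0.0.0.255
access-list 111 permit ip host 10.71.9.88 10.71.10.0 0.0.0.255
access-list 111 permit ip host 10.71.9.88 10.71.11.0 0.0.0.255
access-list 111 deny ip any any
access-list 112 permit ip 10.71.10.0 0.0.0.255 host 10.71.12.66
access-list 112 permit ip 10.71.10.0 0.0.0.255 host 10.71.12.68
access-list 112 deny ip any any
"""

def _spec(tokens):
    # 'any' | 'host A' | 'A WILDCARD' -> (address, match mask); set wildcard bits mean "don't care"
    t = tokens.pop(0)
    if t == "any":
        return 0, 0
    if t == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0xFFFFFFFF
    return int(ipaddress.IPv4Address(t)), ~int(ipaddress.IPv4Address(tokens.pop(0))) & 0xFFFFFFFF

def parse_acls(text):
    acls = {}
    for tokens in (line.split() for line in text.splitlines()):
        if tokens[:1] == ["access-list"]:  # tokens[3] is the protocol keyword 'ip'
            rest = tokens[4:]
            acls.setdefault(tokens[1], []).append((tokens[2], _spec(rest), _spec(rest)))
    return acls

def evaluate(acl, src, dst):
    # Cisco semantics: entries are tested in order, the first match decides, implicit deny at the end.
    s_ip, d_ip = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for action, (sa, sm), (da, dm) in acl:
        if (s_ip & sm) == (sa & sm) and (d_ip & dm) == (da & dm):
            return action
    return "deny"

def ping_allowed(acls, src, dst):
    # Echo and reply must each pass the inbound ACL of the vlan they enter the router from
    # (thread's mapping: .9 -> 111, .10 -> 112; other vlans are assumed unfiltered in this model).
    inbound = {"10.71.9.": "111", "10.71.10.": "112"}
    for a, b in ((src, dst), (dst, src)):
        for prefix, number in inbound.items():
            if a.startswith(prefix) and evaluate(acls[number], a, b) != "permit":
                return False
    return True
```

With `parse_acls(ACL_TEXT)`, `ping_allowed(acls, "10.71.9.93", "10.71.10.5")` is False because the reply direction hits the final deny of ACL 112, while `ping_allowed(acls, "10.71.10.5", "10.71.12.66")` is True.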