ACL configuration

Tags:
Access Control List
ACL
ACL Manager
Cisco 2960
Cisco 7206
Network security
Hey, I want to create a standard ACL to allow all traffic to flow from 172.16.10.0 0.0.0.255 to 172.16.20.0 0.0.0.255 and 172.16.30.0 0.0.0.255, but I don't want traffic to flow from 172.16.20.0 0.0.0.255 to 172.16.30.0 0.0.0.255 and vice versa, so I created the following ACL:

access-list 10 permit 172.16.10.0 0.0.0.255
access-list 10 deny any

I also created sub-interfaces on the router for interface fa 0/0: sub-interface fa 0/0.1 for 172.16.10.0 0.0.0.255, sub-interface fa 0/0.2 for 172.16.20.0 0.0.0.255 and sub-interface fa 0/0.3 for 172.16.30.0 0.0.0.255, and I have applied the above access list on sub-interfaces fa 0/0.2 and fa 0/0.3, but it's not working. Please help.

Software/Hardware used:
router 7206, switches 2960

Answer Wiki

Your answer is in your question: the ACL you created only shows the "allow" for the 172.16.10.0 network.

Given that it's not working, you either 1) applied that ACL on the inbound traffic, which is going to kill anything not coming from that network, or 2) any outbound traffic not originating in the 172.16.10.0 network is going to be dropped.

A better solution:
– ACL for inbound traffic – 172.16.20.0 (aka VLAN 20)
access-list 101 deny ip any 172.16.30.0 0.0.0.255
(deny anything headed to 172.16.30.0/24)
access-list 101 permit ip any any
(allow all other traffic through)
– Apply ACL 101 inbound on fa0/0.2

– ACL for inbound traffic – 172.16.30.0 (aka VLAN 30)
access-list 102 deny ip any 172.16.20.0 0.0.0.255
(deny anything headed to 172.16.20.0/24)
access-list 102 permit ip any any
(allow everything else through)
– Apply ACL 102 inbound on fa0/0.3

Pings from 172.16.10.0 to either subnet will be good, pings between those two subnets will fail, PLUS each of them can still reach the other resources (servers, Internet, etc.).
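The reasoning above, as an added runnable example that is not part of the original question or answer: a small Python model of how IOS evaluates a numbered access list (wildcard masks, first matching entry wins, implicit deny any at the end), run against the ACL 10 from the question and the ACL 101/102 from the answer as they would be seen inbound on fa0/0.2 and fa0/0.3. The ACL text is taken from the page; the host addresses (172.16.20.5, 198.51.100.10, etc.) are constructed for the example, and the `ip access-group` lines mentioned in the comments are the IOS commands that attach a list to an interface.

```python
"""Model of Cisco IOS access-list evaluation: first matching entry wins and
an implicit 'deny any' sits at the end of every list. Used here to show why
the question's ACL 10 blocks traffic and the answer's ACL 101/102 do not."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed for this example: the standard ACL (range 1-99) from the question ...
ORIGINAL_ACL = """
access-list 10 permit 172.16.10.0 0.0.0.255
access-list 10 deny any
"""

# ... and the two extended ACLs (range 100-199) from the answer. On the router they
# would be attached with 'ip access-group 101 in' on fa0/0.2 and
# 'ip access-group 102 in' on fa0/0.3.
FIXED_ACL = """
access-list 101 deny ip any 172.16.30.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 deny ip any 172.16.20.0 0.0.0.255
access-list 102 permit ip any any
"""

ANY = ("0.0.0.0", "255.255.255.255")   # 'any' = network 0.0.0.0, all bits don't-care


@dataclass
class Ace:
    """One access-list entry: action plus (network, wildcard) for source and destination."""
    action: str
    src: Tuple[str, str]
    dst: Tuple[str, str]


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is don't-care
    (the inverse of a subnet mask, so 0.0.0.255 means a /24)."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def _parse_addr(tokens: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """Consume 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W' at tokens[i];
    a bare address with no wildcard (allowed in standard ACLs) means a single host."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    wildcard = tokens[i + 1] if i + 1 < len(tokens) else "0.0.0.0"
    return (tokens[i], wildcard), i + 2


def parse_acl(config: str, number: int) -> List[Ace]:
    """Collect the entries of numbered ACL `number`, in configuration order."""
    aces = []
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[1] != str(number):
            continue
        action = tokens[2]
        if 1 <= number <= 99:                 # standard list: matches on source only
            src, _ = _parse_addr(tokens, 3)
            dst = ANY
        else:                                 # extended list: protocol, source, destination
            src, i = _parse_addr(tokens, 4)   # tokens[3] is the protocol ('ip' here)
            dst, _ = _parse_addr(tokens, i)
        aces.append(Ace(action, src, dst))
    return aces


def evaluate(aces: List[Ace], src: str, dst: str) -> str:
    """Return 'permit' or 'deny' for a packet; the first matching entry decides."""
    for ace in aces:
        if wildcard_match(src, *ace.src) and wildcard_match(dst, *ace.dst):
            return ace.action
    return "deny"                             # implicit deny any at the end of every list


def check_design() -> Dict[str, str]:
    """Verdicts for packets seen INBOUND on fa0/0.2 (from VLAN 20) and fa0/0.3 (from VLAN 30)."""
    acl10 = parse_acl(ORIGINAL_ACL, 10)
    acl101 = parse_acl(FIXED_ACL, 101)
    acl102 = parse_acl(FIXED_ACL, 102)
    return {
        # The question's list inbound on fa0/0.2: nothing sourced from VLAN 20 survives,
        # so even the echo reply to a ping from VLAN 10 is dropped.
        "acl10 in fa0/0.2, 20 -> 10": evaluate(acl10, "172.16.20.5", "172.16.10.5"),
        "acl10 in fa0/0.2, 20 -> Internet": evaluate(acl10, "172.16.20.5", "198.51.100.10"),
        # The answer's lists: only the 20 <-> 30 pair is blocked.
        "acl101 in fa0/0.2, 20 -> 10": evaluate(acl101, "172.16.20.5", "172.16.10.5"),
        "acl101 in fa0/0.2, 20 -> 30": evaluate(acl101, "172.16.20.5", "172.16.30.5"),
        "acl101 in fa0/0.2, 20 -> Internet": evaluate(acl101, "172.16.20.5", "198.51.100.10"),
        "acl102 in fa0/0.3, 30 -> 10": evaluate(acl102, "172.16.30.5", "172.16.10.5"),
        "acl102 in fa0/0.3, 30 -> 20": evaluate(acl102, "172.16.30.5", "172.16.20.5"),
    }


if __name__ == "__main__":
    for flow, verdict in check_design().items():
        print(f"{flow:36} {verdict}")
```

The model makes the direction point concrete: a list applied inbound on a sub-interface only ever sees packets sourced from that VLAN, so a standard list that permits only 172.16.10.0/24 and then denies everything can never match there and drops every packet, including the replies to VLAN 10's pings. The extended lists deny one destination and then permit the rest, so the implicit deny at the end is never reached for legitimate traffic.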

Discuss This Question: 1 Reply

  • KFaganJr
    Run the command below. Do you see the access list you created?
    show access-lists
