5 pts.
 ACL configuration
Hey, I want to create a standard ACL to allow all network to flow from 172.16.10.0 0.0.0.255 to 172.16.20.0 0.0.0.255 and 172.16.30.0 0.0.0.255, but I don't want network to flow from 172.16.20.0 0.0.0.255 to 172.16.30.0 0.0.0.255 and vice versa, so I created the following ACL:

access-list standard 10 permit 172.16.10.0 0.0.0.255
access-list standard 10 deny any

I also created sub interfaces on the router for interface fa 0/0:

sub interface fa 0/0.1 for 172.16.10.0 0.0.0.255
sub interface fa 0/0.2 for 172.16.20.0 0.0.0.255
sub interface fa 0/0.3 for 172.16.30.0 0.0.0.255

I have applied the above access list on the sub interfaces fa 0/0.2 and fa 0/0.3, but it's not working. Please help.



Software/Hardware used:
router 7206, switches 2960
ASKED: July 16, 2011  11:15 AM
UPDATED: March 31, 2012  9:16 PM

Answer Wiki:
Your answer is in your question: the ACL you created only shows the "allow" for the 172.16.10.0 network. Given that it's not working, you either 1) applied that ACL on the IN-bound traffic, which is going to kill anything not coming from that network, or 2) any OUT-bound traffic not originating in the 172.16.10.0 network is going to be dropped.

A better solution:

- ACL for Inbound traffic - 172.16.20.0 (aka VLAN 20)
  access-list 101 deny ip any 172.16.30.0 0.0.0.255 (deny anything headed to 172.16.30.0 / 24)
  access-list 101 permit ip any any (allow all other traffic through)
- Apply ACL Inbound on fa0/0.2
- ACL for Inbound traffic - 172.16.30.0 (aka VLAN 30)
  access-list 102 deny ip any 172.16.20.0 0.0.0.255 (deny anything headed to 172.16.20.0 / 24)
  access-list 102 permit ip any any (allow everything else through)
- Apply ACL Inbound on fa0/0.3

Pings from 172.16.10.0 to either subnet will be good, pings to each other will fail, PLUS each of them can still reach the other resources (servers, Internet, etc).
Last Wiki Answer Submitted:  October 31, 2011  4:36 pm  by  Sixball   8,500 pts.
All Answer Wiki Contributors:  Sixball   8,500 pts.
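The following is an added example, not part of the original question or answer. It models first-match ACL evaluation with the implicit deny and compares ping results for the question's ACL 10 against the answer's ACLs 101/102. It assumes ACL 10 was applied inbound (the question does not state the direction); the host addresses are constructed.

```python
import ipaddress

def matches(addr, base, wildcard):
    """Cisco wildcard match: bits set in the wildcard are "don't care"."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

ANY = ("0.0.0.0", "255.255.255.255")

# Each entry: (action, (src base, src wildcard), (dst base, dst wildcard))
ACL_10 = [("permit", ("172.16.10.0", "0.0.0.255"), ANY)]  # standard ACL: source only
ACL_101 = [("deny", ANY, ("172.16.30.0", "0.0.0.255")), ("permit", ANY, ANY)]
ACL_102 = [("deny", ANY, ("172.16.20.0", "0.0.0.255")), ("permit", ANY, ANY)]

def evaluate(acl, src, dst):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, s, d in acl:
        if matches(src, *s) and matches(dst, *d):
            return action
    return "deny"

# Subinterface per subnet, as listed in the question
SUBIF = {"172.16.10.": "fa0/0.1", "172.16.20.": "fa0/0.2", "172.16.30.": "fa0/0.3"}

def ingress(src):
    return next((i for p, i in SUBIF.items() if src.startswith(p)), None)

def forwarded(inbound_acls, src, dst):
    """True if the packet passes the inbound ACL (if any) on its ingress subinterface."""
    acl = inbound_acls.get(ingress(src))
    return acl is None or evaluate(acl, src, dst) == "permit"

def round_trip(inbound_acls, a, b):
    """A ping succeeds only if both the request and the reply are forwarded."""
    return forwarded(inbound_acls, a, b) and forwarded(inbound_acls, b, a)

ORIGINAL = {"fa0/0.2": ACL_10, "fa0/0.3": ACL_10}  # assumption: applied inbound
FIXED = {"fa0/0.2": ACL_101, "fa0/0.3": ACL_102}

H10, H20, H30 = "172.16.10.5", "172.16.20.5", "172.16.30.5"  # constructed hosts

def ping_matrix(inbound_acls):
    pairs = [(H10, H20), (H10, H30), (H20, H30)]
    return {(a, b): round_trip(inbound_acls, a, b) for a, b in pairs}

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, ping_matrix(cfg))
```

Under the inbound assumption, ACL 10 drops the echo replies from VLAN 20 and VLAN 30 because their source addresses are not in 172.16.10.0, so even pings from 172.16.10.0 fail.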


Discuss This Question:


 

Run the command below. Do you see the access list you created?

show access-lists

 1,355 pts.