ACL Inter VLAN woes

I am trying to block ICMP to a PC.
I am unable to apply the ACL on an InterVLAN Interface(incoming).
All other Interfaces work OK.

Does not WorkInterVLAN Interface)

interface GigabitEthernet0/1
ip address 192.168.10.1 255.255.255.0
ip access-group icmp-block in
duplex auto
speed auto

ip access-list extended icmp-block
deny icmp any host 192.168.2.4
permit ip any any

Works :

interface GigabitEthernet0/0
ip address 192.168.10.1 255.255.255.0
ip access-group icmp-block out
duplex auto
speed auto

ip access-list extended icmp-block
deny icmp any host 192.168.2.4
permit ip any any

ACL-InterVLAN.jpg

ACL-InterVLAN2.jpg

Find more posts tagged with

Comments

satishtech

I think I figured it out.Makes me wonder how much there is to learn and how
complicated the ccent exam can get.I wish there was a listing of all ccent
complicated lab scenarios.

blatini

What was the resolution to this?

satishtech

Apply ACL to all subinterfaces created under int g0/1.
Now the ACL does its job of filterring ICMP traffic.
Hope I am right.(Correct me if I am wrong)

config:

interface GigabitEthernet0/1.1
encapsulation dot1Q 1 native
ip address 192.168.5.1 255.255.255.0
ip access-group icmp-block in
!
interface GigabitEthernet0/1.2
encapsulation dot1Q 10
ip address 192.168.1.1 255.255.255.0
ip access-group icmp-block in
!
interface GigabitEthernet0/1.3
encapsulation dot1Q 20
ip address 192.168.4.1 255.255.255.0
ip access-group icmp-block in

networker050184

You don't need it on all of the interfaces. I think you are failing to understand what portion of the packet the ACL will be matching on.

satishtech

so how do I rectify this ?
Kindly clarify networker .

networker050184

You need to understand how it works before you can fix it. When a packet traverses those interfaces inbound and outbound what are the source and destination addresses going to be? That is how you know what type and where to place your ACL.

AwesomeGarrett

networker, forcing newbies to think since 2007.

satishtech

I used this : on int g0/1

ip access-list extended icmp-block
deny icmp 192.168.0.0 0.0.255.255 host 192.168.2.4
permit ip any any

Nope : Ping still works !!

So I do not need to place the ACL on all subinterfaces of a VLAN ?
only the int g0/1 will do ?

I even tried this :ping still works
ip access-list extended icmp-block
deny icmp 192.168.4.0 0.0.0.255 host 192.168.2.4
deny icmp 192.168.5.0 0.0.0.255 host 192.168.2.4
deny icmp 192.168.1.0 0.0.0.255 host 192.168.2.4
deny icmp 192.168.10.0 0.0.0.255 host 192.168.2.4
permit ip any any
!

thinking....

satishtech

Will this Work ?

Router(config-if)#int range g0/1.1 - g0/1.3
Router(config-if-range)#ip access-group icmp-block in

satishtech

I can also apply the ACL outgoing on g0/0 interface ? This will be only once. Kindly clarify.