ACL Inter VLAN woes

in CCNA & CCENT
I am trying to block ICMP to a PC.
I am unable to apply the ACL on an InterVLAN Interface(incoming).
All other Interfaces work OK.
Does not Work (InterVLAN Interface):
interface GigabitEthernet0/1
ip address 192.168.10.1 255.255.255.0
ip access-group icmp-block in
duplex auto
speed auto
ip access-list extended icmp-block
deny icmp any host 192.168.2.4
permit ip any any
Works:
interface GigabitEthernet0/0
ip address 192.168.10.1 255.255.255.0
ip access-group icmp-block out
duplex auto
speed auto
ip access-list extended icmp-block
deny icmp any host 192.168.2.4
permit ip any any
Comments
-
satishtech Member Posts: 243
I think I figured it out. Makes me wonder how much there is to learn and how
complicated the CCENT exam can get. I wish there was a listing of all CCENT
complicated lab scenarios. -
satishtech Member Posts: 243
Apply ACL to all subinterfaces created under int g0/1.
Now the ACL does its job of filtering ICMP traffic.
Hope I am right. (Correct me if I am wrong.)
config:
interface GigabitEthernet0/1.1
encapsulation dot1Q 1 native
ip address 192.168.5.1 255.255.255.0
ip access-group icmp-block in
!
interface GigabitEthernet0/1.2
encapsulation dot1Q 10
ip address 192.168.1.1 255.255.255.0
ip access-group icmp-block in
!
interface GigabitEthernet0/1.3
encapsulation dot1Q 20
ip address 192.168.4.1 255.255.255.0
ip access-group icmp-block in
-
networker050184 Mod Posts: 11,962 Mod
You don't need it on all of the interfaces. I think you are failing to understand what portion of the packet the ACL will be matching on.
An expert is a man who has made all the mistakes which can be made. -
networker050184 Mod Posts: 11,962 Mod
You need to understand how it works before you can fix it. When a packet traverses those interfaces inbound and outbound, what are the source and destination addresses going to be? That is how you know what type and where to place your ACL.
An expert is a man who has made all the mistakes which can be made. -
satishtech Member Posts: 243
I used this on int g0/1:
ip access-list extended icmp-block
deny icmp 192.168.0.0 0.0.255.255 host 192.168.2.4
permit ip any any
Nope: Ping still works!!
So I do not need to place the ACL on all subinterfaces of a VLAN ?
only the int g0/1 will do ?
I even tried this: ping still works
ip access-list extended icmp-block
deny icmp 192.168.4.0 0.0.0.255 host 192.168.2.4
deny icmp 192.168.5.0 0.0.0.255 host 192.168.2.4
deny icmp 192.168.1.0 0.0.0.255 host 192.168.2.4
deny icmp 192.168.10.0 0.0.0.255 host 192.168.2.4
permit ip any any
!
thinking.... -
satishtech Member Posts: 243
Will this Work?
Router(config-if)#int range g0/1.1 - g0/1.3
Router(config-if-range)#ip access-group icmp-block in
-
satishtech Member Posts: 243
I can also apply the ACL outgoing on the g0/0 interface? This will be only once. Kindly clarify.
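The whole thread turns on where an extended ACL is consulted, not on its syntax. The Python model below is an added example, not IOS code and not anything posted by the thread's participants. It parses the extended ACL lines used above (`any`, `host`, network plus wildcard mask, first match wins, implicit deny at the end) and pushes constructed packets through a router-on-a-stick topology assembled from the addresses in the thread. The topology is an assumption: 192.168.2.4 is placed behind g0/0 because the thread reports the ACL working outbound there, and the subinterface subnets are the ones posted. The model also assumes that an ACL bound to the physical g0/1 is never consulted for VLAN-tagged traffic arriving on its subinterfaces, which matches the "ping still works" observations but is not something the thread verifies. It then compares the three placements the thread tries: physical g0/1 inbound, every subinterface inbound, and g0/0 outbound once.

```python
"""Model of IOS extended ACL matching and placement on a router-on-a-stick.
Constructed teaching example; topology and platform behaviour are assumptions."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str  # "icmp", "tcp" or "udp"
    src: str
    dst: str


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (n | w)


def _take_addr(tokens: list) -> tuple:
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'."""
    t = tokens.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":
        return tokens.pop(0), "0.0.0.0"
    return t, tokens.pop(0)


def parse_acl(text: str) -> list:
    """Parse the body of 'ip access-list extended NAME' into ACE tuples."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue  # header line, remark or '!' separator
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src = _take_addr(rest)
        dst = _take_addr(rest)
        aces.append((action, proto, src, dst))
    return aces


def evaluate(aces: list, pkt: Packet) -> str:
    """First matching ACE wins; no match at all ends in the implicit deny."""
    for action, proto, (sn, sw), (dn, dw) in aces:
        if proto not in ("ip", pkt.proto):
            continue
        if wildcard_match(pkt.src, sn, sw) and wildcard_match(pkt.dst, dn, dw):
            return action
    return "deny"


# Assumed topology from the thread's addresses. 192.168.2.4 is taken to sit
# behind g0/0. The physical g0/1 has no routed subnet once subinterfaces exist,
# so an ACL bound to it is never consulted here for VLAN-tagged traffic (an
# assumption that matches the thread's "ping still works" reports).
TOPOLOGY = {
    "g0/0": "192.168.2.0/24",
    "g0/1.1": "192.168.5.0/24",  # VLAN 1 (native)
    "g0/1.2": "192.168.1.0/24",  # VLAN 10
    "g0/1.3": "192.168.4.0/24",  # VLAN 20
}


def _iface_for(addr: str):
    for name, net in TOPOLOGY.items():
        if ipaddress.IPv4Address(addr) in ipaddress.IPv4Network(net):
            return name
    return None


def route(bindings: dict, pkt: Packet) -> str:
    """bindings maps (interface, 'in'|'out') to a parsed ACL. Returns
    'forwarded' or the interface and direction where the packet was dropped."""
    ingress, egress = _iface_for(pkt.src), _iface_for(pkt.dst)
    if ingress is None or egress is None:
        return "no route"
    for iface, direction in ((ingress, "in"), (egress, "out")):
        acl = bindings.get((iface, direction))
        if acl is not None and evaluate(acl, pkt) == "deny":
            return f"dropped {iface} {direction}"
    return "forwarded"


ICMP_BLOCK = parse_acl("""
ip access-list extended icmp-block
 deny icmp any host 192.168.2.4
 permit ip any any
""")

# Constructed traffic: a ping from each VLAN to the target host, plus a TCP
# packet to the same host that the ACL must leave alone.
PINGS = [Packet("icmp", f"192.168.{v}.20", "192.168.2.4") for v in (5, 1, 4)]
WEB = Packet("tcp", "192.168.1.20", "192.168.2.4")


def placement_report() -> dict:
    """Outcome of each test packet under the three placements the thread tries."""
    physical_only = {("g0/1", "in"): ICMP_BLOCK}
    every_subif = {(i, "in"): ICMP_BLOCK for i in TOPOLOGY if i.startswith("g0/1.")}
    egress_once = {("g0/0", "out"): ICMP_BLOCK}
    return {
        name: [route(b, p) for p in PINGS + [WEB]]
        for name, b in (("g0/1 in", physical_only),
                        ("subinterfaces in", every_subif),
                        ("g0/0 out", egress_once))
    }
```

Calling `placement_report()` gives one row per placement: the physical-interface binding drops nothing in this model, the per-subinterface binding drops each VLAN's ping only because a copy of the ACL sits on that VLAN's subinterface, and the single outbound binding on g0/0 drops all three pings while the TCP packet still passes. The same parser handles the thread's later variants (`deny icmp 192.168.0.0 0.0.255.255 host 192.168.2.4`), so you can check a candidate ACL against real source and destination pairs before committing it to the router; ACE order matters, since a `permit ip any any` entered first would never let a later deny match.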