ACL Inter VLAN woes

satishtech Member Posts: 243
I am trying to block ICMP to a PC.
I am unable to apply the ACL on an InterVLAN Interface(incoming).
All other Interfaces work OK.

Does not work (InterVLAN Interface):

interface GigabitEthernet0/1
ip address 192.168.10.1 255.255.255.0
ip access-group icmp-block in
duplex auto
speed auto

ip access-list extended icmp-block
deny icmp any host 192.168.2.4
permit ip any any

Works:

interface GigabitEthernet0/0
ip address 192.168.10.1 255.255.255.0
ip access-group icmp-block out
duplex auto
speed auto

ip access-list extended icmp-block
deny icmp any host 192.168.2.4
permit ip any any

Comments

  • satishtech Member Posts: 243
    I think I figured it out. Makes me wonder how much there is to learn and how
    complicated the CCENT exam can get. I wish there was a listing of all CCENT
    complicated lab scenarios.
  • blatini Member Posts: 285
    What was the resolution to this?
  • satishtech Member Posts: 243
    Apply ACL to all subinterfaces created under int g0/1.
    Now the ACL does its job of filtering ICMP traffic.
    Hope I am right. (Correct me if I am wrong.)

    config:

    interface GigabitEthernet0/1.1
    encapsulation dot1Q 1 native
    ip address 192.168.5.1 255.255.255.0
    ip access-group icmp-block in
    !
    interface GigabitEthernet0/1.2
    encapsulation dot1Q 10
    ip address 192.168.1.1 255.255.255.0
    ip access-group icmp-block in
    !
    interface GigabitEthernet0/1.3
    encapsulation dot1Q 20
    ip address 192.168.4.1 255.255.255.0
    ip access-group icmp-block in
  • networker050184 Mod Posts: 11,962
    You don't need it on all of the interfaces. I think you are failing to understand what portion of the packet the ACL will be matching on.
    An expert is a man who has made all the mistakes which can be made.
  • satishtech Member Posts: 243
    So how do I rectify this?
    Kindly clarify, networker.
  • networker050184 Mod Posts: 11,962
    You need to understand how it works before you can fix it. When a packet traverses those interfaces inbound and outbound what are the source and destination addresses going to be? That is how you know what type and where to place your ACL.
    An expert is a man who has made all the mistakes which can be made.
  • AwesomeGarrett Member Posts: 257
    networker, forcing newbies to think since 2007.
  • satishtech Member Posts: 243
    I used this on int g0/1:

    ip access-list extended icmp-block
    deny icmp 192.168.0.0 0.0.255.255 host 192.168.2.4
    permit ip any any

    Nope: ping still works!!

    So I do not need to place the ACL on all subinterfaces of a VLAN?
    Will only the int g0/1 do?

    I even tried this; ping still works:
    ip access-list extended icmp-block
    deny icmp 192.168.4.0 0.0.0.255 host 192.168.2.4
    deny icmp 192.168.5.0 0.0.0.255 host 192.168.2.4
    deny icmp 192.168.1.0 0.0.0.255 host 192.168.2.4
    deny icmp 192.168.10.0 0.0.0.255 host 192.168.2.4
    permit ip any any
    !

    thinking....
  • satishtech Member Posts: 243
    Will this work?

    Router(config-if)#int range g0/1.1 - g0/1.3
    Router(config-if-range)#ip access-group icmp-block in
  • satishtech Member Posts: 243
    Can I also apply the ACL outgoing on the g0/0 interface? That would be applied only once. Kindly clarify.
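An added example, not code from the thread, that models the placement question the whole thread turns on: an inbound ACL is consulted only on the (sub)interface the packet actually arrives on, so an ACL bound to physical g0/1 is never hit by traffic that enters tagged on g0/1.x, while one outbound ACL on the interface facing the PC covers every source VLAN. Assumptions: g0/0 faces the PC's subnet 192.168.2.0/24 (the thread never states it), wildcard masks are written as CIDR, and the ACL is the thread's `icmp-block`.

```python
import ipaddress

# Constructed topology (assumption): g0/0 faces the PC's subnet; the g0/1
# subinterfaces carry the VLAN subnets from the poster's final config.
INTERFACES = {
    "g0/0":   ipaddress.ip_network("192.168.2.0/24"),
    "g0/1.1": ipaddress.ip_network("192.168.5.0/24"),
    "g0/1.2": ipaddress.ip_network("192.168.1.0/24"),
    "g0/1.3": ipaddress.ip_network("192.168.4.0/24"),
}

# The thread's extended ACL as (action, protocol, source, destination);
# "any" is written as 0.0.0.0/0 and "host x" as x/32.
ICMP_BLOCK = [
    ("deny",   "icmp", "0.0.0.0/0", "192.168.2.4/32"),
    ("permit", "ip",   "0.0.0.0/0", "0.0.0.0/0"),
]

def acl_permits(acl, proto, src, dst):
    """First matching entry wins; no match means the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, srcnet, dstnet in acl:
        if p in ("ip", proto) and s in ipaddress.ip_network(srcnet) \
                and d in ipaddress.ip_network(dstnet):
            return action == "permit"
    return False

def interface_for(addr):
    """Directly connected (sub)interface whose subnet contains addr."""
    a = ipaddress.ip_address(addr)
    return next((n for n, net in INTERFACES.items() if a in net), None)

def forward(bindings, proto, src, dst):
    """bindings maps (interface, 'in'|'out') -> ACL, like ip access-group.
    Returns (permitted, list of ACL bindings that were actually consulted)."""
    ingress, egress = interface_for(src), interface_for(dst)
    checked = []
    for iface, direction in ((ingress, "in"), (egress, "out")):
        acl = bindings.get((iface, direction))
        if acl is None:          # no ACL bound here: nothing to evaluate
            continue
        checked.append(f"{iface} {direction}")
        if not acl_permits(acl, proto, src, dst):
            return False, checked
    return True, checked

if __name__ == "__main__":
    # The original post: ACL on physical g0/1, packet arrives on g0/1.3.
    print(forward({("g0/1", "in"): ICMP_BLOCK}, "icmp", "192.168.4.10", "192.168.2.4"))
    # One outbound binding on g0/0 filters pings from every VLAN.
    print(forward({("g0/0", "out"): ICMP_BLOCK}, "icmp", "192.168.5.10", "192.168.2.4"))
```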