
Vlan ACL question

johnwest43 Member Posts: 294
I have a router-on-a-stick setup with the router providing DHCP to two networks, 10.10.10.0 and 192.168.0.0. The switch IP address is 10.10.10.2 and the router's interface IPs are 10.10.10.1 (fa0/0.1) and 192.168.0.1 (fa0/0.2).

When I configure an ACL (access-list 10 deny 192.168.0.0 0.0.255.255) and apply it to fa0/0.1 (ip access-group 10 in) and ping 10.10.10.1 and 10.10.10.2 from a PC with IP address 192.168.0.3, I get a response. Is this normal?

When I configure an ACL (access-list deny 10.10.10.0 0.255.255.255) and apply it to fa0/0.2, I can ping 10.10.10.1 and get a response, but if I ping the switch (10.10.10.2) it times out.

How can I prohibit traffic from fa0/0.2 from entering fa0/0.1?

Thanks for the help

John
CCNP: ROUTE [x], SWITCH [x], TSHOOT [x] Completed on 2/18/2014

Comments

    john-cisco Member Posts: 6
    Both of those interfaces on the router will put the two ranges in your routing table.
    Traffic is not really entering from fa0/0.1.
    Your router knows how to get to both ranges; that's why this is working.

    Not sure how to fix it, though.
    Bl8ckr0uter Inactive Imported Users Posts: 5,031
    johnwest43 wrote: »
    I have a router-on-a-stick setup with the router providing DHCP to two networks, 10.10.10.0 and 192.168.0.0. The switch IP address is 10.10.10.2 and the router's interface IPs are 10.10.10.1 (fa0/0.1) and 192.168.0.1 (fa0/0.2).

    When I configure an ACL (access-list 10 deny 192.168.0.0 0.0.255.255) and apply it to fa0/0.1 (ip access-group 10 in) and ping 10.10.10.1 and 10.10.10.2 from a PC with IP address 192.168.0.3, I get a response. Is this normal?

    When I configure an ACL (access-list deny 10.10.10.0 0.255.255.255) and apply it to fa0/0.2, I can ping 10.10.10.1 and get a response, but if I ping the switch (10.10.10.2) it times out.

    How can I prohibit traffic from fa0/0.2 from entering fa0/0.1?

    Thanks for the help

    John
    Why not use an extended access list and just deny echo?
    mikej412 Member Posts: 10,086
    johnwest43 wrote: »
    Is this normal?
    If you have an ACL with just a single deny statement, then the implicit deny at the end would deny all traffic.....

    Is that your complete ACL?

    Are you using a simulator or real hardware?

    The ACL IN/OUT is from the router's point of view.

    A packet from 192.168.0.0 network goes IN the router's FA0/0.2 interface and OUT the router's FA0/0.1 interface to reach the 10.10.10.0 network.

    So -- no, not normal. If all you have is that single ACL line, even applied in the wrong direction, the reply traffic should be blocked.
    johnwest43 wrote: »
    When I configure an acl (access-list deny 10.10.10.0 0.255.255.255) and apply it to fa0/0.2 i can ping 10.10.10.1 and get a response but if i ping the switch (10.10.10.2) it times out.
    Applied IN or OUT? Pinging from where?

    Just that single ACL line? Or is there more?

    But if you can ping the 10.10.10.1 router interface but not the 10.10.10.2 switch -- then I'd guess you can't ping the switch because the switch doesn't have a default gateway configured and you're pinging from somewhere on the 192.168.0.0 network.....
    knwminus wrote: »
    Why not use an extended access list and just deny echo ?
    Probably because they need to learn how a standard access list works -- and the proper placement and "direction" -- before they move on to the extended access list.
    Cisco Certifications -- Collect the Entire Set!
    johnwest43 Member Posts: 294
    Sorry mikej412, I was quite tired when I wrote this post. I also have an ACL to permit any to defeat the implied deny all. I think you solved my problem: I was applying the ACL to int fa0/0.1 in, not fa0/0.2 in. I will try this today and let you know.

    Thank you for the insight.

    John
    mikej412 Member Posts: 10,086
    johnwest43 wrote: »
    I think you solved my problem: I was applying the ACL to int fa0/0.1 in, not fa0/0.2 in.
    If you apply the ACL too close to the source, you actually deny ALL traffic from the 192.168.0.0 network -- not just the traffic destined for the 10.10.10.0 network.

    If FA0/0.1 is the 10.10.10.0 network, the traffic that came IN from the 192.168.0.0 network (via the FA0/0.2 interface) is going to go OUT the FA0/0.1 interface to reach the 10.10.10.0 network.

    You are the router. Hold your arms up. Your right arm is the 192.168.0.0 network. Your left arm is the 10.10.10.0 network. If your right hand thumb pings your left hand thumb, the packets travel up your right arm, IN to your right shoulder (FA0/0.2), your brain checks the packet and sees it headed for your left arm (which is directly connected to your body) and switches the packet from your right shoulder to your left shoulder (FA0/0.1). From there, the packet goes OUT your left shoulder and down your arm to the left thumb.

    If you apply the ACL IN on your right shoulder, you'd also never be able to ping your big toe -- on either foot -- or anything else. It would block too much traffic.

    If you apply the ACL IN on your left shoulder (FA0/0.1), your brain never sees a packet come IN the left shoulder from your left hand sourced from your right thumb -- since packets from your right thumb always come into your body (router) from the right arm through the right shoulder (FA0/0.2). You'd have to surgically remove your thumb from your right hand and move it to your left hand for your ACL to work -- but then your right index finger would still be able to send packets....

    Now, if you applied your ACL OUT on your left shoulder, would that achieve your objective? Would that stop packets from any finger on your right hand from reaching any finger on your left hand? Would your right thumb still be able to communicate with your big toes?

    So think like the router. Be the router.

    What's your answer now? :D
    johnwest43 Member Posts: 294
    OK, I gave it a try and I am still able to ping fa0/0.1 (10.10.10.1) from VLAN 2 (192.168.0.0).

    Below is the running config of the router and some simple output from a PC in VLAN 2.

    Go figure, there must be something small that I am missing.

    Thanks again for the help, the body analogy is a great way of thinking like a router!!


    Here is my current running config on the router:
    Current configuration : 1269 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Router
    !
    boot-start-marker
    boot-end-marker
    !
    !
    no aaa new-model
    no network-clock-participate slot 1
    no network-clock-participate wic 0
    ip cef
    !
    !
    no ip dhcp use vrf connected
    ip dhcp excluded-address 10.10.10.1 10.10.10.2
    ip dhcp excluded-address 192.168.0.1
    !
    ip dhcp pool vlan1
    network 10.10.10.0 255.255.255.0
    default-router 10.10.10.1
    domain-name test.com
    !
    ip dhcp pool vlan2
    network 192.168.0.0 255.255.255.0
    domain-name test2.com
    default-router 192.168.0.1
    !
    no ip domain lookup
    multilink bundle-name authenticated
    !
    archive
    log config
    hidekeys
    !
    interface FastEthernet0/0
    no ip address
    speed 100
    full-duplex
    !
    interface FastEthernet0/0.1
    encapsulation dot1Q 1 native
    ip address 10.10.10.1 255.255.255.0
    ip access-group 10 out
    !
    interface FastEthernet0/0.2
    encapsulation dot1Q 2
    ip address 192.168.0.1 255.255.255.0
    !
    ip forward-protocol nd
    !
    ip http server
    no ip http secure-server
    !
    access-list 10 deny 192.168.0.0 0.0.255.255
    access-list 10 permit any
    !
    control-plane
    !
    line con 0
    line aux 0
    line vty 0 4
    login
    !
    !
    end
    Router#sh access-list
    Standard IP access list 10
    10 deny 192.168.0.0, wildcard bits 0.0.255.255 (16 matches)
    20 permit any

    Here is the output from the command prompt of a pc located in vlan2
    Ethernet adapter Local Area Connection:
    Connection-specific DNS Suffix . : test2.com
    Link-local IPv6 Address . . . . . : xxxxxxxxxxx
    IPv4 Address. . . . . . . . . . . : 192.168.0.3
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 0.0.0.0
    192.168.0.1
    C:\Users\john>ping 192.168.0.1
    Pinging 192.168.0.1 with 32 bytes of data:
    Reply from 192.168.0.1: bytes=32 time=3ms TTL=255
    Reply from 192.168.0.1: bytes=32 time=1ms TTL=255
    Reply from 192.168.0.1: bytes=32 time=1ms TTL=255
    Reply from 192.168.0.1: bytes=32 time=1ms TTL=255
    Ping statistics for 192.168.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 3ms, Average = 1ms
    C:\Users\john>ping 10.10.10.1
    Pinging 10.10.10.1 with 32 bytes of data:
    Reply from 10.10.10.1: bytes=32 time=3ms TTL=255
    Reply from 10.10.10.1: bytes=32 time=1ms TTL=255
    Reply from 10.10.10.1: bytes=32 time=1ms TTL=255
    Reply from 10.10.10.1: bytes=32 time=1ms TTL=255
    Ping statistics for 10.10.10.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 3ms, Average = 1ms
    C:\Users\john>ping 10.10.10.2
    Pinging 10.10.10.2 with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Ping statistics for 10.10.10.2:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
    mikem2te Member Posts: 407
    The ACL applied on interface FastEthernet0/0.1 only applies to traffic going out through that interface (down the arm, using the body and arm analogy). As the 10.10.10.1 address is the router itself (the body), this ACL does not apply, so pings to 10.10.10.1 will be successful, but pings to any other address on the 10.10.10.0 network should fail.

    To block traffic to the entire 10.10.10.0 range would require an extended ACL closer to the source of the traffic (FastEthernet0/0.2 in), something like:
    access-list 100 deny ip 192.168.0.0 0.0.0.255 10.10.10.0 0.0.0.255
    access-list 100 permit ip any any

    Or something like that anyway
    Blog : http://www.caerffili.co.uk/

    Previous : Passed Configuring Microsoft Office SharePoint Server 2007 (70-630)
    Currently : EIGRP & OSPF
    Next : CCNP Route
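    The placement question that runs through this thread (standard ACL in on fa0/0.1, out on fa0/0.1, extended ACL in on fa0/0.2, and mikej412's point about the implicit deny catching the echo replies) can be traced packet by packet with a small model of how IOS consults ACLs. The following is an added example, not code from the thread or from Cisco: it implements IOS wildcard-mask matching, first-match semantics with the implicit deny, and the rule that a packet addressed to one of the router's own interfaces is handed to the router itself and never traverses an outbound ACL. The Router class, the scenario labels and the four test packets (echo from the PC at 192.168.0.3 to 10.10.10.1, 10.10.10.2 and 192.168.0.1, plus the echo reply from 10.10.10.2) are constructed for illustration and only model the forwarding path, not the reply the router itself generates.

```python
# Added example (not from the thread): a toy model of where an IOS ACL is
# consulted on a router-on-a-stick. Wildcard matching, first-match/implicit-deny
# and "packets addressed to the router itself never hit an outbound ACL" follow
# IOS behaviour; the Router class, labels and test packets are constructed here.
import ipaddress
from dataclasses import dataclass
from typing import Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    return (a & care) == (b & care)


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    src: tuple                   # (base, wildcard)
    dst: Optional[tuple] = None  # None for a standard ACL, which matches source only


def evaluate(acl, src: str, dst: str) -> str:
    """First matching ACE wins; every ACL ends in an implicit deny."""
    for ace in acl:
        if wildcard_match(src, *ace.src) and (ace.dst is None or wildcard_match(dst, *ace.dst)):
            return ace.action
    return "deny"


@dataclass
class Interface:
    name: str
    address: str   # the router's own address on this subinterface
    network: str   # connected prefix
    acl_in: Optional[list] = None
    acl_out: Optional[list] = None


class Router:
    def __init__(self, *interfaces: Interface):
        self.interfaces = list(interfaces)

    def _connected(self, addr: str) -> Optional[Interface]:
        ip = ipaddress.IPv4Address(addr)
        return next((i for i in self.interfaces if ip in ipaddress.IPv4Network(i.network)), None)

    def forward(self, src: str, dst: str) -> str:
        """Trace one packet: inbound ACL, then local delivery, then outbound ACL."""
        ingress = self._connected(src)
        if ingress is None:
            return "dropped: source not on a connected network"
        if ingress.acl_in and evaluate(ingress.acl_in, src, dst) == "deny":
            return f"dropped: inbound ACL on {ingress.name}"
        if any(i.address == dst for i in self.interfaces):
            return "delivered to router itself"  # outbound ACLs are never consulted
        egress = self._connected(dst)
        if egress is None:
            return "dropped: no route"
        if egress.acl_out and evaluate(egress.acl_out, src, dst) == "deny":
            return f"dropped: outbound ACL on {egress.name}"
        return f"forwarded out {egress.name}"


ANY = ("0.0.0.0", "255.255.255.255")
# access-list 10 deny 192.168.0.0 0.0.255.255 / access-list 10 permit any
ACL_10 = [Ace("deny", ("192.168.0.0", "0.0.255.255")), Ace("permit", ANY)]
# access-list 100 deny ip 192.168.0.0 0.0.0.255 10.10.10.0 0.0.0.255 / permit ip any any
ACL_100 = [Ace("deny", ("192.168.0.0", "0.0.0.255"), ("10.10.10.0", "0.0.0.255")), Ace("permit", ANY, ANY)]
PC, SWITCH, GW_VLAN1, GW_VLAN2 = "192.168.0.3", "10.10.10.2", "10.10.10.1", "192.168.0.1"


def build(fa1_in=None, fa1_out=None, fa2_in=None) -> Router:
    return Router(Interface("Fa0/0.1", GW_VLAN1, "10.10.10.0/24", fa1_in, fa1_out),
                  Interface("Fa0/0.2", GW_VLAN2, "192.168.0.0/24", fa2_in))


def run_scenarios() -> dict:
    """Every placement discussed in the thread, traced for the same four packets."""
    placements = {
        "acl 10 in on Fa0/0.1 (original post)": build(fa1_in=ACL_10),
        "acl 10 in on Fa0/0.1, no permit any": build(fa1_in=ACL_10[:1]),
        "acl 10 out on Fa0/0.1 (posted config)": build(fa1_out=ACL_10),
        "acl 10 in on Fa0/0.2 (too close to source)": build(fa2_in=ACL_10),
        "acl 100 in on Fa0/0.2 (extended)": build(fa2_in=ACL_100),
    }
    return {label: {"echo PC -> 10.10.10.1": r.forward(PC, GW_VLAN1),
                    "echo PC -> 10.10.10.2": r.forward(PC, SWITCH),
                    "echo PC -> 192.168.0.1": r.forward(PC, GW_VLAN2),
                    "reply 10.10.10.2 -> PC": r.forward(SWITCH, PC)}
            for label, r in placements.items()}


if __name__ == "__main__":
    for label, traces in run_scenarios().items():
        print(label)
        for packet, outcome in traces.items():
            print(f"  {packet:24} {outcome}")
```

    Run as a script it prints one trace per placement. The first scenario reproduces the original symptom: with the ACL inbound on Fa0/0.1 the echo requests never meet it, and the "permit any" lets the replies from 10.10.10.2 back through, which is why the pings succeed; drop the permit and the implicit deny eats the replies, which is the case mikej412 describes. The "out on Fa0/0.1" scenario matches the posted config: pings to the switch are dropped, but pings to 10.10.10.1 are delivered to the router itself without ever reaching the outbound ACL. The standard ACL inbound on Fa0/0.2 blocks everything from the PC, including its own gateway, while the extended ACL inbound on Fa0/0.2 blocks only the 192.168.0.0/24 to 10.10.10.0/24 pairs and still lets the PC reach 192.168.0.1. Two caveats worth keeping in mind: a wildcard of 0.0.255.255 covers all of 192.168.0.0/16, not just the /24 in use, and nothing here protects the router's own interface addresses, which an interface ACL applied outbound can never do.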
    N3tWrkNut Member Posts: 30
    This has to be the best posting ever! I love the analogy! Very helpful to those of us who are working on this stuff.
    johnwest43 Member Posts: 294
    The extended access list did the trick!! I removed access list 10 and created the extended access list 100 as shown above. Works like a dream. Thanks again for all the help!!