
ACL - I just don't get it

jamesleecoleman Member Posts: 1,899
I've been trying to do an ACL for weeks and I still don't understand it. I'm trying to block traffic from a server with the IP address of 192.168.1.2. Can anyone help me out?

This is my running-config

Router#show ru
Building configuration...

Current configuration : 1626 bytes
!
version 12.4
no service password-encryption
!
hostname Router
!
!
!
!
!
ip ssh version 1
!
!
interface FastEthernet0/0
ip address 192.168.0.1 255.255.255.224
ip access-group 1 in
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.0.33 255.255.255.224
duplex auto
speed auto
!
interface Serial0/0/0
ip address 192.168.10.1 255.255.255.252
encapsulation ppp
clock rate 4000000
!
!
interface Vlan1
no ip address
shutdown
!
router eigrp 1
network 192.168.0.0 0.0.0.31
network 192.168.0.32 0.0.0.31
network 192.168.10.0
auto-summary
!
ip classless
!
!
access-list 1 deny host 192.168.1.2
access-list 1 permit any
!
!
ip dhcp pool fa0/0
network 192.168.0.0 255.255.255.224
default-router 192.168.0.1
dns-server 192.168.1.2
ip dhcp pool fa0/1
network 192.168.0.32 255.255.255.224
default-router 192.168.0.33
dns-server 192.168.1.2
!
line con 0
line vty 0 4
login
!
!
end
Booya!!
WIP : | CISSP [2018] | CISA [2018] | CAPM [2018] | eCPPT [2018] | CRISC [2019] | TORFL (TRKI) B1 | Learning: | Russian | Farsi |
*****You can fail a test a bunch of times but what matters is that if you fail to give up or not*****

Comments

    mikej412 Member Posts: 10,086
    Did you do a traceroute from that server and verify that the traffic does (and always will) come in on interface FastEthernet0/0?

    What are you doing and what kind of traffic are you sending to test the acl?

    What is the topology? Based on the ACL location I'd expect the traffic to be coming from another router on the network segment containing the 192.168.0.1 router interface.
    :mike: Cisco Certifications -- Collect the Entire Set!
    jjbrog Member Posts: 149
    Where is the server located? From the looks of it, or just my guessing, your LAN is on one of the Fast Ethernet ports, and you're trying to block access from the server. But what you're doing is blocking 192.168.1.2 from sending anything inbound to f0/0, and the addr assigned on f0/0 is in a different subnet anyway (than the switch addr mentioned); generally that particular address (and the most commonly used def gateway, obviously) is only connected to a switch, then to PCs, and that's it. But since you only posted a running config for one router, we have no idea where that server is. I'm guessing you want to prevent it from going out f0/0; if that's the case, simply change "ip access-group 1 in" to "ip access-group 1 out".
    Started a forum for networking students, its new and needs people!
    http://netadminstudents.zxq.net/phpBB3/
    HTC students encouraged to join :)
    tech-airman Member Posts: 953
    > I've been trying to do an ACL for weeks and I still don't understand it. I'm trying to block traffic from a server with the IP address of 192.168.1.2. Can anyone help me out?

    jamesleecoleman,

    What is the overall network topology for your network?
    fly351 Member Posts: 360
    Based on the OP, I would assume that the 192.168.1.2 is trying to exit fa0/0. In which case, you would need to change the applied ACL from ip access-group 1 in to ip access-group 1 out.


    interface FastEthernet0/0
    ip address 192.168.0.1 255.255.255.224
    ip access-group 1 in
    duplex auto
    speed auto
    !
    interface FastEthernet0/1
    ip address 192.168.0.33 255.255.255.224
    duplex auto
    speed auto
    !
    interface Serial0/0/0
    ip address 192.168.10.1 255.255.255.252
    encapsulation ppp
    clock rate 4000000
    !
    access-list 1 deny host 192.168.1.2
    access-list 1 permit any
    CCNP :study:
    ilcram19-2 Banned Posts: 436
    or do an extended

    - if the destination is the 192.168.1.2

    ip access-list ext fa0/0_in
    deny ip any host 192.168.1.2
    permit ip any any

    interface FastEthernet0/0
    ip access-group fa0/0_in in



    - if the source is 192.168.1.2

    ip access-list ext fa0/0_out
    deny ip host 192.168.1.2 any
    permit ip any any

    interface FastEthernet0/0
    ip access-group fa0/0_out out


    hope that helps
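The direction question that fly351 and ilcram19-2 answer above (inbound ACL checked on the arriving interface, outbound ACL on the exit interface, standard ACL matching source only, first match wins, implicit deny at the end) is easy to see in a small simulator. The following is an added example written for this thread, not code from any of the posters and not real IOS code. It models the OP's three interfaces and, like the replies, assumes the server 192.168.1.2 is reached through Serial0/0/0; the LAN host 192.168.0.5 and the routing shortcut (connected networks, everything else to the serial link) are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Added example for this thread, not from the posts above and not real IOS code.
# Assumption: the server 192.168.1.2 sits beyond Serial0/0/0 (the thread never
# says where it actually is), and non-connected destinations are routed there.


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"


@dataclass
class AclEntry:
    action: str          # "permit" or "deny"
    src: str             # "any", "host A.B.C.D" or "A.B.C.D WILDCARD"
    dst: str = "any"     # a standard ACL (like access-list 1) only looks at src
    proto: str = "ip"


def wildcard_match(addr: str, spec: str) -> bool:
    """Cisco matching: 'any', 'host X', or 'X W' where 1-bits of W are don't-care."""
    if spec == "any":
        return True
    base, *rest = spec.split()
    if base == "host":
        return addr == rest[0]
    wild = int(ipaddress.IPv4Address(rest[0]))
    care = ~wild & 0xFFFFFFFF          # bits that must be equal
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    return (a & care) == (b & care)


def evaluate_acl(entries: List[AclEntry], pkt: Packet) -> str:
    """First matching entry wins; falling off the end is the implicit deny."""
    for e in entries:
        if (e.proto in ("ip", pkt.proto) and wildcard_match(pkt.src, e.src)
                and wildcard_match(pkt.dst, e.dst)):
            return e.action
    return "deny"


@dataclass
class Interface:
    name: str
    network: ipaddress.IPv4Network
    acl_in: Optional[List[AclEntry]] = None
    acl_out: Optional[List[AclEntry]] = None


class Router:
    def __init__(self, interfaces: List[Interface], default: Interface):
        self.ifaces = {i.name: i for i in interfaces}
        self.default = default        # exit for destinations not directly connected

    def egress_for(self, dst: str) -> Interface:
        a = ipaddress.IPv4Address(dst)
        for i in self.ifaces.values():
            if a in i.network:
                return i
        return self.default

    def forward(self, pkt: Packet, ingress: str) -> str:
        """Inbound ACL is checked on arrival; outbound ACL only on the exit interface."""
        in_if = self.ifaces[ingress]
        if in_if.acl_in is not None and evaluate_acl(in_if.acl_in, pkt) == "deny":
            return f"dropped by inbound ACL on {in_if.name}"
        out_if = self.egress_for(pkt.dst)
        if out_if.acl_out is not None and evaluate_acl(out_if.acl_out, pkt) == "deny":
            return f"dropped by outbound ACL on {out_if.name}"
        return f"forwarded {in_if.name} -> {out_if.name}"


# access-list 1 from the OP's config (standard ACL: source address only)
ACL_1 = [AclEntry("deny", "host 192.168.1.2"), AclEntry("permit", "any")]
# ilcram19-2's extended ACL for the "destination is the server" case
ACL_FA00_IN = [AclEntry("deny", "any", "host 192.168.1.2"), AclEntry("permit", "any", "any")]


def build_router(fa00_in=None, fa00_out=None) -> Router:
    """The OP's interfaces, with whatever ACLs the caller applies to fa0/0."""
    fa00 = Interface("FastEthernet0/0", ipaddress.IPv4Network("192.168.0.0/27"), fa00_in, fa00_out)
    fa01 = Interface("FastEthernet0/1", ipaddress.IPv4Network("192.168.0.32/27"))
    s000 = Interface("Serial0/0/0", ipaddress.IPv4Network("192.168.10.0/30"))
    return Router([fa00, fa01, s000], default=s000)


def server_to_lan(acl1_direction: str) -> str:
    """Server (assumed behind the serial link) sending to a constructed LAN host on fa0/0."""
    r = build_router(fa00_in=ACL_1 if acl1_direction == "in" else None,
                     fa00_out=ACL_1 if acl1_direction == "out" else None)
    return r.forward(Packet("192.168.1.2", "192.168.0.5"), "Serial0/0/0")


def lan_to_server(fa00_in: Optional[List[AclEntry]]) -> str:
    """LAN host on fa0/0 sending to the server, with the given ACL applied inbound on fa0/0."""
    return build_router(fa00_in=fa00_in).forward(Packet("192.168.0.5", "192.168.1.2"), "FastEthernet0/0")


if __name__ == "__main__":
    print("ACL 1 in  on fa0/0, server -> LAN:", server_to_lan("in"))   # ACL never consulted
    print("ACL 1 out on fa0/0, server -> LAN:", server_to_lan("out"))
    print("ACL 1 in  on fa0/0, LAN -> server:", lan_to_server(ACL_1))  # source is the LAN host
    print("extended in on fa0/0, LAN -> server:", lan_to_server(ACL_FA00_IN))
```

Run it as a script: the first line shows why the OP's config had no effect (packets from the server never enter through fa0/0, so an inbound ACL there is never evaluated), the second shows fly351's `out` fix catching them on the way to the LAN, and the last two show that a standard ACL checks only the source, so blocking traffic *to* the server from the LAN needs ilcram19-2's extended form.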
    jamesleecoleman Member Posts: 1,899
    Thanks fly351 and everyone else for the input, it worked out for me. I get confused because I'm trying to figure out if the traffic is going to or coming from, and if it's going in or out. It seems really simple when everything is figured out.
    Heero Member Posts: 486
    > Thanks fly351 and everyone else for the input, it worked out for me. I get confused because I'm trying to figure out if the traffic is going to or coming from, and if it's going in or out. It seems really simple when everything is figured out.
    Sure does get a lot easier once you get past that first hump of visualizing if it's coming in or going out.