ACL help
adam041590 (Member, Posts: 6)
in CCNA & CCENT
I configured a simple lab of two computers, a switch and a router. The IP addresses are 192.168.0.1 and .4 for the PCs, and .250 / .254 for the switch and router respectively. I want to deny a PING from the .4 to the .1. If someone can explain what I am doing wrong with my access-list I'd really appreciate it, because as of right now everything is talking to each other. So I got frustrated and typed deny any any to see if it was Packet Tracer being stupid, and then nothing could talk; it said request timed out. So here's what I have:
Building configuration...
Current configuration : 903 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
!
!
ip dhcp excluded-address 192.168.0.250 192.168.0.254
!
ip dhcp pool TimeWarner
network 192.168.0.0 255.255.255.0
default-router 192.168.0.254
dns-server 192.168.0.254
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
ip access-group DENY_TRAFIC in
ip access-group 100 out
duplex auto
speed auto
!
interface FastEthernet0/0.1
encapsulation dot1Q 10 native
ip address 192.168.0.254 255.255.255.0
ip access-group DENY_TRAFIC in
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Vlan1
no ip address
shutdown
!
ip classless
!
!
ip access-list extended DENY_TRAFIC
deny icmp host 192.168.0.4 host 192.168.0.1 echo
permit ip any any
!
!
!
!
!
line con 0
line vty 0 4
login
!
!
!
end
Comments
Vask3n (Member, Posts: 517)
So you are pinging one host from another host on the same network, right? 192.168.0.0 /24.
If that is the case wouldn't the switch handle the packets and not the router? The router would handle anything sent to the default gateway but since the hosts are communicating from within the same network the default gateway is not needed and hence it is not sent to the router, hence the ACL does not kick in.
I am not sure if that is accurate, any input?
Working on MS-ISA at Western Governor's University
DCD (Member, Posts: 475)
You are correct, Vask3n. adam041590, pull the router out of the topology and then ping the PC.
adam041590 (Member, Posts: 6)
I see what you're saying, so then how do I configure an ACL that would work in the network internally, like if I wanted to limit traffic between two hosts in the same subnet? So the ACL I have would work if in fact the PCs were in two separate VLANs, perhaps.
NetworkVeteran (Member, Posts: 2,338)
adam041590 wrote: » I see what you're saying, so then how do I configure an ACL that would work in the network internally, like if I wanted to limit traffic between two hosts in the same subnet? So the ACL I have would work if in fact the PCs were in two separate VLANs, perhaps.
Since we're discussing traffic that doesn't cross a router and may even be L2-only, IP ACLs are a poor solution. Assuming a network re-design is impossible, switch features that could come to the rescue include--
1. MAC ACLs
2. Protected Ports
3. PVLANs
adam041590 (Member, Posts: 6)
Ok, that makes a lot more sense, and I played around with my lab by putting the PC in a different VLAN and thus I was able to deny traffic going to it. Are switching ACLs on the CCNA exam though, out of curiosity?
powmia (Users Awaiting Email Confirmation, Posts: 322)
NetworkVeteran wrote: » Since we're discussing traffic that doesn't cross a router and may even be L2-only, IP ACLs are a poor solution. Assuming a network re-design is impossible, switch features that could come to the rescue include--
1. MAC ACLs
2. Protected ports
3. PVLANs
VACL
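To make the switch-side options concrete, here is an added Catalyst IOS example (written for this thread, not posted by anyone in it) showing the VACL that powmia mentions next to the protected-port option from NetworkVeteran's list. It assumes the two PCs sit in VLAN 10 on the switch's FastEthernet0/1 and 0/2, neither of which is stated in the thread, and that the platform (or simulator) supports VACLs, which not all do.

```cisco
! Assumed: PC 192.168.0.4 is on Fa0/1 and PC 192.168.0.1 is on Fa0/2 of the
! switch, both in VLAN 10. The router's ACL never sees a ping between them
! because the hosts share a subnet and the switch forwards the frames at
! layer 2 without involving the default gateway.
!
! Option 1: VACL (vlan access-map). The extended ACL uses "permit" only to
! SELECT the traffic; the access-map's "action drop" is what discards it.
! The trailing forward clause is required, because a packet that matches no
! clause of the access-map is dropped.
ip access-list extended PING_4_TO_1
 permit icmp host 192.168.0.4 host 192.168.0.1 echo
!
vlan access-map NO_PING 10
 match ip address PING_4_TO_1
 action drop
vlan access-map NO_PING 20
 action forward
!
vlan filter NO_PING vlan-list 10
!
! Option 2: protected ports. All-or-nothing: two protected ports on the same
! switch cannot exchange any unicast, broadcast or multicast frames at all,
! ARP included, so this blocks far more than ICMP echo.
interface FastEthernet0/1
 switchport access vlan 10
 switchport protected
!
interface FastEthernet0/2
 switchport access vlan 10
 switchport protected
!
! Verification (exec mode):
!   show vlan access-map
!   show vlan filter
!   show interfaces FastEthernet0/1 switchport   <- look for "Protected: true"
```

With option 1 a ping from .4 to .1 fails while .1 can still ping .4 (the echo reply from .1 is not filtered, but .1's own echo requests are not matched by the ACL either); with option 2 neither host can reach the other in any way.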