I have the topology below:
On the network 10.11.9.0/24 (Area 3), I want to allow only traffic to the Internet.
How would I go about this? I was thinking of denying traffic to all of my network and allowing it for everything else.
Here are the commands I entered in R2, but they do not seem to work:
access-list 100 deny ip any 10.111.0.0 0.0.240.255
access-list 100 permit ip any any
!
interface GigabitEthernet0/0
ip access-group 100 out
!
These commands don't seem to work, but could it because of another reason like OSPF?
Should I be allowing everything to the ISP and denying everything else? How would I go about this?
Best Answer
As applied, your ACL is denying any IP traffic destined to 10.111.0.0 0.0.240.255 into Area 3. From what you described, I thought you wanted to deny traffic leaving Area 3, not entering it. The "in" and "out" keywords on the "ip access-group" command are from the perspective of the router, not the network or area, so the "out" that you use means anything outbound on the Area 3 interface (into Area 3).
You are probably trying to overthink the wildcard mask, which seems to be incorrect based on your question. It will not deny traffic to hosts in any other area. You probably just want something like 0.0.255.255, meaning you will deny traffic to any host in the 10.111.0.0/16 address range. It doesn't affect hosts in Area 3 from sending traffic to any host in Area 3. You can't do that from the router because the hosts in Area 3 are connected to a switch, and the traffic will pass directly from host to host, not through the router.
You probably want something like this:
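To make the wildcard-mask point concrete, here is an added Python model of Cisco ACL matching (example code, not from the question or the answer). It assumes "any" is represented as 0.0.0.0 255.255.255.255 and that the ACL is evaluated first-match with an implicit deny at the end, which is how IOS standard/extended ACLs behave.

```python
import ipaddress

def wildcard_matches(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a mask bit of 1 means 'don't care',
    a mask bit of 0 means 'must equal the network bit'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must match exactly
    return (a & care) == (n & care)

def acl_action(addr: str, entries) -> str:
    """First-match evaluation of a simplified ACL.
    entries: list of (action, network, wildcard). Implicit deny at the end."""
    for action, network, wildcard in entries:
        if wildcard_matches(addr, network, wildcard):
            return action
    return "deny"

# The ACL as posted in the question (0.0.240.255) and the /16 the answer suggests.
ANY = ("permit", "0.0.0.0", "255.255.255.255")
ACL_AS_POSTED = [("deny", "10.111.0.0", "0.0.240.255"), ANY]
ACL_SLASH16 = [("deny", "10.111.0.0", "0.0.255.255"), ANY]

def third_octets_denied(entries) -> list:
    """Which 10.111.X.0/24 subnets the ACL actually denies. With 0.0.240.255
    only the low four bits of the third octet must be zero, so just
    X in {0, 16, 32, ..., 240} match; every other /24 slips through."""
    return [x for x in range(256) if acl_action(f"10.111.{x}.1", entries) == "deny"]

if __name__ == "__main__":
    print("10.111.17.5 as posted :", acl_action("10.111.17.5", ACL_AS_POSTED))
    print("10.111.17.5 with /16  :", acl_action("10.111.17.5", ACL_SLASH16))
    print("subnets denied as posted:", third_octets_denied(ACL_AS_POSTED))
```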