Cisco ACL – Permit and Deny to Default Gateway OSPF Routing

Tags: acl, cisco, cisco-ios, ospf, routing

I have the topology below:

topology diagram

On the network 10.11.9.0/24 (Area 3), I want to allow only traffic to the Internet.

How would I go about this? I was thinking of denying traffic to all of my network and allowing it for everything else.

Here are the commands I entered in R2, but they do not seem to work:

access-list 100 deny ip any 10.111.0.0 0.0.240.255
access-list 100 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group 100 out
!

These commands don't seem to work, but could it be because of another reason, like OSPF?

Should I be allowing everything to the ISP and denying everything else? How would I go about this?

Best Answer

As applied, your ACL is denying any IP traffic destined to 10.111.0.0 0.0.240.255 into Area 3. From what you described, I thought you wanted to deny traffic leaving Area 3, not entering it. The in and out keywords on the ip access-group command are from the perspective of the router, not the network or area, so the out that you use means anything outbound on the Area 3 interface (into Area 3).

You are probably trying to overthink the wildcard mask, which seems to be incorrect based on your question. It will not deny traffic to hosts in any other area. You probably just want something like 0.0.255.255, meaning you will deny traffic to any host in the 10.111.0.0/16 address range. It doesn't affect hosts in Area 3 from sending traffic to any host in Area 3. You can't do that from the router because the hosts in Area 3 are connected to a switch, and the traffic will pass directly from host to host, not through the router.

You probably want something like this:

access-list 100 remark Block Area 3 hosts from reaching the rest of 10.111.0.0/16
access-list 100 deny ip any 10.111.0.0 0.0.255.255
access-list 100 remark Everything else (Internet, OSPF) is allowed
access-list 100 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group 100 in
!
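To make the wildcard-mask point concrete, here is a small ACL evaluator, added as an illustration and not part of the question or the answer. It parses extended ACL lines in the syntax used on this page, applies Cisco wildcard-mask matching (a 1 bit in the mask means "don't care", a 0 bit must match), and walks a packet through the list in order with the implicit deny at the end. The list numbers are written as 100 because IOS standard ACLs (1-99) only match on source and would not accept a destination field. The packet addresses (an Area 3 host at 10.11.9.20, a test Internet address 203.0.113.10, the OSPF AllSPFRouters group 224.0.0.5) are constructed for the example.

```python
"""Cisco wildcard-mask ACL evaluator (illustrative, not IOS code)."""
import ipaddress
from dataclasses import dataclass


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: mask bit 1 = don't care, mask bit 0 = must match."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF ^ w          # bits that must be equal
    return (a & care) == (b & care)


@dataclass
class Ace:
    action: str    # "permit" or "deny"
    src: str
    src_wc: str
    dst: str
    dst_wc: str


def parse_ace(line: str) -> Ace:
    """Parse 'access-list <n> <permit|deny> ip <src> <dst>' with any/host/wildcard forms."""
    toks = line.split()
    if toks[0] != "access-list" or toks[3] != "ip":
        raise ValueError(f"unsupported line: {line}")
    action = toks[2]

    def take(rest):
        if rest[0] == "any":                   # any == 0.0.0.0 255.255.255.255
            return ("0.0.0.0", "255.255.255.255"), rest[1:]
        if rest[0] == "host":                  # host X == X 0.0.0.0
            return (rest[1], "0.0.0.0"), rest[2:]
        return (rest[0], rest[1]), rest[2:]    # explicit base + wildcard

    (src, swc), rest = take(toks[4:])
    (dst, dwc), _ = take(rest)
    return Ace(action, src, swc, dst, dwc)


def evaluate(acl: list[Ace], src: str, dst: str) -> tuple[str, int]:
    """Return (action, 1-based line number) of the first matching entry; (deny, 0) = implicit deny."""
    for i, ace in enumerate(acl, 1):
        if wildcard_match(src, ace.src, ace.src_wc) and wildcard_match(dst, ace.dst, ace.dst_wc):
            return ace.action, i
    return "deny", 0


def third_octet_values(base: str, wildcard: str) -> list[int]:
    """Which third-octet values of 10.111.X.0 fall inside base/wildcard (first two octets fixed)."""
    return [v for v in range(256) if wildcard_match(f"10.111.{v}.0", base, wildcard)]


# The question's list (as posted) and the corrected list from the answer.
ORIGINAL_ACL = [parse_ace(l) for l in (
    "access-list 100 deny ip any 10.111.0.0 0.0.240.255",
    "access-list 100 permit ip any any",
)]
CORRECTED_ACL = [parse_ace(l) for l in (
    "access-list 100 deny ip any 10.111.0.0 0.0.255.255",
    "access-list 100 permit ip any any",
)]

if __name__ == "__main__":
    # Constructed sample flows from an Area 3 host (10.11.9.20).
    flows = [("10.11.9.20", "10.111.9.5"),      # another internal subnet
             ("10.11.9.20", "203.0.113.10"),    # Internet (TEST-NET-3)
             ("10.11.9.20", "224.0.0.5")]       # OSPF hellos: unaffected
    for name, acl in (("original", ORIGINAL_ACL), ("corrected", CORRECTED_ACL)):
        for s, d in flows:
            print(f"{name:9} {s} -> {d}: {evaluate(acl, s, d)}")
    # 0.0.240.255 only matches third octets 0,16,32,...,240, so 10.111.9.x slips through.
    print("third octets matched by 0.0.240.255:", third_octet_values("10.111.0.0", "0.0.240.255"))
```

Running it shows why the posted list "did not seem to work": with wildcard 0.0.240.255 the low four bits of the third octet must still match, so only 10.111.0.0/24, 10.111.16.0/24, ..., 10.111.240.0/24 are denied and traffic to 10.111.9.5 is permitted by line 2. With 0.0.255.255 the whole /16 is denied on line 1, while Internet-bound packets and OSPF hellos still fall through to the permit.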