Cisco – Why is the ACL not blocking traffic on the cisco router interface

Tags: acl, cisco, interface, router, routing

So here is my config.

I want traffic coming from all networks except 172.23.1.0/24 to be blocked by interface fa 0/0

So on the router I created 2 ACLs

ACL 10

R1(config)# access-list 10 permit 172.23.1.0 0.0.0.255

R1(config)# access-list 10 deny any

ACL 101

R1(config)# access-list 101 permit ip 172.23.1.0 0.0.0.255 10.10.10.0 0.0.0.255

Now I tried all the combinations: ip access-group 10 in, after that ip access-group 10 out, after that ip access-group 101 in and finally ip access-group 10 out. All of these on interface fa 0/0 of R1... But I can still ping hosts of the 10.10.10.0/24 network from anybody.

I'd like only hosts of 172.23.1.0/24 to be able to communicate with them... What did I do wrong here?

Below is R1 Config

hostname R1
!
!
no ip cef
no ipv6 cef
!
!
username admin password 7 08204B471D1C09
!!
ip ssh version 1
ip domain-name mycorp.com
!!
!
interface FastEthernet0/0
 no ip address
 ip access-group 101 in
 ip access-group 10 out
 duplex auto
 speed auto
!
interface FastEthernet0/0.2
 encapsulation dot1Q 99
 ip address 10.10.10.3 255.255.255.0
 ip access-group 10 in
!
interface FastEthernet0/0.3
 encapsulation dot1Q 100
 ip address 10.100.100.3 255.255.255.0
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Serial0/0
 ip address 192.168.1.130 255.255.255.192
!
interface Serial0/1
 no ip address
 clock rate 2000000
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.129 
!
ip flow-export version 9
!
!
access-list 15 permit 10.10.10.0 0.0.0.255
access-list 15 deny any
access-list 10 permit 172.23.1.0 0.0.0.255
access-list 10 permit 10.10.10.0 0.0.0.255
access-list 10 deny any
!
!
line con 0
!
line aux 0
!
line vty 0 4
 access-class 15 in
 password 7 08204B471D1C09
 login
line vty 5 15
 access-class 15 in
 login local
!
!
!
end

So below is the image of my network. Only PC2 should be able to communicate with PC1. PC3 should not, BUT it does...

My network

Best Answer

First, placing an ACL on an interface with no addressing, e.g. FastEthernet0/0, doesn't work.

Next, your ACL on FastEthernet0/0.2 is permitting traffic from 172.23.1.0/24 to come into the router from outside that interface, but there is no addressing in that network outside that interface. I'm not sure why you are permitting traffic from 10.10.10.0/24 in that interface because that is the only traffic that could possibly come into the interface. I don't think you want to apply the ACL to that interface.

Remember that standard ACLs should normally be applied as close to the destination as possible so that you do not block too much traffic, and extended ACLs should normally be applied as close to the source as possible so that you don't route traffic unnecessarily. Also, remember that there is an implicit deny any at the end of an ACL.

I think your 172.23.1.0/24 traffic is coming into Serial0/0. If that is the case, then you want to do this:

Standard ACL

access-list 10 permit 172.23.1.0 0.0.0.255
!
interface FastEthernet0/0.2
 ip access-group 10 out
!

-or-

Extended ACL:

access-list 101 permit ip 172.23.1.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 deny ip any 10.10.10.0 0.0.0.255
access-list 101 permit ip any any
!
interface Serial0/0
 ip access-group 101 in
!
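To see why the inbound binding on Fa0/0.2 never blocks PC3 while the answer's outbound binding does, here is an added Python model of Cisco ACL evaluation (written for this page, not code from the question or answer): wildcard matching, top-down first match, the implicit deny, and the rule that a transit packet only meets the ingress 'in' ACL and the egress 'out' ACL. It assumes PC3 sits behind Fa0/0.3 and PC1 behind Fa0/0.2; the host addresses and config strings are constructed.

```python
import ipaddress
ANY = ("0.0.0.0", "255.255.255.255")   # the 'any' keyword: every bit is a don't-care

def wc_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care' for that bit."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def take_addr(tokens):
    """Pop 'any' or '<network> <wildcard>' off the front of a token list."""
    n = 1 if tokens[0] == "any" else 2
    pair = ANY if n == 1 else (tokens[0], tokens[1])
    del tokens[:n]
    return pair

def parse_acl(config, number):
    """Entries of numbered ACL `number` as (action, (src, wc), (dst, wc)), in order."""
    entries = []
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] != ["access-list", str(number)]:
            continue
        action, rest = tok[2], tok[3:]
        if int(number) <= 99:                  # standard ACL (1-99): source only
            src, dst = take_addr(rest), ANY
        else:                                  # extended ACL: protocol, source, destination
            rest.pop(0)                        # protocol keyword; only 'ip' is modelled
            src, dst = take_addr(rest), take_addr(rest)
        entries.append((action, src, dst))
    return entries

def acl_permits(entries, src, dst):
    """Top-down first match; a packet matching no entry hits the implicit deny."""
    for action, s, d in entries:
        if wc_match(src, *s) and wc_match(dst, *d):
            return action == "permit"
    return False

def forwarded(config, bindings, ingress, egress, src, dst):
    """A transit packet is checked only by the ingress 'in' ACL and the egress 'out' ACL."""
    for iface, direction in ((ingress, "in"), (egress, "out")):
        number = bindings.get((iface, direction))
        if number and not acl_permits(parse_acl(config, number), src, dst):
            return False
    return True

# Constructed sample: the asker's ACL 10 bound 'in' on Fa0/0.2 vs the answer's ACL 10 bound 'out'.
ASKER_CFG = "access-list 10 permit 172.23.1.0 0.0.0.255\naccess-list 10 permit 10.10.10.0 0.0.0.255\naccess-list 10 deny any"
ANSWER_CFG = "access-list 10 permit 172.23.1.0 0.0.0.255"
ASKER_BIND, ANSWER_BIND = {("Fa0/0.2", "in"): 10}, {("Fa0/0.2", "out"): 10}
```

With the asker's binding, a PC3-to-PC1 packet enters on Fa0/0.3 and leaves on Fa0/0.2, so the 'in' ACL on Fa0/0.2 is never consulted even though its entries would deny it; with the answer's 'out' binding the same packet hits the implicit deny while PC2's traffic arriving on Serial0/0 is still permitted.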