So here is my config.
I want traffic coming from all networks except 172.23.1.0/24 to be blocked by inferface fa 0/0
So on the router I creater 2 ACLs
ACL 10
R1# access-list 10 permit 172.23.1.0 0.0.0.255
R1# access-list 10 deny any
ACL 101
R1# access-list 101 permit ip 172.23.1.0 0.0.0.255 10.10.10.0 0.0.0.255
Now I tried all the combination ip access-group 10 in
after that ip access-group 10 out
, after that ip access-group 101 in
and finnaly ip access-group 10 out
. All of these on interface fa 0/0 of R1…. But I can still ping hosts of 10.10.10.0/24 network with any body.
I'd like only host of 172.23.1.0/24 to be able to communicate with them… What did I do wrong here ?
Below is R1 Config
hostname R1
!
!
no ip cef
no ipv6 cef
!
!
username admin password 7 08204B471D1C09
!!
ip ssh version 1
ip domain-name mycorp.com
!!
!
interface FastEthernet0/0
no ip address
ip access-group 101 in
ip access-group 10 out
duplex auto
speed auto
!
interface FastEthernet0/0.2
encapsulation dot1Q 99
ip address 10.10.10.3 255.255.255.0
ip access-group 10 in
!
interface FastEthernet0/0.3
encapsulation dot1Q 100
ip address 10.100.100.3 255.255.255.0
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/0
ip address 192.168.1.130 255.255.255.192
!
interface Serial0/1
no ip address
clock rate 2000000
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.129
!
ip flow-export version 9
!
!
access-list 15 permit 10.10.10.0 0.0.0.255
access-list 15 deny any
access-list 10 permit 172.23.1.0 0.0.0.255
access-list 10 permit 10.10.10.0 0.0.0.255
access-list 10 deny any
!
!
line con 0
!
line aux 0
!
line vty 0 4
access-class 15 in
password 7 08204B471D1C09
login
line vty 5 15
access-class 15 in
login local
!
!
!
end
So below is the image of my network. Only PC2 only should be able to communicate with PC1. PC3 should not BUT it does…
Best Answer
First, placing an ACL on an interface with no addressing, e.g.
FastEthernet0/0
, doesn't work.Next, your ACL on
FastEthernet0/0.2
is permitting traffic from172.23.1.0/24
to come into the router from outside that interface, but there is no addressing in that network outside that interface. I'm not sure why you are permitting traffic from10.10.10/24
in that interface because that is the on traffic that could possibly com into the interface. I don't think you want to apply the ACL to that interface.Remember that standard ACLs should normally be applied as close to the destination as possible so that you do not block too much traffic, and extended ACLs should normally be applied to as close to the source as possible so that you don't route traffic unnecessarily. Also, remember that there is an implicit
deny any
at the end of an ACL.I think your
172.23.1.0/24
traffic is coming intoSerial0/0
. If that is the case, then you want to do this:Standard ACL
-or-
Extended ACL: