Access-List Suggestion

b.petronio
Level 3

Hi all,

Imagine I have one FastEthernet interface with two networks configured.

For example:

Fast 0/0

ip address 172.23.55.254 255.255.255.0

ip address 172.24.55.254 255.255.255.0 secondary

I don't want the users from one network to be able to reach the users on the other network.

What kind of access-list would be best to perform this?

Many thanks.

Petrónio


ankbhasi
Cisco Employee

Hi Friend,

Try this

access-list 101 deny ip 172.23.55.0 0.0.0.255 172.24.55.0 0.0.0.255
access-list 101 deny ip 172.24.55.0 0.0.0.255 172.23.55.0 0.0.0.255
access-list 101 permit ip any any

interface fa0/0
 ip access-group 101 in

I believe it should work. Try this and update the status.

HTH

Ankur

*Please rate all helpful posts

Ankur

Your answer looks logical and would be effective for traffic that depended on the router to forward it. But it ignores a basic reality in the original question. If there is a router interface with a primary subnet and a secondary subnet, then both subnets are in the same broadcast domain and any device in 172.23.55 could potentially ARP for any device in 172.24.55, receive a response and communicate directly without using the router at all.

Your answer is the best that we can do on the router, but we need to recognize that it is quite possible that the end stations may communicate directly without needing the router at all. And therefore the router may not be capable of preventing communication between 172.23.55 and 172.24.55.

If the question had asked about 2 subnets on different VLANs and the router were trunking, then an access list solution could be effective, but with secondary addressing the router may or may not be able to control this traffic.

HTH

Rick

Hi Rick,

I believe that when there are 2 hosts in different subnets, even though they are in the same VLAN, and one of them initiates a ping to the other, then because my client knows that the request is for someone on another subnet, it will send an ARP request for the gateway address; the gateway will respond with its MAC, and the packet will always hit the router first.

So I tried the same setup in my test bed, captured the traffic, and checked that every ping request is hitting my router first with the destination MAC address set to my router interface's MAC address.

Regards,

Ankur

Ankur

I think that there are at least 2 aspects of this to consider:

- whether the end station will ARP for other destinations depends a bit on the IP stack that it is running and on how the end station is configured. Some end stations will not ARP, but some may ARP.

- if the router receives a packet on an interface and forwards the packet back out the same interface, the IOS will generate a redirect to the originating device (you may disable this, but it is enabled by default). If the originating device receives a redirect it may then use this information and communicate directly.

I believe that the bottom line is that the router MAY be able to control traffic between the subnets, but it also may not be able to control it. You certainly cannot say that the router WILL control traffic between subnets. I believe that any design which has a requirement to control traffic between 2 subnets or networks and then puts both subnets into the same VLAN is a poor design and puts itself into a situation where its requirements may not be fully achieved.

HTH

Rick

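The following is an added worked example, not code from the thread or from Cisco. It is a small Python model of the two points made above: how IOS evaluates the extended ACL that Ankur posted (top-down, wildcard masks, first match wins, implicit deny at the end), and Rick's point that the ACL can only act on packets that actually reach the router, so an end station that treats the other subnet as on-link and ARPs for the destination itself bypasses it entirely. The ACL lines are the ones from the thread (with the log keyword Petrónio says he added); the hosts, their addresses, the extra_onlink prefix and the Host/deliver helpers are assumptions made for this illustration, and the host model (on-link if the destination is inside the interface network or an extra configured prefix) is a simplification of how real IP stacks behave.

```python
"""Model of one router interface carrying 172.23.55.0/24 (primary) and
172.24.55.0/24 (secondary) with access-list 101 applied inbound.
Added example, not from the original thread."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import List, Tuple


def ip2int(addr: str) -> int:
    return int(IPv4Address(addr))


@dataclass(frozen=True)
class Wildcard:
    """IOS address/wildcard pair: wildcard bit 1 = don't care, 0 = must match.
    Wildcards need not be contiguous, so this is a bit test, not a prefix test."""
    addr: int
    wild: int

    def matches(self, ip: int) -> bool:
        return (ip ^ self.addr) & ~self.wild & 0xFFFFFFFF == 0


@dataclass(frozen=True)
class Ace:
    action: str      # "permit" or "deny"
    src: Wildcard
    dst: Wildcard
    log: bool = False


def _parse_addr(tok: List[str], i: int) -> Tuple[Wildcard, int]:
    if tok[i] == "any":
        return Wildcard(0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return Wildcard(ip2int(tok[i + 1]), 0), i + 2
    return Wildcard(ip2int(tok[i]), ip2int(tok[i + 1])), i + 2


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list <n> permit|deny ip <src> <dst> [log]' line."""
    tok = line.split()
    if tok[0] != "access-list" or tok[3] != "ip":
        raise ValueError(f"unsupported ACL line: {line}")
    src, i = _parse_addr(tok, 4)
    dst, i = _parse_addr(tok, i)
    return Ace(tok[2], src, dst, "log" in tok[i:])


def parse_acl(config: str) -> List[Ace]:
    return [parse_ace(l) for l in config.strip().splitlines() if l.strip()]


def evaluate(acl: List[Ace], src: str, dst: str) -> Tuple[str, bool]:
    """Return (verdict, logged). First matching entry wins; no match = implicit deny."""
    s, d = ip2int(src), ip2int(dst)
    for ace in acl:
        if ace.src.matches(s) and ace.dst.matches(d):
            return ace.action, ace.log
    return "deny", False


@dataclass
class Host:
    """Assumed end-station model: a destination is on-link if it falls inside the
    interface network or one of the extra prefixes the station was configured with."""
    ip: str
    prefixlen: int
    gateway: str
    extra_onlink: List[str] = field(default_factory=list)

    def next_hop(self, dst: str) -> str:
        """'direct' if the host ARPs for dst itself, 'gateway' if it ARPs for the router."""
        nets = [IPv4Network(f"{self.ip}/{self.prefixlen}", strict=False)]
        nets += [IPv4Network(p) for p in self.extra_onlink]
        return "direct" if any(IPv4Address(dst) in n for n in nets) else "gateway"


def deliver(host: Host, dst: str, acl: List[Ace]) -> str:
    """Fate of one packet from host to dst on the shared segment.
    The inbound ACL is consulted only when the packet is handed to the router."""
    if host.next_hop(dst) == "direct":
        return "delivered directly; the router and its ACL never see the packet"
    verdict, logged = evaluate(acl, host.ip, dst)
    if verdict == "deny":
        return "dropped by the router ACL" + (" (logged)" if logged else "")
    return "forwarded by the router"


# The ACL from Ankur's reply, with the log keyword Petrónio says he added.
ACL_101 = parse_acl("""
access-list 101 deny ip 172.23.55.0 0.0.0.255 172.24.55.0 0.0.0.255 log
access-list 101 deny ip 172.24.55.0 0.0.0.255 172.23.55.0 0.0.0.255 log
access-list 101 permit ip any any
""")

if __name__ == "__main__":
    # Constructed hosts: A is a normal /24 station, B has been told 172.23.55.0/24 is on-link.
    a = Host("172.23.55.10", 24, "172.23.55.254")
    b = Host("172.24.55.20", 24, "172.24.55.254", extra_onlink=["172.23.55.0/24"])
    print("A -> B:", deliver(a, b.ip, ACL_101))          # dropped by the router ACL (logged)
    print("B -> A:", deliver(b, a.ip, ACL_101))          # delivered directly; ...
    print("A -> 10.1.1.1:", deliver(a, "10.1.1.1", ACL_101))  # forwarded by the router
```

Run as a script it prints the three outcomes; the point to notice is that the same ACL stops A's traffic but is never consulted for B's, because B never hands the packet to the router.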

I have some more outputs for your analysis and conclusions, since I have performed tests with the given ACL.

Rt#ping
Protocol [ip]:
Target IP address: 172.24.74.254
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.23.74.254
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.24.74.254, timeout is 2 seconds:
Packet sent with a source address of 172.23.74.254
U.U.U
*Oct 8 04:10:22.867: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 172.23.74.254 -> 172.24.74.254 (0/0), 1 packet
Success rate is 0 percent (0/5)

Rt#ping
Protocol [ip]:
Target IP address: 172.23.74.254
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.24.74.254
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.23.74.254, timeout is 2 seconds:
Packet sent with a source address of 172.24.74.254
.....
*Oct 8 04:10:44.611: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 172.24.74.254 -> 172.23.74.254 (0/0), 1 packet
Success rate is 0 percent (0/5)
Rt#

Now I can see that the ACL works fine, but why am I getting "U"nreachable in one direction and not in the other?

*****

Sorry, I have edited this message for better understanding, and included a log on each ACL line.

Best Regards,

Petrónio
