05-20-2007 10:42 AM - edited 03-05-2019 04:10 PM
Hi all,
Imagine I have one FastEthernet interface with 2 networks configured.
For example:
interface FastEthernet0/0
ip address 172.23.55.254 255.255.255.0
ip address 172.24.55.254 255.255.255.0 secondary
I don't want the users from one network to be able to reach the users of the other network.
What kind of access-list would be best to perform this?
Many thanks.
Petrônio
05-20-2007 10:50 AM
Hi Friend,
Try this
access-list 101 deny ip 172.23.55.0 0.0.0.255 172.24.55.0 0.0.0.255
access-list 101 deny ip 172.24.55.0 0.0.0.255 172.23.55.0 0.0.0.255
access-list 101 permit ip any any
interface fa0/0
ip access-group 101 in
I believe it should work. Try this and update the status.
HTH
Ankur
*Pls rate all helpful posts
05-20-2007 05:44 PM
Ankur
Your answer looks logical and would be effective for traffic that depended on the router to forward it. But it ignores a basic reality in the original question. If there is a router interface with a primary subnet and a secondary subnet, then both subnets are in the same broadcast domain and any device in 172.23.55 could potentially ARP for any device in 172.24.55, receive a response and communicate directly without using the router at all.
Your answer is the best that we can do on the router, but we need to recognize that it is quite possible that the end stations may communicate directly without needing the router at all. And therefore the router may not be capable of preventing communication between 172.23.55 and 172.24.55.
If the question had asked about 2 subnets on different VLANs and the router were trunking, then an access list solution could be effective, but with secondary addressing the router may or may not be able to control this traffic.
HTH
Rick
05-21-2007 03:39 AM
Hi Rick,
I believe that when there are 2 hosts in different subnets, though they are in the same VLAN, and one of them initiates a ping to the other, then because my client knows that the request is for someone on the other subnet, it will send an ARP request for the gateway address; the gateway will respond with its MAC, and the traffic will always hit the router first.
So I tried the same setup in my test bed and captured the traffic and checked that any ping request is hitting my router first with destination mac address as my router interface mac address.
Regards,
Ankur
05-21-2007 06:01 AM
Ankur
I think that there are at least 2 aspects of this to consider:
- whether the end station will ARP for other destinations depends a bit on the IP stack that it is running and on how the end station is configured. Some end stations will not ARP but some may ARP.
- if the router receives a packet on an interface and forwards the packet back out the same interface, the IOS will generate a redirect to the originating device (you may disable this but it is enabled by default). If the originating device receives a redirect it may then use this information and communicate directly.
I believe that the bottom line is that the router MAY be able to control traffic between the subnets, but it also may not be able to control it. You certainly cannot say that the router WILL control traffic between subnets. I believe that any design which has a requirement to control traffic between 2 subnets or networks and then puts both subnets into the same VLAN is a poor design and puts itself into a situation where its requirements may not be fully achieved.
HTH
Rick
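As an added illustration of Ankur's ACL 101 together with Rick's caveat (example code written for this thread, not posted by either of them): it evaluates the ACL with IOS wildcard-mask, first-match semantics and an implicit deny, and models whether a host with a given subnet mask would even hand the packet to the router. All host and gateway addresses are constructed.

```python
import ipaddress

# Constructed re-creation of Ankur's ACL 101 (not router output):
# (action, src, src_wildcard, dst, dst_wildcard). IOS wildcard bits set
# to 1 are "don't care"; the trailing implicit deny is applied by match_acl().
ACL_101 = [
    ("deny",   "172.23.55.0", "0.0.0.255",       "172.24.55.0", "0.0.0.255"),
    ("deny",   "172.24.55.0", "0.0.0.255",       "172.23.55.0", "0.0.0.255"),
    ("permit", "0.0.0.0",     "255.255.255.255", "0.0.0.0",     "255.255.255.255"),
]


def wildcard_match(ip, base, wildcard):
    """IOS wildcard-mask test: compare only the bits where the wildcard is 0."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def match_acl(acl, src, dst):
    """First-match evaluation: returns (action, 1-based entry number),
    or ("deny", None) when no entry matches (the implicit deny)."""
    for number, (action, s, sw, d, dw) in enumerate(acl, start=1):
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action, number
    return "deny", None


def host_next_hop(src, prefixlen, dst, gateway):
    """Rick's caveat: a host only involves the router when dst is off its own
    subnet; if dst falls inside its configured prefix it ARPs and sends direct."""
    net = ipaddress.ip_network(f"{src}/{prefixlen}", strict=False)
    return "direct" if ipaddress.IPv4Address(dst) in net else gateway


def filtered_at_router(src, prefixlen, dst, gateway, acl=ACL_101):
    """True only if the packet both reaches the router interface and hits a deny
    entry; traffic that never leaves the broadcast domain is not filtered."""
    if host_next_hop(src, prefixlen, dst, gateway) != gateway:
        return False
    return match_acl(acl, src, dst)[0] == "deny"
```

Run with a /24 on the host and the packet goes to the gateway and is denied; widen the host's mask (or let it learn the neighbour another way) and the same ACL never sees the packet.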
05-21-2007 07:35 AM
I have some more outputs for your analysis and conclusions, since I have performed tests with the given ACL.
Rt#ping
Protocol [ip]:
Target IP address: 172.24.74.254
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.23.74.254
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.24.74.254, timeout is 2 seconds:
Packet sent with a source address of 172.23.74.254
U.U.U
*Oct 8 04:10:22.867: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 172.23.74.254 -> 172.24.74.254 (0/0), 1 packet
Success rate is 0 percent (0/5)
Rt#ping
Protocol [ip]:
Target IP address: 172.23.74.254
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.24.74.254
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.23.74.254, timeout is 2 seconds:
Packet sent with a source address of 172.24.74.254
.....
*Oct 8 04:10:44.611: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 172.24.74.254 -> 172.23.74.254 (0/0), 1 packet
Success rate is 0 percent (0/5)
Rt#
Now I can see that the ACL works fine, but why am I getting "U"nreachable in one direction and not in the other?
*****
Sorry, I had edited this message for better understanding, and included a log in each ACL sentence.
Best Regards,
Petrônio