Access-List Question

Answered Question
Apr 6th, 2008

Hi There;


I am using the 'router-on-a-stick' method with 5 VLANS and associated sub-interfaces. I created this access-list - 'access-list 102 permit icmp 192.168.20 (vlan number).0 0.0.0.255 172.30.0.0 (serial interface) 0.0.255.255. This works as intended - I can ping the 172.30.X.X serial interfaces and I cannot ping the other vlan devices. However, I want to be able to ping my own sub-interface but none of the other VLAN sub-interfaces.


thanks

Istvan_Rabai Sun, 04/06/2008 - 22:41

Hi Darren,


I hope I understand your config well. You should add a line to the access-list allowing the address of the subinterface:


access-list 102 permit icmp 192.168.20 (vlan number).0 0.0.0.255 172.30.0.0 (serial interface) 0.0.255.255

access-list 102 permit icmp 192.168.20 (vlan number).0 0.0.0.255 x.x.x.x (subinterface) y.y.y.y


Cheers:

Istvan

austindaz Sun, 04/06/2008 - 23:26

Hi There;


The address I want to get to is 192.168.20.1. So would I write 'access-list 102 permit icmp 192.168.20.0 0.0.0.255 192.168.20.1 0.0.0.0'


thanks

Correct Answer
Istvan_Rabai Mon, 04/07/2008 - 02:03

Hi Darren,


If you add this line to the access-list, it will allow you to ping the interface with address 192.168.20.1.


Don't forget that at the end of an access-list there is a "deny ip any any" command.


So if you want to allow USER TRAFFIC to other destinations, then you should explicitly allow that traffic as well.


Cheers:

Istvan
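As an added illustration (not part of the thread above), the following Python simulates how IOS evaluates extended ACL 102 top-down with wildcard masks and the implicit "deny ip any any" at the end. The placeholders from the thread are filled in with assumed values: VLAN 20 is 192.168.20.0/24, its subinterface is 192.168.20.1, another VLAN's gateway is 192.168.30.1, and the serial links are in 172.30.0.0/16.

```python
import ipaddress

# Constructed ACL 102, in the order the thread proposes: the original serial-link
# entry, then the host entry for the VLAN 20 subinterface. Values are assumed.
ACL_102 = [
    ("permit", "icmp", "192.168.20.0", "0.0.0.255", "172.30.0.0", "0.0.255.255"),
    ("permit", "icmp", "192.168.20.0", "0.0.0.255", "192.168.20.1", "0.0.0.0"),
]


def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 0 bit means 'must match', a 1 bit means 'don't care'.

    So 0.0.0.255 matches a /24 and 0.0.0.0 matches exactly one host.
    """
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def evaluate(acl, proto, src, dst):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for action, p, sbase, swild, dbase, dwild in acl:
        proto_ok = p == "ip" or p == proto
        if proto_ok and wildcard_match(src, sbase, swild) and wildcard_match(dst, dbase, dwild):
            return action
    return "deny"  # implicit "deny ip any any" at the end of every IOS ACL


if __name__ == "__main__":
    host = "192.168.20.10"  # assumed VLAN 20 client
    for proto, dst, why in [
        ("icmp", "172.30.1.1", "serial interface"),
        ("icmp", "192.168.20.1", "own subinterface"),
        ("icmp", "192.168.30.1", "other VLAN's subinterface"),
        ("tcp", "172.30.1.1", "user traffic, not explicitly permitted"),
    ]:
        print(f"{proto:4} {host} -> {dst:14} {evaluate(ACL_102, proto, host, dst):6} ({why})")
```

The last case shows the point of the reply: only ICMP is permitted, so non-ICMP user traffic falls through to the implicit deny unless a further entry allows it.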
