ACL Not working on Sub Interface

Unanswered Question
Apr 21st, 2008

Configuring a Guest Subnet on a Remote Office Router:


Have an interface on the router, Gig 0/0, with 3 sub-ints...

0/0.17 --> for Guests
0/0.31 --> for Prod Hosts
0/0.32 --> for Voice Hosts

Applied these lists to 0/0.17:

interface GigabitEthernet0/0.17
 encapsulation dot1Q 17
 ip address 172.17.10.1 255.255.255.0
 ip access-group GuestIN in
 ip access-group GuestOUT out

ip access-list extended GuestIN
 remark Permit DHCP
 permit udp any any eq bootps
 permit udp any any eq bootpc
 permit icmp any any

ip access-list extended GuestOUT
 remark Permit DHCP & DMZ HTTP & HTTPS
 permit udp any any eq bootps
 permit udp any any eq bootpc
 permit tcp any 10.200.12.0 0.0.0.255 eq www reflect OUTportfilter
 permit tcp any 10.200.12.0 0.0.0.255 eq 443 reflect OUTportfilter
 permit tcp any 10.200.10.0 0.0.0.255 eq www reflect OUTportfilter
 permit tcp any 10.200.10.0 0.0.0.255 eq 443 reflect OUTportfilter
 deny ip any 10.0.0.0 0.255.255.255
 permit ip any any reflect OUTportfilter

After applying these 2 lists:

I can still telnet to hosts in the 10.221.40.0 network and/or ping hosts in the 10.221.40.0 network. Am I missing something?
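As an added check of what the two lists above actually match (example code written for this page, not from the thread or from Cisco), here is a small Python model of IOS first-match ACL evaluation run over GuestIN and GuestOUT. It assumes the IOS direction convention that "in" on Gi0/0.17 filters packets arriving from guest hosts and "out" filters packets leaving towards them, and it leaves out the reflexive (reflect/evaluate) part; the guest and prod host addresses are constructed.

```python
import ipaddress

# Model of IOS extended-ACL evaluation: top-down, first match wins, and an
# unmatched packet hits the implicit "deny ip any any" at the end of the list.
# Reflexive entries (reflect/evaluate) are not modelled.
def wildcard_match(addr, base, wildcard):
    # IOS wildcard semantics: a 1 bit in the wildcard means "don't care".
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def evaluate_acl(acl, pkt):
    # pkt is a dict with proto, src, dst and (for tcp/udp) dport.
    for action, proto, src, swild, dst, dwild, dport in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (wildcard_match(pkt["src"], src, swild)
                and wildcard_match(pkt["dst"], dst, dwild)):
            continue
        if dport is not None and dport != pkt.get("dport"):
            continue
        return action
    return "deny"  # implicit deny at the end of every IOS ACL

ANY = ("0.0.0.0", "255.255.255.255")
# Entry: (action, proto, src, src_wildcard, dst, dst_wildcard, dst_port)
GUEST_IN = [  # applied "in" on Gi0/0.17: packets from guest hosts
    ("permit", "udp", *ANY, *ANY, 67),   # bootps
    ("permit", "udp", *ANY, *ANY, 68),   # bootpc
    ("permit", "icmp", *ANY, *ANY, None),
]
GUEST_OUT = [  # applied "out" on Gi0/0.17: packets towards guest hosts
    ("permit", "udp", *ANY, *ANY, 67),
    ("permit", "udp", *ANY, *ANY, 68),
    ("permit", "tcp", *ANY, "10.200.12.0", "0.0.0.255", 80),
    ("permit", "tcp", *ANY, "10.200.12.0", "0.0.0.255", 443),
    ("permit", "tcp", *ANY, "10.200.10.0", "0.0.0.255", 80),
    ("permit", "tcp", *ANY, "10.200.10.0", "0.0.0.255", 443),
    ("deny", "ip", *ANY, "10.0.0.0", "0.255.255.255", None),
    ("permit", "ip", *ANY, *ANY, None),
]

# Constructed packets: guest host 172.17.10.5, prod host 10.221.40.9.
def guest_telnet_to_prod():
    pkt = dict(proto="tcp", src="172.17.10.5", dst="10.221.40.9", dport=23)
    return evaluate_acl(GUEST_IN, pkt)
def guest_ping_to_prod():
    return evaluate_acl(GUEST_IN, dict(proto="icmp", src="172.17.10.5", dst="10.221.40.9"))
def prod_to_guest():
    pkt = dict(proto="tcp", src="10.221.40.9", dst="172.17.10.5", dport=23)
    return evaluate_acl(GUEST_OUT, pkt)
```

Run as written, the inbound list denies the guest telnet and permits the ping, while the outbound list's "deny ip any 10.0.0.0" only matches packets whose destination is in 10.0.0.0/8, so a packet from 10.221.40.9 towards the guest falls through to "permit ip any any".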

williamsdo@si.edu Mon, 04/21/2008 - 11:44

Hi, I do believe you will have to deny telnet on port 23 for the network 10.0.0.0, and ping uses ICMP echo response, which I don't see an entry to deny ICMP for. You have denied IP traffic on the 10.0.0.0 network, so the guest should not receive any IP traffic from that network.

D

pccthailand Tue, 04/22/2008 - 20:20

Hi Jacob-Harris


As you said you can telnet and ping: did you telnet and ping using the router, or from some other host in another subnet?


