597 Views, 0 Helpful, 2 Replies

ACL Not working on Sub Interface

Jacob-Harris
Level 1

Configuring a Guest Subnet on a Remote Office Router:

I have interface Gig 0/0 on the router with 3 sub-interfaces:

0/0.17 --> for Guests
0/0.31 --> for Prod Hosts
0/0.32 --> for Voice Hosts

Applied these lists to 0/0.17:

interface GigabitEthernet0/0.17
 encapsulation dot1Q 17
 ip address 172.17.10.1 255.255.255.0
 ip access-group GuestIN in
 ip access-group GuestOUT out
!
ip access-list extended GuestIN
 remark Permit DHCP
 permit udp any any eq bootps
 permit udp any any eq bootpc
 permit icmp any any
!
ip access-list extended GuestOUT
 remark Permit DHCP & DMZ HTTP & HTTPS
 permit udp any any eq bootps
 permit udp any any eq bootpc
 permit tcp any 10.200.12.0 0.0.0.255 eq www reflect OUTportfilter
 permit tcp any 10.200.12.0 0.0.0.255 eq 443 reflect OUTportfilter
 permit tcp any 10.200.10.0 0.0.0.255 eq www reflect OUTportfilter
 permit tcp any 10.200.10.0 0.0.0.255 eq 443 reflect OUTportfilter
 deny ip any 10.0.0.0 0.255.255.255
 permit ip any any reflect OUTportfilter

After applying these 2 lists,

I can still telnet to hosts in the 10.221.40.0 network and/or ping hosts in the 10.221.40.0 network. Am I missing something?
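As an added illustration (not part of the original post or any reply), the following Python model walks a packet through an IOS extended ACL the way the router does: top-down, first match wins, implicit deny at the end. It is run against the two lists from the question. On a (sub)interface, `in` filters packets entering the router from the guest segment and `out` filters packets the router sends onto that segment; the sample addresses 172.17.10.50 (a guest) and 10.221.40.5 (a host on the network named in the question) are constructed for the demo. The `reflect` keyword only creates temporary entries, and IOS uses them only where the partner list carries a matching `evaluate` line, so reflexive state is outside this static model.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IOS well-known port names that appear in the thread's lists (plus telnet).
PORT_NAMES = {"bootps": 67, "bootpc": 68, "www": 80, "telnet": 23}


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # destination port from "eq", if present


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    # An IOS wildcard mask is the bitwise inverse of a subnet mask.
    mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), i + 2


def parse_acl(text):
    """Parse the subset of extended-ACL syntax used in the question."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "remark":
            continue
        action, proto = tokens[0], tokens[1]
        src, i = _parse_addr(tokens, 2)
        dst, i = _parse_addr(tokens, i)
        dport = None
        if i < len(tokens) and tokens[i] == "eq":
            name = tokens[i + 1]
            dport = PORT_NAMES[name] if name in PORT_NAMES else int(name)
        # A trailing "reflect NAME" is deliberately ignored: it only creates
        # temporary entries, which this static model does not track.
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def evaluate(aces, proto, src, dst, dport=None):
    """Return (action, entry_number) of the first matching entry, or
    ('deny', None) for the implicit deny at the end of every IOS ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, ace in enumerate(aces, 1):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, n
    return "deny", None


# The two lists exactly as posted in the question.
GUEST_IN = parse_acl("""
remark Permit DHCP
permit udp any any eq bootps
permit udp any any eq bootpc
permit icmp any any
""")

GUEST_OUT = parse_acl("""
remark Permit DHCP & DMZ HTTP & HTTPS
permit udp any any eq bootps
permit udp any any eq bootpc
permit tcp any 10.200.12.0 0.0.0.255 eq www reflect OUTportfilter
permit tcp any 10.200.12.0 0.0.0.255 eq 443 reflect OUTportfilter
permit tcp any 10.200.10.0 0.0.0.255 eq www reflect OUTportfilter
permit tcp any 10.200.10.0 0.0.0.255 eq 443 reflect OUTportfilter
deny ip any 10.0.0.0 0.255.255.255
permit ip any any reflect OUTportfilter
""")


def demo():
    """Constructed sample flows: a guest host talking to a 10.221.40.0 host."""
    guest, inside = "172.17.10.50", "10.221.40.5"
    return {
        "guest -> inside ICMP echo        (GuestIN, in)":  evaluate(GUEST_IN, "icmp", guest, inside),
        "guest -> inside telnet           (GuestIN, in)":  evaluate(GUEST_IN, "tcp", guest, inside, 23),
        "inside -> guest ICMP echo-reply  (GuestOUT, out)": evaluate(GUEST_OUT, "icmp", inside, guest),
        "inside -> guest telnet reply     (GuestOUT, out)": evaluate(GUEST_OUT, "tcp", inside, guest, 40000),
    }


if __name__ == "__main__":
    for label, (action, n) in demo().items():
        where = f"entry {n}" if n else "implicit deny"
        print(f"{label}  {action} ({where})")
```

Two things the run makes visible: a guest's ICMP echo is permitted by the third entry of GuestIN, while a guest's telnet SYN hits GuestIN's implicit deny; and every packet leaving the router toward the guest segment carries a 172.17.10.x destination, so the `deny ip any 10.0.0.0 0.255.255.255` entry in GuestOUT (which tests the destination address) never matches in the `out` direction and such replies fall through to `permit ip any any`.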

2 Replies

williamsdo
Level 3

Hi, I do believe you will have to deny telnet on port 23 for the network 10.0.0.0, and ping uses ICMP echo response, which I don't see an entry to deny ICMP for. You have denied IP traffic on the 10.0.0.0 network, so the guest should not receive any IP traffic from that network.

D

pccthailand
Level 1

Hi Jacob-Harris,

As you said you can telnet and ping: do you telnet and ping from the router, or from another host on a different subnet?
