04-06-2008 07:44 PM - edited 03-05-2019 10:13 PM
Hi There;
I am using the 'router-on-a-stick' method with 5 VLANs and associated sub-interfaces. I created this access-list: 'access-list 102 permit icmp 192.168.20 (vlan number).0 0.0.0.255 172.30.0.0 (serial interface) 0.0.255.255'. This works as intended - I can ping the 172.30.X.X serial interfaces and I cannot ping the other VLAN devices. However, I want to be able to ping my own sub-interface but none of the other VLAN sub-interfaces.
thanks
04-06-2008 10:41 PM
Hi Darren,
I hope I understand your config well. You should add a line to the access-list allowing the address of the subinterface:
access-list 102 permit icmp 192.168.20 (vlan number).0 0.0.0.255 172.30.0.0 (serial interface) 0.0.255.255.
access-list 102 permit icmp 192.168.20 (vlan number).0 0.0.0.255 x.x.x.x (subinterface) y.y.y.y
Cheers:
Istvan
04-06-2008 11:26 PM
Hi There;
The address I want to get to is 192.168.20.1. So would I write 'access-list 102 permit icmp 192.168.20.0 0.0.0.255 192.168.20.1 0.0.0.0'?
thanks
04-07-2008 02:03 AM
Hi Darren,
If you add this line to the access-list, it will allow you to ping the interface with address 192.168.20.1.
Don't forget that at the end of an access-list there is a "deny ip any any" command.
So if you want to allow USER TRAFFIC to other destinations, then you should explicitly allow that traffic as well.
Cheers:
Istvan
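The following is an added example, not part of the original thread: a small Python model of how access-list 102 with both lines is evaluated (wildcard-mask match, first match wins, implicit deny at the end). The host 192.168.20.10, the other-VLAN address 192.168.30.1 and the 172.30.1.1 target are constructed sample values, and the ACL is assumed to be applied inbound on the VLAN 20 sub-interface.

```python
import ipaddress

# ACL 102 from the thread: (action, protocol, src, src wildcard, dst, dst wildcard)
ACL_102 = [
    ("permit", "icmp", "192.168.20.0", "0.0.0.255", "172.30.0.0", "0.0.255.255"),
    ("permit", "icmp", "192.168.20.0", "0.0.0.255", "192.168.20.1", "0.0.0.0"),
]

def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, base, wildcard):
    """Bits set in the wildcard are ignored; every other bit must equal base."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)

def evaluate(acl, proto, src, dst):
    """Return (action, index of matching entry); first match wins."""
    for i, (action, p, s, sw, d, dw) in enumerate(acl):
        if p in (proto, "ip") and wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action, i
    # No entry matched: the implicit "deny ip any any" applies.
    return "deny", None

# Constructed sample packets (addresses other than 192.168.20.1 are assumptions).
PACKETS = [
    ("icmp", "192.168.20.10", "172.30.1.1"),    # ping to a serial interface
    ("icmp", "192.168.20.10", "192.168.20.1"),  # ping to own sub-interface
    ("icmp", "192.168.20.10", "192.168.30.1"),  # ping to another VLAN's sub-interface
    ("tcp",  "192.168.20.10", "172.30.1.1"),    # user traffic, not ICMP
]

def run():
    return [(proto, dst, evaluate(ACL_102, proto, src, dst)) for proto, src, dst in PACKETS]

if __name__ == "__main__":
    for proto, dst, (action, idx) in run():
        rule = "implicit deny" if idx is None else f"entry {idx + 1}"
        print(f"{proto:4} -> {dst:13} {action:6} ({rule})")
```

The last packet shows the point about user traffic: anything that is not ICMP to one of the two permitted destinations falls through to the implicit deny.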