Solved: Re: Access-List Question

austindaz · ‎04-06-2008

Hi There;

I am using the 'router-on-a-stick' method with 5 VLANS and associated sub-interfaces. I created this access-list - 'access-list 102 permit icmp 192.168.20 (vlan number).0 0.0.0.255 172.30.0.0 (serial interface) 0.0.255.255. This works as intended - I can ping the 172.30.X.X serial interfaces and I cannot ping the other vlan devices. However, I want to be able to ping my own sub-interface but none of the other VLAN sub-interfaces.

thanks

Istvan_Rabai · ‎04-07-2008

Hi Darren,

if you add this line to the access-list, it will allow you to ping the interface with address 192.168.20.1.

Don't forget that at the end of an access-list there is a "deny ip any any" command.

So if you want to allow USER TRAFFIC to other destinations, then you should explicitly allow that traffic as well.

Cheers:

Istvan

View solution in original post

Istvan_Rabai · ‎04-06-2008

Hi Darren,

I hope I understand you config well. You should add a line to the access-list allowing the address of the subinterface:

access-list 102 permit icmp 192.168.20 (vlan number).0 0.0.0.255 172.30.0.0 (serial interface) 0.0.255.255.

access-list 102 permit icmp 192.168.20 (vlan number).0 0.0.0.255 x.x.x.x (subinterface) y.y.y.y

Cheers:

Istvan

austindaz · ‎04-06-2008

Hi There;

The address I want to get to is 192.168.20.1. So would I write 'access-list 102 permit icmp 192.168.20.0 0.0.0.255 192.168.20.1 0.0.0.0'

thanks

Istvan_Rabai · ‎04-07-2008

Hi Darren,

if you add this line to the access-list, it will allow you to ping the interface with address 192.168.20.1.

Don't forget that at the end of an access-list there is a "deny ip any any" command.

So if you want to allow USER TRAFFIC to other destinations, then you should explicitly allow that traffic as well.

Cheers:

Istvan