ACL Not working on Sub Interface

Configuring a Guest Subnet on a Remote Office Router:

I have interface GigabitEthernet0/0 on the router with three sub-interfaces:

0/0.17 --> for Guests

0/0.31 --> for Prod Hosts

0/0.32 --> for Voice Hosts

I applied these lists to 0/0.17:

interface GigabitEthernet0/0.17
 encapsulation dot1Q 17
 ip address 172.17.10.1 255.255.255.0
 ip access-group GuestIN in
 ip access-group GuestOUT out
!
ip access-list extended GuestIN
 remark Permit DHCP
 permit udp any any eq bootps
 permit udp any any eq bootpc
 permit icmp any any
!
ip access-list extended GuestOUT
 remark Permit DHCP & DMZ HTTP & HTTPS
 permit udp any any eq bootps
 permit udp any any eq bootpc
 permit tcp any 10.200.12.0 0.0.0.255 eq www reflect OUTportfilter
 permit tcp any 10.200.12.0 0.0.0.255 eq 443 reflect OUTportfilter
 permit tcp any 10.200.10.0 0.0.0.255 eq www reflect OUTportfilter
 permit tcp any 10.200.10.0 0.0.0.255 eq 443 reflect OUTportfilter
 deny ip any 10.0.0.0 0.255.255.255
 permit ip any any reflect OUTportfilter

After applying these two lists, I can still telnet to hosts in the 10.221.40.0 network and/or ping hosts in the 10.221.40.0 network. Am I missing something?
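Editor's note with an added example; the configuration below is not from the post or from either reply. The result described above follows from which direction each list is checked in. On interface GigabitEthernet0/0.17, `ip access-group GuestIN in` is applied to packets arriving from guest hosts (source 172.17.10.0/24), and `ip access-group GuestOUT out` to packets the router forwards toward guest hosts. So `deny ip any 10.0.0.0 0.255.255.255` in GuestOUT only matches a packet that is both destined for 10/8 and leaving toward the guest VLAN, which never occurs, while `permit icmp any any` in GuestIN is exactly what lets a guest ping 10.221.40.0. The `reflect OUTportfilter` entries never take effect because no list contains `evaluate OUTportfilter`. The version below puts the restrictions in the inbound list, records guest-initiated sessions there with `reflect`, and admits only their replies with `evaluate` in the outbound list. Addresses, ACL names and the DMZ web permits come from the post; the reflexive list name `GuestSessions`, the 300-second idle timeout, and the denies for 172.16/12 and 192.168/16 (which extend the post's 10/8 deny to the rest of RFC 1918 space) are assumptions of this example.

```cisco
! Added example; not the configuration from the post or the replies.
! Addresses and list names are from the post. "GuestSessions", the
! 300 s reflexive timeout and the 172.16/12 and 192.168/16 denies are
! assumptions.
!
! Direction is relative to the router: "in" on Gi0/0.17 means packets
! sent BY guest hosts, "out" on Gi0/0.17 means packets forwarded TO them.
!
ip reflexive-list timeout 300
!
ip access-list extended GuestIN
 remark --- packets from guest hosts, entering the router ---
 remark DHCP discover/request (client port 68 -> server port 67)
 permit udp any eq bootpc any eq bootps
 remark guests may open HTTP/HTTPS to the DMZ web servers; record the session
 permit tcp 172.17.10.0 0.0.0.255 10.200.12.0 0.0.0.255 eq www reflect GuestSessions
 permit tcp 172.17.10.0 0.0.0.255 10.200.12.0 0.0.0.255 eq 443 reflect GuestSessions
 permit tcp 172.17.10.0 0.0.0.255 10.200.10.0 0.0.0.255 eq www reflect GuestSessions
 permit tcp 172.17.10.0 0.0.0.255 10.200.10.0 0.0.0.255 eq 443 reflect GuestSessions
 remark every other internal destination (telnet, ping, ...) is dropped here, inbound
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 remark Internet-bound traffic is allowed and its return path recorded
 permit tcp 172.17.10.0 0.0.0.255 any reflect GuestSessions
 permit udp 172.17.10.0 0.0.0.255 any reflect GuestSessions
 permit icmp 172.17.10.0 0.0.0.255 any echo
 remark the implicit "deny ip any any" ends the list
!
ip access-list extended GuestOUT
 remark --- packets leaving the router toward guest hosts ---
 remark DHCP offer/ack back to the client
 permit udp any eq bootps any eq bootpc
 remark replies to sessions guests opened (entries created by "reflect" above)
 evaluate GuestSessions
 remark ping replies and the ICMP errors needed for PMTUD and traceroute
 permit icmp any 172.17.10.0 0.0.0.255 echo-reply
 permit icmp any 172.17.10.0 0.0.0.255 unreachable
 permit icmp any 172.17.10.0 0.0.0.255 time-exceeded
 remark implicit "deny ip any any": nothing unsolicited reaches the guest VLAN
!
interface GigabitEthernet0/0.17
 encapsulation dot1Q 17
 ip address 172.17.10.1 255.255.255.0
 ip access-group GuestIN in
 ip access-group GuestOUT out
```

Test from a guest host rather than from the router: packets the router generates itself are not checked against the outbound list on the egress interface, and they never pass through GuestIN either, so a telnet or ping started on the router proves nothing about the lists. Watch the per-entry match counters with `show ip access-lists GuestIN`, look for the temporary entries with `show ip access-lists GuestSessions` while a guest has a web session open, and confirm both lists are bound with `show ip interface GigabitEthernet0/0.17 | include access list`. Two consequences of the inbound denies to plan for: guests can no longer reach the gateway 172.17.10.1 for anything but DHCP, and if guests are handed an internal DNS server in 10/8 you need a `permit udp 172.17.10.0 0.0.0.255 host <dns-server> eq domain reflect GuestSessions` line above the deny entries.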

2 REPLIES
Re: ACL Not working on Sub Interface

Hi, I do believe you will have to deny telnet on port 23 for the 10.0.0.0 network, and ping uses ICMP echo response, for which I don't see an entry to deny ICMP. You have denied IP traffic on the 10.0.0.0 network, so the guest should not receive any IP traffic from that network.

D

Re: ACL Not working on Sub Interface

Hi Jacob-Harris

As you said you can telnet and ping: do you telnet and ping from the router, or from another host on a different subnet?
