Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ACL problem

Hi!

I got 2 subinterfaces configured with dot1q and using extended acl(both in bound). What i'm trying to achieve here is that host from subinterface A(10.1.9.X subnet) is able to access host on subinterface B(10.1.10.X subnet), but not from 10.1.10.x to 10.1.9.x.

I've tried the following acl on one of the host:

access-list 111 permit ip host 10.1.9.100 any (Applied inbound on subinterface A)

access-list 112 permit tcp host 10.1.10.100 10.71.9.100 established (Applied inbound on subinterface b)

Once the 112 config is applied on subinterface B, i noticed that i can't ping from either subnet. Any idea how to achieve what i required above?

Another question is, what's the different between "Request Time Out" and "Reply from 10.x.x.x, Destination host unreachable"? Thanks.

3 REPLIES
Blue

Re: ACL problem

try the following ACL(s):

access-list 111 permit ip host 10.1.9.100 host 10.1.10.100 established

access-list 111 permit ip host 10.1.9.100 any (apply this inbound to INT-A)

this should allow 10.1.9.100 to make ip connections to 10.1.10.100 as well as allow 10.1.10.100 to send packets back to 10.1.9.100 for established TCP sessions only. (while still allowing all other subnets to establish connections with 10.1.9.100)

also, RequestTimedOut means the router attempted to forward the packet and got no response/ack.

Reply from x.x.x.x: Desintation Unreachable means that the router has received an ICMP when it forwarded the packet. this ICMP was sent back to the forwarding router, from the last hop router that received the packet, to state that the destination network/host does not exist in the routing table so it did not know where to forward the packet and had to drop it.

New Member

Re: ACL problem

Hi! I haven't got the chance to try that out. Would the "established" command work on IP? or just TCP? Is the command given above, the normal way to achieve this one way initialization only requirement?

For the "request time out" and "reply from x.x.x.x Destination unreahable", what which would be a better way of filtering traffic? eg. if the message "reply from x.x.x.x" Destination Unreachable" is from that subnet's gateway?

Thanks.

Blue

Re: ACL problem

'established' is for a TCP session as tcp is connection oriented. (the session is therefore established if the packet has the ACK, PSH, RST, SYN, FIN or URG bits set)

you requested a one-way restriction, so this will provide a one-way restiction.

(also, you can use "access-list 111 deny ip host 10.1.9.100 host 10.1.10.100" after the first entry; think i forgot that)

for your last question, yes, filter as close to the source as possible. (this prevents other parts of the network from allocating resources for packets that are only going to get dropped further out)

if you send out a packet and are getting a destUnreachable from 4 hops away, and you know that you cannot get that destination to respond, and you would like to keep the 3 previous hops from having to process packets that will be dropped, yes, filter at your router(1st hop), closest to the source. (does this make sense?)

115
Views
0
Helpful
3
Replies
CreatePlease to create content