I have 2 subinterfaces configured with dot1q and using extended ACLs (both inbound). What I'm trying to achieve here is that a host on subinterface A (10.1.9.x subnet) is able to access a host on subinterface B (10.1.10.x subnet), but not from 10.1.10.x to 10.1.9.x.
I've tried the following ACLs for one of the hosts:
access-list 111 permit ip host 10.1.9.100 any (Applied inbound on subinterface A)
access-list 112 permit tcp host 10.1.10.100 10.71.9.100 established (Applied inbound on subinterface b)
Once the 112 config is applied on subinterface B, I noticed that I can't ping from either subnet. Any idea how to achieve what I require above?
Another question is, what's the difference between "Request Timed Out" and "Reply from 10.x.x.x: Destination host unreachable"? Thanks.
access-list 111 permit ip host 10.1.9.100 host 10.1.10.100 established
access-list 111 permit ip host 10.1.9.100 any (apply this inbound to INT-A)
This should allow 10.1.9.100 to make IP connections to 10.1.10.100, as well as allow 10.1.10.100 to send packets back to 10.1.9.100 for established TCP sessions only (while still allowing all other subnets to establish connections with 10.1.9.100).
Also, Request Timed Out means the router attempted to forward the packet and got no response/ack.
Reply from x.x.x.x: Destination Unreachable means that the router received an ICMP message when it forwarded the packet. This ICMP message was sent back to the forwarding router from the last-hop router that received the packet, to state that the destination network/host does not exist in its routing table, so it did not know where to forward the packet and had to drop it.
Hi! I haven't had the chance to try that out. Would the "established" keyword work on IP, or just TCP? Is the command given above the normal way to achieve this one-way-initiation-only requirement?
For "Request Timed Out" and "Reply from x.x.x.x: Destination Unreachable", which would be a better way of filtering traffic? E.g. if the message "Reply from x.x.x.x: Destination Unreachable" is from that subnet's gateway?
'established' is for a TCP session, as TCP is connection-oriented. (The session is therefore considered established if the packet has the ACK, PSH, RST, SYN, FIN or URG bits set.)
You requested a one-way restriction, so this will provide a one-way restriction.
(Also, you can use "access-list 111 deny ip host 10.1.9.100 host 10.1.10.100" after the first entry; I think I forgot that.)
For your last question, yes, filter as close to the source as possible. (This prevents other parts of the network from allocating resources for packets that are only going to get dropped further out.)
If you send out a packet and are getting a Destination Unreachable from 4 hops away, and you know that you cannot get that destination to respond, and you would like to keep the 3 previous hops from having to process packets that will be dropped, then yes, filter at your router (1st hop), closest to the source. (Does this make sense?)
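The thread above asks two things that are easier to see than to describe: why applying ACL 112 killed ping in both directions, and what `established` does and does not permit. The following is an added example written for this page, not code from any poster or from Cisco. It is a small simulator of Cisco IOS extended ACL evaluation (first match wins, implicit deny at the end) over the subset of syntax used in the thread, and it models `established` as Cisco IOS documents it: a stateless match on TCP segments with the ACK or RST bit set, valid only with the `tcp` protocol keyword. The ACL 112 line is written with the `host` keyword the posted line omitted, and `10.1.9.100` is assumed where the post wrote `10.71.9.100`; the packets are constructed, not captured.

```python
"""Added example (not from the thread): a toy Cisco IOS extended-ACL evaluator.
Parses only: access-list N {permit|deny} {ip|tcp|icmp} {any|host A} {any|host B}
             [established | echo | echo-reply]
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass
class Packet:
    proto: str                              # "tcp" or "icmp"
    src: str
    dst: str
    flags: FrozenSet[str] = frozenset()     # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}
    icmp_type: Optional[str] = None         # "echo" or "echo-reply"


@dataclass
class Entry:
    action: str
    proto: str
    src: str                                # IPv4 address or "any"
    dst: str
    established: bool = False
    icmp_type: Optional[str] = None


def _take_addr(tok: List[str], i: int) -> Tuple[str, int]:
    """Consume `any` or `host <ip>` starting at tok[i]; return (address, next index)."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    raise ValueError(f"unsupported address form at {' '.join(tok[i:])!r}")


def parse_acl(text: str) -> List[Entry]:
    """Parse ACL lines in order; raises ValueError on syntax IOS would reject,
    e.g. `established` on an `ip` entry (it is a TCP-only option)."""
    entries: List[Entry] = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:1] != ["access-list"]:
            raise ValueError(f"not an ACL line: {line}")
        action, proto = tok[2], tok[3]
        src, i = _take_addr(tok, 4)
        dst, i = _take_addr(tok, i)
        est, itype = False, None
        for opt in tok[i:]:
            if opt == "established" and proto == "tcp":
                est = True
            elif opt in ("echo", "echo-reply") and proto == "icmp":
                itype = opt
            else:
                raise ValueError(f"option {opt!r} is not valid with protocol {proto}: {line}")
        entries.append(Entry(action, proto, src, dst, est, itype))
    return entries


def is_valid_acl(text: str) -> bool:
    try:
        parse_acl(text)
        return True
    except ValueError:
        return False


def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """First matching entry wins; IOS appends an implicit `deny ip any any`."""
    for e in acl:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if e.src not in ("any", pkt.src) or e.dst not in ("any", pkt.dst):
            continue
        # `established` is stateless: it only checks that ACK or RST is set.
        if e.established and not (pkt.flags & {"ACK", "RST"}):
            continue
        if e.icmp_type is not None and e.icmp_type != pkt.icmp_type:
            continue
        return e.action
    return "deny"


A, B = "10.1.9.100", "10.1.10.100"

ACL_111 = parse_acl("access-list 111 permit ip host 10.1.9.100 any")
# ACL 112 as posted (with the `host` keyword and 10.1.9.100 assumed).
ACL_112_POSTED = parse_acl("access-list 112 permit tcp host 10.1.10.100 host 10.1.9.100 established")
# Same one-way policy, plus echo replies so that ping from A to B gets an answer.
ACL_112_FIXED = parse_acl("""
access-list 112 permit tcp host 10.1.10.100 host 10.1.9.100 established
access-list 112 permit icmp host 10.1.10.100 host 10.1.9.100 echo-reply
""")


def scenario(acl_b: List[Entry]) -> Dict[str, str]:
    """Verdicts for constructed packets entering subinterface A (ACL 111) or B (acl_b)."""
    return {
        "A ping B (echo in on A)":   evaluate(ACL_111, Packet("icmp", A, B, icmp_type="echo")),
        "B echo-reply (in on B)":    evaluate(acl_b, Packet("icmp", B, A, icmp_type="echo-reply")),
        "A SYN to B (in on A)":      evaluate(ACL_111, Packet("tcp", A, B, frozenset({"SYN"}))),
        "B SYN-ACK back (in on B)":  evaluate(acl_b, Packet("tcp", B, A, frozenset({"SYN", "ACK"}))),
        "B new SYN to A (in on B)":  evaluate(acl_b, Packet("tcp", B, A, frozenset({"SYN"}))),
        "B bare ACK to A (in on B)": evaluate(acl_b, Packet("tcp", B, A, frozenset({"ACK"}))),
    }


if __name__ == "__main__":
    for name, acl in (("ACL 112 as posted", ACL_112_POSTED), ("ACL 112 with echo-reply", ACL_112_FIXED)):
        print(name)
        for k, v in scenario(acl).items():
            print(f"  {k:28s} {v}")
    print("ip + established parses:", is_valid_acl(
        "access-list 111 permit ip host 10.1.9.100 host 10.1.10.100 established"))
```

Two rows are the ones to look at. With ACL 112 as posted, the echo reply coming back into subinterface B is not TCP, so it falls through to the implicit deny; that is why ping from A stopped working even though ACL 111 permits A's echo request. The last row is the caveat on `established`: it is not a stateful check, so a host on B can still send unsolicited segments with ACK set toward A (an ACK probe) and they are permitted; only new connections that start with a bare SYN are blocked.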