
acl syntax

I have created the following access-list:

access-list 101 permit ip 10.193.101.0 0.0.0.255 host 25.1.3.252
access-list 101 permit ip 10.193.101.0 0.0.0.255 host 25.1.3.251
access-list 101 deny ip 10.193.101.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 deny ip 10.193.101.0 0.0.0.255 25.0.0.0 0.255.255.255
access-list 101 permit ip any any

I have applied it to a VLAN interface. My goal was to create a VLAN that would only have access to DNS and the web and block access to my internal network, which would be the 10.0.0.0 and the 25.0.0.0 networks. Once I applied this, I found that I still have access to my internal network. Is there something wrong with my syntax? Any suggestions?

3 REPLIES

Re: acl syntax

Change the last line to "access-list 101 permit ip any any log", enable logging on the router and add "logging buffered debug". Then test again, then "show log" to see why the traffic is being passed. The traffic you want blocked must be matching one of the permit statements in the list.


Re: acl syntax

I did as suggested, and it seems that the deny statements aren't working.

I changed the order they came in and entered them first in the access list, and they still do not work. Why is this? As soon as the router finds a match it should exit the access-list and permit or deny the packet based on what it finds. Why isn't this happening in my case?


Re: acl syntax

Please check your "access-group" statements:

You should write the statement as follows:

!
interface Vlan12
 ip address 10.193.101.1 255.255.255.0
 ip access-group 101 in
 ...
!
access-list 101 permit ip 10.193.101.0 0.0.0.255 host 25.1.3.252
access-list 101 permit ip 10.193.101.0 0.0.0.255 host 25.1.3.251
access-list 101 deny ip 10.193.101.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 deny ip 10.193.101.0 0.0.0.255 25.0.0.0 0.255.255.255
access-list 101 permit ip any any
!

Onur D CAKIR
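To show why the direction in "ip access-group 101 in" matters, here is an added worked example (not from the thread or from Cisco) that evaluates the ACL above with first-match and wildcard-mask semantics. Applied "in" on the SVI, the packet checked has the VLAN host as its source, so the deny lines match; applied "out", the packet checked is the one leaving the router toward the VLAN, whose source is the internal host, and that only ever hits "permit ip any any". The ACL text and the sample addresses are constructed for this example.

```python
import ipaddress

# Constructed copy of the ACL posted in the thread.
ACL_101 = """
access-list 101 permit ip 10.193.101.0 0.0.0.255 host 25.1.3.252
access-list 101 permit ip 10.193.101.0 0.0.0.255 host 25.1.3.251
access-list 101 deny ip 10.193.101.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 deny ip 10.193.101.0 0.0.0.255 25.0.0.0 0.255.255.255
access-list 101 permit ip any any
"""

def parse_addr(tokens):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'.
    Returns ((network_int, wildcard_int), remaining_tokens)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    net = int(ipaddress.IPv4Address(tokens[0]))
    wc = int(ipaddress.IPv4Address(tokens[1]))
    return (net, wc), tokens[2:]

def parse_acl(text):
    """Parse 'access-list N action proto SRC DST' lines into entries."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto, rest = t[2], t[3], t[4:]
        src, rest = parse_addr(rest)
        dst, rest = parse_addr(rest)
        entries.append((action, proto, src, dst))
    return entries

def wc_match(addr, spec):
    """Cisco wildcard match: a set bit in the wildcard is a don't-care bit."""
    net, wc = spec
    a = int(ipaddress.IPv4Address(addr))
    return (a & ~wc & 0xFFFFFFFF) == (net & ~wc & 0xFFFFFFFF)

def evaluate(entries, src, dst):
    """First-match evaluation; the implicit deny applies if nothing matches."""
    for action, proto, s, d in entries:
        if wc_match(src, s) and wc_match(dst, d):
            return action
    return "deny"

ENTRIES = parse_acl(ACL_101)
```

evaluate(ENTRIES, "10.193.101.7", "10.5.5.5") returns "deny" (the inbound case), while evaluate(ENTRIES, "10.5.5.5", "10.193.101.7") returns "permit", which is what an "out" application of the same ACL would evaluate.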
