Applying ACL on 2600 with ATM

chantman06
Level 1

Hi,

I'm having an issue trying to apply an ACL to a 2600 router. Whenever the ACL is applied to the E0/0 interface, all network access to the router is stopped. I'm wondering if this has something to do with the router doing ATM??? I'll post the config below. Basically we're trying to only allow http access to the outside from 10.35.0.x and prevent from 10.35.1-255.x

Any help is greatly appreciated.

Config

-------

!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Botkins_2610
!
enable secret 5 *********
!
memory-size iomem 15
ip subnet-zero
!
interface Ethernet0/0
 ip address 192.168.0.1 255.255.255.0 secondary
 ip address 10.35.0.1 255.255.0.0
 no ip directed-broadcast
 half-duplex
!
interface ATM1/0
 no ip address
 no ip directed-broadcast
 atm vc-per-vp 4096
 no atm ilmi-keepalive
!
interface ATM1/0.23 multipoint
 description pvc to WOCO
 ip address 10.200.23.2 255.255.255.0
 no ip directed-broadcast
 map-group woco
 atm pvc 23 0 123 aal5snap
!
ip classless
ip route 0.0.0.0 0.0.x.x.200.23.1
no ip http server
!
map-list woco
 ip 10.200.23.1 atm-vc 23 broadcast
access-list 100 permit tcp 10.35.0.0 0.0.0.255 any eq www
snmp-server engineID local xxx
snmp-server community public RO
snmp-server community string RO
snmp-server community community RO
snmp-server community en RO
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password ****
 login
!
no scheduler allocate
end


4 Replies

Richard Burts
Hall of Fame

Mike

You have not shown us how you are applying the access list. From the way it is structured I am assuming that you apply it with ip access-group 100 in under the Ethernet interface. Is that correct?

The explanation of your problem is relatively simple: your access list appears to have a single line which permits a single /24 subnet to access www anywhere. In every access list there is an implied deny ip any any at the bottom of the list, so anything that is not permitted is denied. If you want to allow this particular subnet to access www, to allow no other subnet to access www, and then to allow all other traffic, I would suggest that you use an access list like this:

access-list 100 permit tcp 10.35.0.0 0.0.0.255 any eq www
access-list 100 deny tcp any any eq www
access-list 100 permit ip any any

This will allow the www access from the particular subnet, will deny all other www access, and will permit other traffic. If that is not what you want to accomplish then perhaps you can clarify your requirements.

HTH

Rick

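As an added illustration (not from the thread), a small Python evaluator of the two access lists discussed above: it applies Cisco wildcard-mask matching and the implicit deny at the end of the list, so you can see the one-line ACL deny every non-www packet while the corrected three-line ACL lets other traffic through. The ACL text is taken from the posts; the packet samples are constructed.

```python
import ipaddress

# Constructed sample ACLs: the one-line list from the original post and
# Rick's corrected three-line version (assumption: applied inbound on E0/0).
ORIGINAL_ACL = ["access-list 100 permit tcp 10.35.0.0 0.0.0.255 any eq www"]
CORRECTED_ACL = [
    "access-list 100 permit tcp 10.35.0.0 0.0.0.255 any eq www",
    "access-list 100 deny tcp any any eq www",
    "access-list 100 permit ip any any",
]
PORT_NAMES = {"www": 80}  # IOS port keyword used in the thread

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = 0xFFFFFFFF & ~int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def parse_entry(line):
    """Parse 'access-list N action proto src [wc] dst [wc] [eq port]'."""
    tok = line.split()
    action, proto, i = tok[2], tok[3], 4

    def read_addr():
        nonlocal i
        if tok[i] == "any":
            i += 1
            return "0.0.0.0", "255.255.255.255"
        i += 2
        return tok[i - 2], tok[i - 1]

    src, dst = read_addr(), read_addr()
    port = None
    if i < len(tok) and tok[i] == "eq":
        port = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return action, proto, src, dst, port

def evaluate(acl_lines, proto, src_ip, dst_ip, dst_port=None):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for action, aproto, (sb, sw), (db, dw), port in map(parse_entry, acl_lines):
        if aproto != "ip" and aproto != proto:
            continue
        if not (wildcard_match(src_ip, sb, sw) and wildcard_match(dst_ip, db, dw)):
            continue
        if port is not None and port != dst_port:
            continue
        return action
    return "deny"  # the implicit 'deny ip any any' at the bottom of every list
```

Try a DNS or ICMP packet from a 10.35.0.x host against ORIGINAL_ACL and it comes back "deny", which is exactly why all access through E0/0 stopped.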

Rick,

Yes, that is correct, I'm applying it to "in" on the E0/0 interface.

I see what you're saying about the implied deny. I'm going through CCNA classes, and from what I understood, there would be an implied deny for just www (or whatever permit I had entered) and not all IP traffic if I used an extended list... I guess this is not the case.

Thank you so much for solving this.

-Mike

One more question... This router is connected to the rest of our WAN via a T1 line. With a 2600 router, do you think this ACL will have a big performance degradation since it will have to look at every packet now?

Thanks,

-Mike

Mike

As you have figured out, the implied deny at the bottom of an access list (both extended access list and standard access list) is a deny for everything, not just for the particular protocol and port that you permitted.

Even though the router will be looking at all packets going over the interface it is a fairly simple access list and I would not expect to see a significant performance hit from applying the access list.

HTH

Rick
