Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Applying ACL on 2600 with ATM

Hi,

I'm having an issue trying to apply an ACL to a 2600 router. Whenever the ACL is applied to the E0/0 interface, all network access to the router is stopped. I'm wondering if this has something to do with the router doing ATM??? I'll post the config below. Basically we're trying to only allow http access to the outside from 10.35.0.x and prevent from 10.35.1-255.x

Any help is greatly appreciated.

Config

-------

!

version 12.0

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname Botkins_2610

!

enable secret 5 *********

!

!

!

!

!

memory-size iomem 15

ip subnet-zero

!

!

!

!

!

!

interface Ethernet0/0

ip address 192.168.0.1 255.255.255.0 secondary

ip address 10.35.0.1 255.255.0.0

no ip directed-broadcast

half-duplex

!

interface ATM1/0

no ip address

no ip directed-broadcast

atm vc-per-vp 4096

no atm ilmi-keepalive

!

interface ATM1/0.23 multipoint

description pvc to WOCO

ip address 10.200.23.2 255.255.255.0

no ip directed-broadcast

map-group woco

atm pvc 23 0 123 aal5snap

!

ip classless

ip route 0.0.0.0 0.0.x.x.200.23.1

no ip http server

!

!

map-list woco

ip 10.200.23.1 atm-vc 23 broadcast

access-list 100 permit tcp 10.35.0.0 0.0.0.255 any eq www

snmp-server engineID local xxx

snmp-server community public RO

snmp-server community string RO

snmp-server community community RO

snmp-server community en RO

!

!

line con 0

transport input none

line aux 0

line vty 0 4

password ****

login

!

no scheduler allocate

end

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Silver

Re: Applying ACL on 2600 with ATM

Mike

As you have figured out, the implied deny at the bottom of an access list (both extended access list and standard access list) is a deny for everything not just for the particular protocol and port that you permitted.

Even though the router will be looking at all packets going over the interface it is a fairly simple access list and I would not expect to see a significant performance hit from applying the access list.

HTH

Rick

4 REPLIES
Hall of Fame Super Silver

Re: Applying ACL on 2600 with ATM

Mike

You have not showed us how you are applying the access list. From the way it is structured I am assuming that you apply it with ip access-group 100 in under the Ethernet interface. Is that correct?

The explanation of your problem is relatively simple: your access list appears to have a single line which permits a single /24 subnet to access www anywhere. In every access list there is an implied deny ip any any at the bottom of the list. So that anything that is not permitted is denied. If you want to allow this particular subnet to access www, to allow no other subnet to access www, and then to allow all other traffic this I would suggest that you use an access list like this:

access-list 100 permit tcp 10.35.0.0 0.0.0.255 any eq www

access-list 100 deny tcp any any eq www

access-list 100 permit ip any any

This will allow the www access from the particular subnet, will deny all other www access, and will permit other traffic. If that is not what you want to accomplish then perhaps you can clarify your requirements.

HTH

Rick

New Member

Re: Applying ACL on 2600 with ATM

Rick,

Yes, that is correct, I'm applying it to "in" on the E0/0 interface.

I see what you're saying about the implied deny. I'm going through CCNA classes, and from what I understood is that there would be an implied deny for just www (or whatever permit I had entered) and not all IP traffic if I use an extended list... I guess this is not the case.

Thank you so much for solving this.

-Mike

New Member

Re: Applying ACL on 2600 with ATM

One more question... This router is connected to the rest of our WAN via a T1 line. With a 2600 router, do you think this ACL will have a big performance degradation since it will have to look at every packet now?

Thanks,

-Mike

Hall of Fame Super Silver

Re: Applying ACL on 2600 with ATM

Mike

As you have figured out, the implied deny at the bottom of an access list (both extended access list and standard access list) is a deny for everything not just for the particular protocol and port that you permitted.

Even though the router will be looking at all packets going over the interface it is a fairly simple access list and I would not expect to see a significant performance hit from applying the access list.

HTH

Rick

111
Views
0
Helpful
4
Replies
CreatePlease login to create content