ACL Issue 1

jkaftan (MIS) - Apr 8, 2005
I have a network (VLAN8) that I want isolated from the rest of the network. I am trying to create an ACL that will block 10.0.0.0/8 from getting to this network. When I set up the ACL, it does not work.

1. I define the ACL

ip access-list extended Honeywell
deny icmp 10.0.0.0 0.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
permit ip any any

2. I setup the VLAN Interface and add the ACL inbound on the interface.

interface Vlan8
ip address 192.168.1.1 255.255.255.0
ip access-group Honeywell in

This should do the trick. However, I can ping a device on this network all day long from the 10.X networks. Afterwards I do a "sh ip access-lists" and get no hits.

Results of a "sh ip access-lists"

Extended IP access list Honeywell
10 deny icmp 10.0.0.0 0.255.255.255 any
20 deny ip 10.0.0.0 0.255.255.255 any
30 permit ip any any

If I shut down interface VLAN 8, the ping fails, so I know I am using the correct interface.

Where is my folly? Thanks
 
My goodness, I'm blind...
I see you apply it to the vlan, but if you don't want any traffic going from the 10.0.0.0/8 subnet to the 192.168.1.0/24 network, then...
access-list 101 deny ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255
access-list 101 permit ip any any
Then apply it inbound to the 192.168.1.0/24 network interface.

Burt
 
Burt

Of course! I was thinking that I do not want any traffic from 10.0.0.0 to go to "any" traffic through that port, like in a firewall.

Thanks.
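The thread turns on which direction an ACL on an SVI actually sees traffic. The following is an added example, not code from the Tek-Tips thread or from either poster: a small Python model of how IOS evaluates an extended ACL on a VLAN interface, which shows why the Honeywell list applied "in" on Vlan8 gets no hits for pings arriving from 10.0.0.0/8, and what happens when the same list is applied "out". It assumes, since the page does not say, that the 10.x hosts reach the router through some other SVI (modelled here as a hypothetical "Vlan10" with 10.0.0.0/8 attached); "in" means packets the router receives from hosts on that VLAN, "out" means packets it forwards toward them; entries are first-match-wins with an implicit deny at the end.

```python
"""Added example (not from the thread): ACL direction on an SVI, modelled.
Assumption: the 10.x side is a hypothetical SVI 'Vlan10' holding 10.0.0.0/8."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass
class Ace:
    seq: int
    action: str   # "permit" or "deny"
    proto: str    # "ip" matches any protocol; "icmp", "tcp", ... match only that one
    src: str
    src_wc: str   # wildcard mask: 0 bits must match, 1 bits are ignored
    dst: str
    dst_wc: str


def parse_acl(text: str) -> list:
    """Parse ACE lines as written in the thread:
    '<permit|deny> <proto> <src> <wc>|any|host <a> <dst> <wc>|any|host <a>'.
    Sequence numbers are assigned 10, 20, 30, ... as IOS does."""
    def take(tokens):
        if tokens[0] == "any":
            return "0.0.0.0", "255.255.255.255", tokens[1:]
        if tokens[0] == "host":
            return tokens[1], "0.0.0.0", tokens[2:]
        return tokens[0], tokens[1], tokens[2:]

    acl = []
    for n, line in enumerate(l for l in text.splitlines() if l.strip()):
        action, proto, *rest = line.split()
        src, src_wc, rest = take(rest)
        dst, dst_wc, rest = take(rest)
        acl.append(Ace((n + 1) * 10, action, proto, src, src_wc, dst, dst_wc))
    return acl


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: compare only the bits that are 0 in the mask."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care


def evaluate(acl: list, pkt: dict, hits: dict) -> str:
    """First matching ACE decides; each match is counted the way the
    'matches' column of 'sh ip access-lists' counts it. No match = implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt["proto"]:
            continue
        if (wildcard_match(pkt["src"], ace.src, ace.src_wc)
                and wildcard_match(pkt["dst"], ace.dst, ace.dst_wc)):
            hits[ace.seq] = hits.get(ace.seq, 0) + 1
            return ace.action
    return "deny"


@dataclass
class Svi:
    name: str
    network: IPv4Network
    acl_in: list = None
    acl_out: list = None


def forward(svis: list, pkt: dict, hits: dict) -> str:
    """Route one packet between directly attached SVIs. The 'in' ACL is checked
    on the SVI the packet came from, the 'out' ACL on the SVI it leaves through."""
    src, dst = IPv4Address(pkt["src"]), IPv4Address(pkt["dst"])
    ingress = next(s for s in svis if src in s.network)
    egress = next(s for s in svis if dst in s.network)
    if ingress.acl_in and evaluate(ingress.acl_in, pkt, hits) == "deny":
        return f"dropped by {ingress.name} in"
    if egress.acl_out and evaluate(egress.acl_out, pkt, hits) == "deny":
        return f"dropped by {egress.name} out"
    return f"forwarded to {egress.name}"


HONEYWELL = parse_acl("""
deny icmp 10.0.0.0 0.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
permit ip any any
""")
# Constructed test packet: an echo request from a 10.x host toward VLAN 8.
PING = {"proto": "icmp", "src": "10.1.2.3", "dst": "192.168.1.50"}


def as_posted() -> tuple:
    """The thread's configuration: Honeywell applied 'in' on Vlan8."""
    hits: dict = {}
    svis = [Svi("Vlan10", IPv4Network("10.0.0.0/8")),
            Svi("Vlan8", IPv4Network("192.168.1.0/24"), acl_in=HONEYWELL)]
    return forward(svis, PING, hits), hits


def applied_outbound() -> tuple:
    """Same ACL applied 'out' on Vlan8, the direction the 10.x traffic takes."""
    hits: dict = {}
    svis = [Svi("Vlan10", IPv4Network("10.0.0.0/8")),
            Svi("Vlan8", IPv4Network("192.168.1.0/24"), acl_out=HONEYWELL)]
    return forward(svis, PING, hits), hits


if __name__ == "__main__":
    print("as posted:       ", as_posted())        # forwarded, no hits
    print("applied outbound:", applied_outbound())  # dropped at seq 10
```

In the as-posted case the ping from 10.x enters the router on the 10.x side and leaves through Vlan8, so an "in" list on Vlan8 is never consulted and the counters stay at zero, exactly the symptom in the first post; the same list bound with `ip access-group Honeywell out` (or the equivalent inbound on the interface the 10.x traffic arrives on) matches sequence 10 and drops it.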
 