
Cisco ACL help

Joined: Oct 3, 2005 / Messages: 1 / Location: US
I have a Cisco 2612 router on my network that has 2 WIC cards in it. One connects to another 2612 router that is directly connected to my backbone, and the other WIC connects to a router where I want to limit the users from accessing resources on my network. I am using T1 lines at all of the locations to connect to each other. My question is: where do I place the ACL on the router with the 2 WICs? On the inbound or outbound of the Ethernet interface? Serial 0/1 connects to the network I want to limit. I do not have access to the router this connects to, and I don't want them to be able to access anything other than what I have listed in the ACL.



User Access Verification

Password:
net-fm-T1rtr>ena
Password:
net-fm-T1rtr#show run
Building configuration...

Current configuration:
!
version 11.3
!
hostname net-fm-T1rtr
!
enable secret 5 $
!
memory-size iomem 10
ip subnet-zero
!
!
!
interface Loopback0
ip address xxxxxxxxx 255.255.255.255
no ip directed-broadcast
!
interface Ethernet0/0
ip address xxxxxxxxxx 255.255.255.0
ip access-group 150 out
no ip directed-broadcast
no lat enabled
!
interface Serial0/0
ip address xxxxxxxxxxx 255.255.255.0
no ip directed-broadcast
no ip mroute-cache
service-module t1 clock source internal
service-module t1 timeslots 1-24
service-module t1 remote-alarm-enable
!
interface Serial0/1
description **** T1 trunk to FM PD ****
ip address 10.1.39.1 255.255.255.0
service-module t1 clock source internal
service-module t1 timeslots 1-24
service-module t1 remote-alarm-enable
!
router eigrp 21
redistribute static
network 10.0.0.0
network 192.168.5.0
no auto-summary
!
ip classless
ip route 192.168.5.0 255.255.255.0 10.1.39.2 (other router)
access-list 150 deny ip 192.168.5.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 150 deny ip 192.168.5.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 150 deny ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 150 permit ip 192.0.0.0 0.255.255.255 host 10.1.2.11
access-list 150 permit ip 192.0.0.0 0.255.255.255 host 10.1.3.32
access-list 150 permit ip any any
!
snmp-server community


!
line con 0
password
login
line aux 0
password
login
line vty 0 4
password
login
!
end

net-fm-T1rtr#
 
The extended ACL you've created gives you a fair bit of flexibility as to where you can place the ACL. Typically where you place the ACL comes down to a few things. However, given what you've described, you could consider placing the ACL inbound on s0/1. This will give you the benefit of reducing CPU overhead on the router in question.

If you place it on the Ethernet interface, you force the router to perform route lookups as normal, check the ACL and then discard it.

HTH
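As an added example (not part of the thread and not either poster's words), the Python below is a small first-match evaluator for Cisco-style extended IP ACLs, run over access-list 150 exactly as posted. Cisco ACLs are evaluated top to bottom, the first matching entry wins, and anything unmatched hits an implicit deny at the end. Checking the posted list under those rules shows that, for a source on 192.168.5.0/24, the two host permits (10.1.2.11 and 10.1.3.32) sit behind the `deny ... 10.0.0.0 0.255.255.255` entry and can never be reached. The `REORDERED_ACL` list is an assumption about what the poster intended (the host permits moved ahead of the denies); the evaluator only understands `ip` entries written with an address/wildcard pair, `host X` or `any`, which covers everything in the post.

```python
"""Added example (not from the Tek-Tips thread): a first-match evaluator for
Cisco-style extended IP ACLs, run over access-list 150 from the post to show
which entry a given flow actually hits, and which entries can never be hit for
a source on 192.168.5.0/24 because an earlier deny already covers them.
Supports only 'ip' entries using 'A.B.C.D wildcard', 'host X' and 'any'."""
import ipaddress

# ACL exactly as posted in the thread (copied here so the example runs offline)
ORIGINAL_ACL = [
    "access-list 150 deny ip 192.168.5.0 0.0.0.255 172.16.0.0 0.15.255.255",
    "access-list 150 deny ip 192.168.5.0 0.0.0.255 10.0.0.0 0.255.255.255",
    "access-list 150 deny ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.255.255",
    "access-list 150 permit ip 192.0.0.0 0.255.255.255 host 10.1.2.11",
    "access-list 150 permit ip 192.0.0.0 0.255.255.255 host 10.1.3.32",
    "access-list 150 permit ip any any",
]

# Same entries with the two host permits moved ahead of the denies so that
# first-match evaluation can reach them (assumption about the poster's intent).
REORDERED_ACL = ORIGINAL_ACL[3:5] + ORIGINAL_ACL[0:3] + ORIGINAL_ACL[5:]


def _parse_target(tokens, i):
    """Parse one address spec at tokens[i]; return (network, wildcard, next index)."""
    tok = tokens[i]
    if tok == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    return (int(ipaddress.IPv4Address(tok)),
            int(ipaddress.IPv4Address(tokens[i + 1])), i + 2)


def parse_acl(lines):
    """Turn 'access-list N <action> ip <src> <dst>' lines into tuples."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            raise ValueError("unsupported entry: " + line)
        src, src_w, i = _parse_target(t, 4)
        dst, dst_w, _ = _parse_target(t, i)
        entries.append((t[2], src, src_w, dst, dst_w, line))
    return entries


def _matches(addr, net, wild):
    # Cisco wildcard bits set to 1 mean "don't care"; compare only the 0 bits.
    care = ~wild & 0xFFFFFFFF
    return addr & care == net & care


def evaluate(lines, src_ip, dst_ip):
    """Return (action, 1-based entry number), or ('deny', 0) for the implicit deny."""
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    for n, (action, net, wild, dnet, dwild, _) in enumerate(parse_acl(lines), 1):
        if _matches(s, net, wild) and _matches(d, dnet, dwild):
            return action, n
    return "deny", 0


def shadowed_for_source(lines, src_ip):
    """For one source address, list (entry, shadowing_entry) pairs where the
    entry's own representative destination is already decided by an earlier
    entry, i.e. the later entry is unreachable for that source."""
    out = []
    for n, (_, _, _, dnet, dwild, _) in enumerate(parse_acl(lines), 1):
        care = ~dwild & 0xFFFFFFFF
        rep_dst = str(ipaddress.IPv4Address(dnet & care))
        _, hit = evaluate(lines, src_ip, rep_dst)
        if hit and hit < n:
            out.append((n, hit))
    return out


if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("reordered", REORDERED_ACL)):
        print(name, "192.168.5.10 -> 10.1.2.11:", evaluate(acl, "192.168.5.10", "10.1.2.11"))
        print(name, "unreachable for 192.168.5.10:", shadowed_for_source(acl, "192.168.5.10"))
```

Running it reports that in the posted order entries 4 and 5 are unreachable for a 192.168.5.x source (both are pre-empted by entry 2), while in the reordered list every entry can be hit. Whichever order is used, the placement the reply recommends means the access-list is bound with `ip access-group 150 in` under `interface Serial0/1` instead of the `out` binding currently on Ethernet0/0, so the router drops unwanted traffic before doing a route lookup for it.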
 