[Search for users] [Overall Top Noters] [List of all Conferences] [Download this site]

Conference kernel::cisco

Title:	CISCO
Notice:	<<< The Menlo Park Routers >>>
Moderator:	KERNEL::SYSTEM

Created:	Wed May 26 1993
Last Modified:	Thu Jun 05 1997
Last Successful Update:	Fri Jun 06 1997
Number of topics:	515
Total number of notes:	1440

511.0. "IP access list" by TPOVC::MIKECHANG () Mon May 26 1997 16:47

 Hardware/SW Platform : 7507
 IOS Software Version : 11.2
 Feature Set 	      : Authentication
 Problem Summary      : Deny is oneway or bi-dirction in standar IP access list
 Problem Description  :


    		    Host A(192.168.1.1)   B(192.168.1.2)     CISCO 7507
         		   |   			  |	    
   192.168.1.0 VLAN A    --+----------------------+----------FastE1/0.10
   192.168.2.0 VLAN B    ------------------------------------FastE1/0.20
   192.168.6.0 VLAN C    --------+---------------------------FastE1/0.30
               			 |
         		Host C(192.168.6.3)

The configuration is shown above,3VLAN are connected by Catalyst 5000 and trunk
to CISCO 7507. The goal of access list is to deny host B to access the host of
192.168.6.0  Per manual setting is done BUT the result is diffenent and 
unexpected,anything is wrong please point it out,your input are very appreciated

 access-list 1 deny   192.168.1.2  0.0.0.0
 access-list 1 permit 192.168.1.1  0.0.0.0  (for troubleshooting only)  
 access-list 1 permit any

 Interface FastE1/0.30
 ip access-group 1 out

 The result : 

 a) Host B ping host C,We got ICMP_TYPE(3) message (ie. Dest Unreachable) in 
    each ping ICMP packet in host B and final return "192.168.6.3 does not 
    Responde" 
 b) BUT host C ping host B,wait and untill timeout and got "192.168.1.2 does 
    not responde" message.

  The deny is bi-direction ? anything is wrong ?

T.R Title User Personal
Name Date Lines

511.1 Not the accesslist, but PING is BI-directional MUNICH::SCHALLER Eva Schaller *DSC* 895-6146 Mon Jun 02 1997 15:01 11

T.R	Title	User	Personal Name	Date	Lines
511.1	Not the accesslist, but PING is BI-directional	MUNICH::SCHALLER	Eva Schaller DSC 895-6146	`Mon Jun 02 1997 15:01`	11
	If you ping a host, you send an echo request and the other one has to answer with echo reply, which host B cannot send back to host c due to the access list. You can see this with putting a terminal to host B and doing a DEBUG IP ICMP. The message from host C should show up and also the reply from B, which is then blocked. Its not bi directional (except if there is a bug also), but some protocols expect replies. If they are blocked, they also treat this as beeing unreachable. regards eva

    If you ping a host, you send an echo request and the other one has to
    answer with echo reply, which host B cannot send back to host c due to
    the access list. You can see this with putting a terminal to host B
    and doing a DEBUG IP ICMP. The message from host C should show up and
    also the reply from B, which is then blocked.
    
    Its not bi directional (except if there is a bug also), but some
    protocols expect replies. If they are blocked, they also treat this as
    beeing unreachable.
    
    regards eva