https://community.cisco.com/t5/network-security/blocking-one-way-traffic-on-subinterface-vlans/m-p/1583530#M577827 <HTML><HEAD></HEAD><BODY><P>I don't have rights to your link <SPAN __jive_emoticon_name="confused" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/confused.gif"></SPAN></P></BODY></HTML> Wed, 15 Dec 2010 21:32:47 GMT jacob.dixon 2010-12-15T21:32:47Z https://community.cisco.com/t5/network-security/blocking-one-way-traffic-on-subinterface-vlans/m-p/1583528#M577825 <P>I seem to be having a problem wrapping my head around what is going on or what to do.</P><P></P><P>What I have is two subinterfaces:</P><P></P><P><SPAN style="color: #800000;">interface FastEthernet0/1.1<BR /> encapsulation dot1Q 10<BR /> ip address 10.10.2.254 255.255.255.0<BR /> ip access-group vlan10_in in<BR /> ip nat inside<BR /> ip virtual-reassembly<BR />!<BR />interface FastEthernet0/1.2<BR /> encapsulation dot1Q 20<BR /> ip address 10.10.3.254 255.255.255.0<BR /> ip nat inside<BR /> ip virtual-reassembly<BR />!</SPAN></P><P></P><P>Now what I am trying to do is block the 10.10.3.x network from accessing the 10.10.2.x network BUT I want the 10.10.2.x network to be able to access the 10.10.3.x network.</P><P></P><P>The access list I setup is:</P><P></P><P><SPAN style="color: #800000;">Extended IP access list vlan10_in<BR />&nbsp;&nbsp;&nbsp; 10 deny ip 10.10.2.0 0.0.0.255 10.10.3.0 0.0.0.255 log (7 matches)<BR />&nbsp;&nbsp;&nbsp; 20 permit ip any any log</SPAN></P><P></P><P>Now I setup logging to try to understand this better. When I try to PING from 10.10.3.x to 10.10.2.x I get:</P><P><SPAN style="color: #800000;">*Dec 15 18:30:34.553: %SEC-6-IPACCESSLOGDP: list vlan10_in denied icmp 10.10.2.100 -&gt; 10.10.3.100 (0/0), 1 packet</SPAN></P><P></P><P>But when I try from 10.10.2.x PING 10.10.3.x I get nothing. The ping actually shows a "Destination net unreachable".</P><P></P><P>I know my logic is wrong because its not working.. but I'm trying to understand this better.</P><P>Without this access-list/group everything works fine. Both networks can get to the NET and see each other.</P> Mon, 11 Mar 2019 19:22:45 GMT https://community.cisco.com/t5/network-security/blocking-one-way-traffic-on-subinterface-vlans/m-p/1583528#M577825 jacob.dixon 2019-03-11T19:22:45Z https://community.cisco.com/t5/network-security/blocking-one-way-traffic-on-subinterface-vlans/m-p/1583529#M577826 <HTML><HEAD></HEAD><BODY><P>Yes, your logic is incorrect.</P><P>The regular ACL could not fit your requirement.</P><P>You have to use IOS firewall feature to realize this.</P><P>Here is an example.</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/partner/products/sw/secursw/ps1018/products_configuration_example09186a008009445f.shtml">http://www.cisco.com/en/US/partner/products/sw/secursw/ps1018/products_configuration_example09186a008009445f.shtml</A></P></BODY></HTML> Wed, 15 Dec 2010 21:05:20 GMT https://community.cisco.com/t5/network-security/blocking-one-way-traffic-on-subinterface-vlans/m-p/1583529#M577826 Yudong Wu 2010-12-15T21:05:20Z https://community.cisco.com/t5/network-security/blocking-one-way-traffic-on-subinterface-vlans/m-p/1583530#M577827 <HTML><HEAD></HEAD><BODY><P>I don't have rights to your link <SPAN __jive_emoticon_name="confused" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/confused.gif"></SPAN></P></BODY></HTML> Wed, 15 Dec 2010 21:32:47 GMT https://community.cisco.com/t5/network-security/blocking-one-way-traffic-on-subinterface-vlans/m-p/1583530#M577827 jacob.dixon 2010-12-15T21:32:47Z https://community.cisco.com/t5/network-security/blocking-one-way-traffic-on-subinterface-vlans/m-p/1583531#M577828 <HTML><HEAD></HEAD><BODY><P>Here is another one</P><P></P><P><A class="active_link" href="http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094e8b.shtml">http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094e8b.shtml</A></P><P></P><P>I hope it helps.</P><P></P><P>PK</P></BODY></HTML> Wed, 15 Dec 2010 22:27:47 GMT https://community.cisco.com/t5/network-security/blocking-one-way-traffic-on-subinterface-vlans/m-p/1583531#M577828 Panos Kampanakis 2010-12-15T22:27:47Z https://community.cisco.com/t5/network-security/blocking-one-way-traffic-on-subinterface-vlans/m-p/1583532#M577829 <HTML><HEAD></HEAD><BODY><P>pdf attached.</P></BODY></HTML> Wed, 15 Dec 2010 22:51:21 GMT https://community.cisco.com/t5/network-security/blocking-one-way-traffic-on-subinterface-vlans/m-p/1583532#M577829 Yudong Wu 2010-12-15T22:51:21Z