02-09-2004 05:00 AM - edited 03-02-2019 01:27 PM
Hello, my issue is regarding intra-VLAN ACLs. I have several VLANs; below is an example of what I am trying to set up using named lists. This is a 3550 EMI. I have tried several configurations regarding inbound and outbound application to the VLAN interface and I seem to get the same results: if a packet hits one rule it is allowing the traffic in both directions, i.e. I just apply the permit tcp 10.8.20.0 0.0.0.63 10.8.16.248 0.0.0.7 on the inbound direction and it allows all the traffic from both 10.8.20.0 and 10.8.16.228 both ways. I watch my counters and establish sessions both ways. So when I break up the ACLs into inbound and outbound I get hits on both groups, but when I remove one group the traffic still flows both ways. I want to be able to establish communications from many subnets back to the 10.8.20.0 but do not want that subnet establishing them back to the other subnets.
Second question I have is, since both of these VLANs are on the same box and .1 is the interface of each, they can see each other's .1 address and in effect also their subnet, as well as VTY access. How do I block, in this case, Vlan601 from accessing VTY or even being able to ping the interface of another connected VLAN? I have tried using a host entry with the interface IP and that did not work either.
!
interface Vlan601
ip address 10.8.1.1 255.255.254.0
!
interface Vlan45
ip address 10.8.20.1 255.255.255.192
ip access-group Sin in
ip access-group Sout out
ip access-list extended Sin
permit icmp 10.8.20.0 0.0.0.63 10.8.8.248 0.0.0.7 log
permit icmp 10.8.20.0 0.0.0.63 10.8.16.248 0.0.0.7 log
permit icmp 10.8.20.0 0.0.0.63 10.1.30.0 0.0.0.255 log
permit icmp 10.8.20.0 0.0.0.63 10.1.18.4 0.0.0.3 log
permit tcp 10.8.20.0 0.0.0.63 10.8.8.248 0.0.0.7 log
permit tcp 10.8.20.0 0.0.0.63 10.8.16.248 0.0.0.7 log
permit tcp 10.8.20.0 0.0.0.63 10.1.30.0 0.0.0.255 log
permit tcp 10.8.20.0 0.0.0.63 10.1.18.4 0.0.0.3 log
deny icmp any any log
deny ip any any log-input
ip access-list extended Sout
permit icmp 10.8.8.240 0.0.0.7 10.8.20.0 0.0.0.63 log
permit icmp 10.8.16.248 0.0.0.7 10.8.20.0 0.0.0.63 log
permit icmp 10.1.30.0 0.0.0.255 10.8.20.0 0.0.0.63 log
permit icmp 10.1.8.4 0.0.0.3 10.8.20.0 0.0.0.63 log
permit tcp 10.8.8.248 0.0.0.7 10.8.20.0 0.0.0.63 log
permit tcp 10.8.16.248 0.0.0.7 10.8.20.0 0.0.0.63 log
permit tcp 10.1.30.0 0.0.0.255 10.8.20.0 0.0.0.63 log
permit tcp 10.1.18.4 0.0.0.3 10.8.20.0 0.0.0.63 log
deny icmp any any log
deny ip any any log-input
!
Thanks much
Brett
02-09-2004 05:29 AM
Another example is where I moved all the rules to a single inbound list and sent 4 pings from each of the 8.20.0 and the 1.30.0, and all 8 ended up on the same rule. I am confused as to whether source and destination really mean anything in the ACLs, as I have a one-way deny right below it that never gets touched.
Extended IP access list Sin
permit icmp 10.8.20.0 0.0.0.63 10.8.8.248 0.0.0.7 log-input
permit icmp 10.8.20.0 0.0.0.63 10.8.16.248 0.0.0.7 log-input
permit icmp 10.8.20.0 0.0.0.63 10.1.30.0 0.0.0.255 log-input (8 matches)
deny icmp 10.1.30.0 0.0.0.255 10.8.20.0 0.0.0.63 log-input
permit icmp 10.8.20.0 0.0.0.63 10.1.18.4 0.0.0.3 log-input
permit tcp 10.8.20.0 0.0.0.63 10.8.8.248 0.0.0.7 log-input
permit tcp 10.8.20.0 0.0.0.63 10.8.16.248 0.0.0.7 log-input
permit tcp 10.8.20.0 0.0.0.63 10.1.30.0 0.0.0.255 log-input
permit icmp 10.8.8.240 0.0.0.7 10.8.20.0 0.0.0.63 log-input
permit icmp 10.8.16.248 0.0.0.7 10.8.20.0 0.0.0.63 log-input
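The behaviour described in both posts can be reproduced with a small simulation of how a stateless, first-match extended ACL is applied to an SVI. This is an added example, not part of the thread and not Cisco code; it assumes the standard IOS semantics that "in" on an SVI filters packets arriving from that VLAN's hosts while "out" filters packets leaving toward them, that every list ends in an implicit deny, and that the real IOS `established` keyword matches only TCP segments with the ACK or RST bit set. The two hosts 10.8.20.5, 10.8.16.250 and 10.1.30.9 are constructed sample addresses inside the subnets from the posted lists.

```python
"""Stateless, first-match simulation of IOS extended ACLs applied to an SVI.
Added example for the thread above; assumptions: on an SVI, 'in' filters packets
arriving from the VLAN's hosts and 'out' filters packets leaving toward them;
'established' matches TCP segments with ACK or RST set; a trailing implicit deny."""
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str          # "tcp" or "icmp"
    src: str
    dst: str
    ack: bool = False   # TCP ACK/RST bit set (False for the initial SYN)


def _i(a):
    return int(ipaddress.IPv4Address(a))


def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: 1-bits are don't-care, 0-bits must match."""
    care = ~_i(wildcard) & 0xFFFFFFFF
    return (_i(addr) & care) == (_i(base) & care)


def _addr(tokens, i):
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_acl(text):
    """Parse 'permit|deny proto src wc dst wc [established] [log...]' lines."""
    acl = []
    for line in text.strip().splitlines():
        t = line.split()
        src, i = _addr(t, 2)
        dst, i = _addr(t, i)
        acl.append({"action": t[0], "proto": t[1], "src": src, "dst": dst,
                    "established": "established" in t[i:]})
    return acl


def lookup(acl, pkt):
    """Return (ace_index, action) of the first match; (None, 'deny') is the implicit deny."""
    for n, ace in enumerate(acl):
        if ace["proto"] not in ("ip", pkt.proto):
            continue
        if not (wildcard_match(pkt.src, *ace["src"]) and wildcard_match(pkt.dst, *ace["dst"])):
            continue
        if ace["established"] and not (pkt.proto == "tcp" and pkt.ack):
            continue
        return n, ace["action"]
    return None, "deny"


def svi_filter(pkt, vlan_net, acl_in, acl_out):
    """Choose the list by direction relative to the SVI's own VLAN; no list means permit."""
    acl = acl_in if ipaddress.ip_address(pkt.src) in vlan_net else acl_out
    return lookup(acl, pkt)[1] if acl is not None else "permit"


def tcp_session_allowed(client, server, vlan_net, acl_in, acl_out):
    """Model the three-way handshake; every segment must be permitted."""
    handshake = [Packet("tcp", client, server, ack=False),   # SYN
                 Packet("tcp", server, client, ack=True),    # SYN-ACK
                 Packet("tcp", client, server, ack=True)]    # ACK
    return all(svi_filter(p, vlan_net, acl_in, acl_out) == "permit" for p in handshake)


def ping_hits(inbound_acl, vlan_net, a, b, count):
    """Count which inbound ACE each packet of 'count' pings a->b and b->a hits."""
    hits = Counter()
    for _ in range(count):
        for req_src, req_dst in ((a, b), (b, a)):
            for p in (Packet("icmp", req_src, req_dst), Packet("icmp", req_dst, req_src)):
                if ipaddress.ip_address(p.src) in vlan_net:   # only these ever enter 'in'
                    hits[lookup(inbound_acl, p)[0]] += 1
    return hits


VLAN45 = ipaddress.ip_network("10.8.20.0/26")
SIN = parse_acl("""
permit tcp 10.8.20.0 0.0.0.63 10.8.16.248 0.0.0.7 log
deny ip any any log-input""")
SOUT = parse_acl("""
permit tcp 10.8.16.248 0.0.0.7 10.8.20.0 0.0.0.63 log
deny ip any any log-input""")
# Same inbound list with 'established': VLAN 45 hosts may answer, not initiate.
SIN_EST = parse_acl("""
permit tcp 10.8.20.0 0.0.0.63 10.8.16.248 0.0.0.7 established log
deny ip any any log-input""")
# The single inbound list from the second post, reduced to the two relevant lines.
SIN_PING = parse_acl("""
permit icmp 10.8.20.0 0.0.0.63 10.1.30.0 0.0.0.255 log-input
deny icmp 10.1.30.0 0.0.0.255 10.8.20.0 0.0.0.63 log-input""")

if __name__ == "__main__":
    print(tcp_session_allowed("10.8.20.5", "10.8.16.250", VLAN45, SIN, SOUT))      # True
    print(tcp_session_allowed("10.8.16.250", "10.8.20.5", VLAN45, SIN, SOUT))      # True: stateless
    print(tcp_session_allowed("10.8.20.5", "10.8.16.250", VLAN45, SIN_EST, SOUT))  # False: bare SYN denied
    print(tcp_session_allowed("10.8.16.250", "10.8.20.5", VLAN45, SIN_EST, SOUT))  # True: replies carry ACK
    print(ping_hits(SIN_PING, VLAN45, "10.8.20.5", "10.1.30.9", 4))               # Counter({0: 8})
```

With the original Sin/Sout pair, a session can be opened from either side because each list independently permits one direction and neither tracks who sent the SYN. Adding `established` to the inbound permit drops the bare SYN from VLAN 45 while still permitting its SYN-ACK replies, which is the one-way initiation the first post asks for. The ping run shows why the deny line in the second post never counts: packets from 10.1.30.0 never traverse Vlan45 in the "in" direction, so the only packets the inbound list sees are the echo requests and echo replies sourced from 10.8.20.0, all eight of which land on the permit above it.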