Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
249
Views
0
Helpful
1
Replies

Intra Vlan ACLS issues

mayer
Level 1
Level 1

‎02-09-2004 05:00 AM - edited ‎03-02-2019 01:27 PM

Hello my issue is regarding Intra-vlan ACL's. I have several vlans below in an example of what I am trying to set up using named lists. This is a 3550 EMI. I have tried several configurations regarding inbound and outbound applications to the vlan interface and I seem to get the same results that if a packet hits one rule it is allowing the traffic in both directions IE I just apply the permit tcp 10.8.20.0 0.0.0.63 10.8.16.248 0.0.0.7 on the inbound direction and it allows all the traffic from both 10.8.20.0 and 10.8.16.228 both ways. I watch my counters and establish sessions both ways. So when I break up the acls to inbound and outbound I get hits on both groups but when I remove one group and the traffic still flows both ways. I want to be able to establish communications from may subnets back to the 10.8.20.0 but do not what that subnet establishing them back to the other subnets

Second question I have is since both of these vlans are on the same box and .1 is the interface of each they can see each others .1 address in effect also their subnet as well as vty access. How do I block in this case vlan601 from accessing vty or even being able to ping the interface of another connected vlan? I have tried using a host entry with the interface IP and that did not work either.

!

interface Vlan601

ip address 10.8.1.1 255.255.254.0

!

interface Vlan45

ip address 10.8.20.1 255.255.255.192

ip access-group Sin in

ip access-group Sout out

ip access-list extended Sin

permit icmp 10.8.20.0 0.0.0.63 10.8.8.248 0.0.0.7 log

permit icmp 10.8.20.0 0.0.0.63 10.8.16.248 0.0.0.7 log

permit icmp 10.8.20.0 0.0.0.63 10.1.30.0 0.0.0.255 log

permit icmp 10.8.20.0 0.0.0.63 10.1.18.4 0.0.0.3 log

permit tcp 10.8.20.0 0.0.0.63 10.8.8.248 0.0.0.7 log

permit tcp 10.8.20.0 0.0.0.63 10.8.16.248 0.0.0.7 log

permit tcp 10.8.20.0 0.0.0.63 10.1.30.0 0.0.0.255 log

permit tcp 10.8.20.0 0.0.0.63 10.1.18.4 0.0.0.3 log

deny icmp any any log

deny ip any any log-input

ip access-list extended Sout

permit icmp 10.8.8.240 0.0.0.7 10.8.20.0 0.0.0.63 log

permit icmp 10.8.16.248 0.0.0.7 10.8.20.0 0.0.0.63 log

permit icmp 10.1.30.0 0.0.0.255 10.8.20.0 0.0.0.63 log

permit icmp 10.1.8.4 0.0.0.3 10.8.20.0 0.0.0.63 log

permit tcp 10.8.8.248 0.0.0.7 10.8.20.0 0.0.0.63 log

permit tcp 10.8.16.248 0.0.0.7 10.8.20.0 0.0.0.63 log

permit tcp 10.1.30.0 0.0.0.255 10.8.20.0 0.0.0.63 log

permit tcp 10.1.18.4 0.0.0.3 10.8.20.0 0.0.0.63 log

deny icmp any any log

deny ip any any log-input

!

Thanks much

Brett

Labels:
0 Helpful
1 Reply 1

mayer
Level 1
Level 1

‎02-09-2004 05:29 AM

Another example is where I moved all the rules to a single inbound list and sent 4 pings on from each from the 8.20 .0 and the 1.30.0 and all 8 ended up on the same rule. I am confused as to if source and destination really mean anything in the ACL's as I have a one way deny right below it that never gets touched

Extended IP access list Sin

permit icmp 10.8.20.0 0.0.0.63 10.8.8.248 0.0.0.7 log-input

permit icmp 10.8.20.0 0.0.0.63 10.8.16.248 0.0.0.7 log-input

permit icmp 10.8.20.0 0.0.0.63 10.1.30.0 0.0.0.255 log-input (8 matches)

deny icmp 10.1.30.0 0.0.0.255 10.8.20.0 0.0.0.63 log-input

permit icmp 10.8.20.0 0.0.0.63 10.1.18.4 0.0.0.3 log-input

permit tcp 10.8.20.0 0.0.0.63 10.8.8.248 0.0.0.7 log-input

permit tcp 10.8.20.0 0.0.0.63 10.8.16.248 0.0.0.7 log-input

permit tcp 10.8.20.0 0.0.0.63 10.1.30.0 0.0.0.255 log-input

permit icmp 10.8.8.240 0.0.0.7 10.8.20.0 0.0.0.63 log-input

permit icmp 10.8.16.248 0.0.0.7 10.8.20.0 0.0.0.63 log-input

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card