Re: VLAN ACLs

rmv72 · ‎06-27-2005

I've Catalyst 3750G

System image file is "flash:c3750-i9-mz.121.11-AX/c3750-i9-mz.121.11-AX.bin"

I want to filter traffic between VLANs.

First i created ACL 100 which allow all with logging but i couldn't see traffic between VLANs. Why?

!

interface Vlan10

ip address 10.20.0.16 255.255.252.0

!

interface Vlan20

ip address 10.10.3.254 255.255.252.0

ip access-group 100 in

!

access-list 100 permit ip any any log

From Syslog-

un 28 06:29:50.649: %SEC-6-IPACCESSLOGP: list 100 permitted udp 10.10.0.8(0) -> 10.10.3.255(0), 3 packets

Jun 28 06:31:34.811: %SEC-6-IPACCESSLOGP: list 100 permitted udp 10.10.0.242(0) -> 10.10.3.254(0), 1 packet

Jun 28 06:31:50.702: %SEC-6-IPACCESSLOGP: list 100 permitted udp 10.10.0.11(0) -> 10.10.3.255(0), 1 packet

Jun 28 06:33:50.755: %SEC-6-IPACCESSLOGP: list 100 permitted udp 10.10.0.7(0) -> 10.10.3.255(0), 1 packet

Jun 28 06:34:17.404: %SEC-6-IPACCESSLOGP: list 100 permitted udp 10.10.0.6(0) -> 10.10.3.255(0), 1 packet

Jun 28 06:34:50.782: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 10.10.0.228(0) -> 10.10.3.254(0), 20 pac

sdoremus33 · ‎06-27-2005

Add an ISL link between VLAN's

rmv72 · ‎06-27-2005

Do you mean i have to place router?

But i've already had interVLAN routing ( clients from VLAN 10 can communicate with clients from VLAN20).

C:\>tracert 10.10.0.5

Tracing route to 10.10.0.5 over a maximum of 30 hops

1 1 ms <1 ms <1 ms 10.20.0.16

2 <1 ms <1 ms <1 ms 10.10.0.5

Trace complete.

Georg Pauwen · ‎06-27-2005

Hello,

can you try and apply the access list in the outbound direction as well ?

Regards,

GP

rmv72 · ‎06-27-2005

i did it - nothing logged.