access-list not work

sakdavin
Level 1

Hello,

I have one L3 Cat. 3550 Switch. Currently, I have configured Inter-VLAN Routing and created two VLANs (VLAN 50, 60) on the switch.

- VLAN50: 192.168.1.1/24

- VLAN60: 172.16.1.1/24

The clients on both vlans can access each other.

The question is that I would like to apply an access-list so that clients on network 192.168.1.0 cannot (deny) access network 172.16.1.0, but network 172.16.1.0 can access the 192.168.1.0 network.

Thanks in advance.

Warmest Regards,

Sakdavin

11 Replies

sevans1979
Level 4

This is just a stab in the dark, but you can try the following.

For the access-list to deny the hosts on network 192.168.1.0 access to the 172.16.1.0 network, try the following:

access-list 101 deny ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255

access-list 101 permit ip any any

You can set this access-list on the VLAN60 interface, I believe.

The command for enabling this on the VLAN60 interface would be:

ip access-group 101 in

Again, I could be wrong; I have never worked on a L3 Cat 3550. These are just my thoughts on a way to try it.

Hope this helps; if it does, don't forget to rate the post.

Scott

This looks OK, but it should be on VLAN 50 with "ip access-group 101 in".

Yep, you're right Glen. Should be "in" on VLAN 50, my fault.

At least I was close to right :)

Thanks for clearing that up

Scott

Hello,

I followed the above steps, but it seems to deny both networks. Meaning that after I applied the access-list, the two networks could not access each other. Below is the access-list I used:

* access-list 101 deny ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255

* access-list 101 permit ip any any

* Interface vlan 50

ip access-group 101 in

So please help me on this issue.

Thanks in advance

Sakdavin

You are blocking everything inbound... including ACKs that you would want to pass for the traffic in the opposite direction to work properly.

Since ACLs use an implicit 'deny ip any any' at the end, why not take advantage of that fact?

access-list 101 permit tcp 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255 est

This should allow return traffic for any established (ing) session, but the implicit deny will block any unsolicited traffic inbound.

Hi Sakdavin,

I am sorry to say that you cannot succeed with an approach like this. With your configuration you are blocking both directions (either messages or responses). The standard approach might be to use reflexive ACLs which, to my knowledge, are not supported on the Cat3550 platform.

So a feasible approach may be just to control TCP traffic using the "established" parameter and either block UDP or not worry about it.

So your configuration may sound like this:

access-list 101 permit tcp 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255 established

access-list 101 deny tcp 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255

access-list 101 permit ip any any

interface vlan 60

ip access-group 101 in

This will allow UDP. Should you like to block it, just add one more statement.

You should also consider taking care of fragment control.

Best regards,

Antonin

Hello,

Thanks for your reply. But it still does not work.

I would like to brief what I am going to do:

The requirement is only to block all clients in VLAN50 (192.168.1.1/24) from accessing VLAN60 (172.16.1.1/24), while clients on VLAN60 can access VLAN50.

I am not so good at and very new to access-lists, so please kindly check my configuration in the attached file and give me as much advice as you can.

Thanks in advance.

Sakdavin

Hi Sakdavin,

Sorry for the delayed answer. I was travelling the whole day (as usual).

Your access-list denies all IP traffic from VLAN 50 to VLAN 60 in the first line. I cannot remember having specified my suggestion like this. Just leave the first line out, please.

Now let us make sure we both understand what this ACL should do. It will allow all IP traffic going to VLAN 60 with the exception of TCP traffic originated in VLAN 50. Please understand that this concerns only TCP, i.e. you cannot test this filter by ping (ICMP, NOT TCP): ping should work both ways, and also UDP etc.

Please let me know if this works as expected.

I am happy to help you further if necessary; you can even send me e-mail, just please be aware I am travelling heavily without Internet access most days.

Best regards,

Antonin

Hello all,

I have tried many times to add the above access-list, but it still does not work. Maybe something is wrong somewhere else.

Could anybody help by giving me a sample access-list and its description that matches my case above?

Thank you in advance.

Sakdavin

Hi Sakdavin,

Thanks for dropping me an e-mail. Since you posted your reply here, I prefer to answer here as well.

First of all, let us clear up basic confusions.

I have noticed that in your configuration you have used different network addresses than in your VLAN assignment.

So provided your int vlan 50 address is 192.168.1.1/24 and your int vlan 60 address is 172.16.1.1/24, the access list should read like this:

access-list 101 permit tcp 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255 (this will allow return TCP traffic originated in VLAN 60)

access-list 101 deny tcp 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255 (this will deny TCP traffic originated in VLAN 50 targeted to VLAN 60)

access-list 101 permit ip any any (this will allow all the rest of the IP traffic)

int vlan 50 (I put 60 by mistake - sorry about that)

ip access-group 101 in

That is all, and it should work. You can test by telnet (TCP port 23), SSH (TCP port 22) or perhaps HTTP (TCP port 80).

Now things may be further complicated. Some higher-level protocols need special care. Let us take FTP as an example. Most original implementations use a control channel (this would be OK as far as this ACL is concerned) and a data channel originated from the opposite end, which will be blocked by this ACL.

So will you please try again with a double check of the address assignment, and if this does not work as expected, let me know more about your application and also what exactly you are experiencing (i.e. nothing is filtered, or everything is filtered, or anything else).

Sorry again about my mistake.

Best regards,

Antonin

Hi,

I noticed that I missed the "established" keyword in the first line of access-list 101, i.e. it should read:

access-list 101 permit tcp 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255 established

Sorry about that.

Best regards,

Antonin
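The thread turns on one point: the first ACL (deny ip, then permit ip any any) applied inbound on VLAN 50 drops the reply half of every session, while the corrected ACL (permit tcp ... established, deny tcp, permit ip any any) lets TCP replies through and only blocks new TCP connections originated in VLAN 50. The following Python script is an added illustration, not code from the thread or from Cisco; it is a small stateless evaluator for IOS-style extended ACL lines, using the same matching rules an IOS ACL applies (first match wins, implicit deny at the end, "established" matching TCP packets with the ACK or RST bit set). The packets, the `evaluate`/`parse_ace` function names and the `Packet` fields are constructed for this example. It also shows the caveat Antonin raised in other words: "established" is not stateful, so non-TCP traffic (UDP, ICMP) from VLAN 50 still passes the corrected ACL.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class AclEntry:
    """One access-list line (an ACE) in the order it was configured."""
    action: str                    # "permit" or "deny"
    proto: str                     # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    established: bool = False      # only meaningful for proto == "tcp"


@dataclass
class Packet:
    """Constructed packet as seen entering the switch on int vlan 50."""
    proto: str
    src: str
    dst: str
    tcp_flags: frozenset = frozenset()   # e.g. {"SYN"} or {"SYN", "ACK"}


def _parse_addr(tok, i):
    """Parse 'any', 'host A' or 'A WILDCARD' starting at token i."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    addr, wildcard = tok[i], tok[i + 1]
    # An IOS wildcard mask is the bitwise inverse of a subnet mask.
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), i + 2


def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [established]'."""
    tok = line.split()
    action, proto = tok[2], tok[3]
    src, i = _parse_addr(tok, 4)
    dst, i = _parse_addr(tok, i)
    return AclEntry(action, proto, src, dst, "established" in tok[i:])


def evaluate(acl, pkt):
    """First matching ACE decides; no match means the implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if ipaddress.ip_address(pkt.src) not in ace.src:
            continue
        if ipaddress.ip_address(pkt.dst) not in ace.dst:
            continue
        # "established" matches only TCP segments carrying ACK or RST;
        # it inspects flags, not connection state, so it is stateless.
        if ace.established and not (pkt.tcp_flags & {"ACK", "RST"}):
            continue
        return ace.action
    return "deny"


# The ACL the original poster applied (blocks both directions).
ORIGINAL_ACL = [parse_ace(l) for l in (
    "access-list 101 deny ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255",
    "access-list 101 permit ip any any",
)]

# Antonin's corrected ACL, applied inbound on int vlan 50.
ESTABLISHED_ACL = [parse_ace(l) for l in (
    "access-list 101 permit tcp 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255 established",
    "access-list 101 deny tcp 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255",
    "access-list 101 permit ip any any",
)]

# Constructed sample traffic entering the switch from VLAN 50.
SYN_FROM_50 = Packet("tcp", "192.168.1.10", "172.16.1.20", frozenset({"SYN"}))
SYNACK_FROM_50 = Packet("tcp", "192.168.1.10", "172.16.1.20", frozenset({"SYN", "ACK"}))
UDP_FROM_50 = Packet("udp", "192.168.1.10", "172.16.1.20")
ICMP_REPLY_FROM_50 = Packet("icmp", "192.168.1.10", "172.16.1.20")
TO_ELSEWHERE = Packet("tcp", "192.168.1.10", "10.0.0.1", frozenset({"SYN"}))


def compare():
    """Decision of each ACL for each sample packet, keyed by packet name."""
    samples = {"syn": SYN_FROM_50, "synack": SYNACK_FROM_50, "udp": UDP_FROM_50,
               "icmp_reply": ICMP_REPLY_FROM_50, "elsewhere": TO_ELSEWHERE}
    return {name: (evaluate(ORIGINAL_ACL, p), evaluate(ESTABLISHED_ACL, p))
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, (orig, est) in compare().items():
        print(f"{name:11s} original={orig:6s} established={est}")
```

Running it shows the SYN-ACK a VLAN 50 host sends back to a VLAN 60 client is denied by the first ACL but permitted by the second, while a fresh SYN from VLAN 50 is denied by both. UDP and the ICMP echo reply are permitted by the corrected ACL, which is why ping is not a valid test of it, and why the 172.16.1.0 side remains reachable only as far as TCP is concerned.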