ACL between VLANs...

ahmed.gadi (Level 1)

Dear All,

I have 2 VLANs in my network and I want VLAN 27 (10.0.27.x/24) to not have access to VLAN 10 (10.0.10.x/24), except for a few servers on VLAN 10 that should remain accessible.

I configured following

ip access-list extended TEST
 1 permit ip 10.0.27.0 0.0.0.255 host 10.0.10.5
 ! 10.0.27.6 is the data-link router IP in VLAN 27, please see the explanation below
 2 permit ip host 10.0.27.6 10.0.10.0 0.0.0.255
 ! posted as "10.0.0.10 0.0.0.255", which IOS would store as 10.0.0.0/24; corrected to the VLAN 10 subnet
 10 deny ip 10.0.27.0 0.0.0.255 10.0.10.0 0.0.0.255
 ! for internet access
 20 permit ip 10.0.27.0 0.0.0.255 any
interface vlan 27
 ip access-group TEST in

I have a data-link router in VLAN 27 (10.0.27.6 being its IP address in VLAN 27), which connects to another server (192.168.1.2/24). This server needs to be accessed by all VLANs (27, 10). Because of the TEST ACL on interface vlan 27, I cannot access this server from VLAN 10.

I have proper routing on the data-link router to reach the server 192.168.1.2/24 from both VLANs. If I remove the access-group TEST from interface vlan 27, both VLANs can access the server normally, but if I apply TEST on interface vlan 27, users from VLAN 10 cannot access the server.

Traffic from VLAN 10 can reach the data-link router (10.0.27.6), and then it drops the traffic with the following error:

000177: Apr  7 01:04:52: ICMP: dst (10.0.10.2) administratively prohibited unreachable sent to 192.168.1.2..

Find attached sample diagram.

Thanks & Regards

Ahmed..

Accepted Solution

Laurent Aubert (Cisco Employee)

HI Ahmed,

An ACL at the VLAN level on the switch will be applied to any traffic that needs to be routed. In your case, the switch will compare the following packet to the ACL:

S: 192.168.1.2

D: 10.0.10.2

As you can see it matches only the implicit deny any any which explains the message you see. You need to update your ACL with the following entry:

25 permit ip host 192.168.1.2 10.0.10.0 0.0.0.255

Also you don't need entry 2 unless you want to be able to ping anyone on 10.0.10.0 subnet from the router.

HTH

Laurent.

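The evaluation described in the accepted answer, as an added example that is not part of the original thread or of any Cisco code: a small Python model of how an extended ACL applied `in` on interface vlan 27 evaluates a packet routed out of VLAN 27. ACEs are checked in sequence order, the first match wins, and anything unmatched falls to the implicit `deny ip any any` that produced the "administratively prohibited" unreachable in the post. The ACL text is the one from the thread (ACE 10 written with the VLAN 10 subnet it was meant to cover); the evaluator, the `Ace`/`parse_ace`/`evaluate` names and the sample hosts 10.0.27.50 and 8.8.8.8 are constructed for illustration, while 10.0.10.2 and 192.168.1.2 come from the posted log line.

```python
"""Added model (not from the thread) of how an extended ACL applied 'in' on an
SVI evaluates each packet routed out of that VLAN: ACEs are checked in sequence
order, the first match wins, and anything unmatched hits the implicit
'deny ip any any'."""
import ipaddress
from dataclasses import dataclass


def matches(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    return (a & care) == (b & care)


def parse_addr(tokens, i):
    """Consume one address spec (any | host A | A WILDCARD) starting at tokens[i]."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str  # "permit" or "deny"
    src: tuple   # (base, wildcard)
    dst: tuple   # (base, wildcard)


def parse_ace(line: str) -> Ace:
    """Parse one 'SEQ permit|deny ip SRC DST' line; only the 'ip' keyword is modelled."""
    tokens = line.split()
    seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    src, i = parse_addr(tokens, 3)
    dst, _ = parse_addr(tokens, i)
    return Ace(seq, action, src, dst)


def evaluate(acl, src: str, dst: str):
    """Return (action, seq) of the first matching ACE, or ('deny', None) for the implicit deny."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if matches(src, *ace.src) and matches(dst, *ace.dst):
            return ace.action, ace.seq
    return "deny", None


# The ACL as posted, with ACE 10 referencing the VLAN 10 subnet it was meant to block.
ORIGINAL_ACL = [parse_ace(line) for line in (
    "1 permit ip 10.0.27.0 0.0.0.255 host 10.0.10.5",
    "2 permit ip host 10.0.27.6 10.0.10.0 0.0.0.255",
    "10 deny ip 10.0.27.0 0.0.0.255 10.0.10.0 0.0.0.255",
    "20 permit ip 10.0.27.0 0.0.0.255 any",
)]
# The same ACL with the entry from the accepted answer added.
FIXED_ACL = ORIGINAL_ACL + [parse_ace("25 permit ip host 192.168.1.2 10.0.10.0 0.0.0.255")]

# Constructed sample packets: 10.0.10.2 and 192.168.1.2 are from the posted log
# line, the other hosts are illustrative.
PACKETS = [
    ("10.0.27.50", "10.0.10.5", "VLAN 27 client to the permitted server"),
    ("10.0.27.50", "10.0.10.2", "VLAN 27 client to the rest of VLAN 10"),
    ("10.0.27.50", "8.8.8.8", "VLAN 27 client to the internet"),
    ("192.168.1.2", "10.0.10.2", "return traffic entering via the data-link router"),
]


def typo_ace_blocks_vlan10() -> bool:
    """The posted ACE 10 read '10.0.0.10 0.0.0.255'; with that wildcard IOS keeps
    only 10.0.0.0/24, so it would not have matched VLAN 10 hosts at all."""
    return matches("10.0.10.2", "10.0.0.10", "0.0.0.255")


if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        print(f"--- {name} ACL ---")
        for src, dst, note in PACKETS:
            action, seq = evaluate(acl, src, dst)
            where = f"ACE {seq}" if seq is not None else "implicit deny"
            print(f"{src:>12} -> {dst:<12} {action:6} ({where})  {note}")
```

Running it shows the 192.168.1.2 -> 10.0.10.2 packet falling through to the implicit deny with the original ACL and matching ACE 25 once it is added. The forward direction (VLAN 10 toward 192.168.1.2) leaves the vlan 27 SVI outbound and is never checked by an `in` ACL, which is why only the return direction needed an entry. Two caveats worth keeping in mind: a permit keyed only on source 192.168.1.2 trusts that address, so any VLAN 27 host that spoofs it as its source would also pass the ACL, and a mistyped address such as `10.0.0.10 0.0.0.255` silently becomes a different subnet rather than an error, so `show ip access-lists` should be checked after the ACL is entered.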

3 Replies


Thanks Laurent,

I was considering that permit ip 10.0.27.0 0.0.0.255 any would match any packets, but was missing that I also need to take care of the return traffic as well, which is from the 192.168.1.x network.

Your observation seems valid, I will configure the ACE entry tomorrow and will update you.

Regards

Ahmed..

Thanks Laurent, it worked.
