04-08-2011 04:07 PM - edited 03-04-2019 12:01 PM
Dear All,
I have 2 VLANs in my network and I want VLAN 27 (10.0.27.x/24) not to access VLAN 10 (10.0.10.x/24), except for a few servers on VLAN 10 that should still be accessible.
I configured the following:
ip access-list extended TEST
1 permit ip 10.0.27.0 0.0.0.255 host 10.0.10.5
2 permit ip host 10.0.27.6 10.0.10.0 0.0.0.255 ---> 10.0.27.6 being the data router IP, please see the explanation below
10 deny ip 10.0.27.0 0.0.0.255 10.0.10.0 0.0.0.255
20 permit ip 10.0.27.0 0.0.0.255 any ---> for internet access
int vlan 27
ip access-group TEST in
I have a data-link router in VLAN 27 (10.0.27.6 being the IP address of the data link router in VLAN 27), which connects to another server (192.168.1.2/24). This server needs to be accessed by all VLANs (27, 10). Because of the TEST ACL on interface vlan 27, I cannot access this server from VLAN 10.
I have proper routing on the data link router to reach server 192.168.1.2/24 from both VLANs. If I remove the access-group TEST from interface vlan 27, both VLANs can access the server normally, but if I apply TEST on interface vlan 27, users from VLAN 10 cannot access the server.
Traffic from VLAN 10 can reach the data link router (10.0.27.6) and then it drops the traffic with the following error:
000177: Apr 7 01:04:52: ICMP: dst (10.0.10.2) administratively prohibited unreachable sent to 192.168.1.2..
Find a sample diagram attached.
Thanks & Regards
Ahmed..
04-08-2011 09:11 PM
Hi Ahmed,
An ACL at the VLAN level on the switch will be applied to any traffic that needs to be routed. In your case, the switch will compare the following packet to the ACL:
S: 192.168.1.2
D: 10.0.10.2
As you can see, it matches only the implicit deny any any, which explains the message you see. You need to update your ACL with the following entry:
25 permit ip host 192.168.1.2 10.0.10.0 0.0.0.255
Also, you don't need entry 2 unless you want to be able to ping anyone on the 10.0.10.0 subnet from the router.
HTH
Laurent.
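To make the first-match evaluation Laurent describes concrete, here is an added example (my own code, not IOS and not from this thread): a small evaluator for Cisco-style extended ACLs with wildcard masks. It is fed the TEST ACL from the question and shows the return packet S: 192.168.1.2, D: 10.0.10.2 hitting the implicit deny until ACE 25 is added. The sample packet addresses are constructed.

```python
# Added example: minimal first-match evaluator for Cisco-style extended ACLs.
# Not IOS code; it only models 'permit|deny ip <src> <dst>' ACEs with
# 'host A', 'A WILDCARD' or 'any' address forms, and the implicit deny.
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)

def parse_ace(line):
    """Parse '<seq> permit|deny ip <src> <dst>' into a tuple."""
    tok = line.split()
    seq, action = int(tok[0]), tok[1]
    tok = tok[3:]  # skip the 'ip' protocol keyword
    addrs = []
    for _ in range(2):  # source, then destination
        if tok[0] == "any":
            addrs.append(("0.0.0.0", "255.255.255.255")); tok = tok[1:]
        elif tok[0] == "host":
            addrs.append((tok[1], "0.0.0.0")); tok = tok[2:]
        else:
            addrs.append((tok[0], tok[1])); tok = tok[2:]
    return seq, action, addrs[0], addrs[1]

def evaluate(acl, src, dst):
    """First match in sequence order wins; no match is the implicit deny."""
    for seq, action, (sb, sw), (db, dw) in sorted(acl, key=lambda e: e[0]):
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return f"{action} (seq {seq})"
    return "deny (implicit)"

# The ACL from the question, applied inbound on interface vlan 27.
TEST = [parse_ace(l) for l in (
    "1 permit ip 10.0.27.0 0.0.0.255 host 10.0.10.5",
    "2 permit ip host 10.0.27.6 10.0.10.0 0.0.0.255",
    "10 deny ip 10.0.27.0 0.0.0.255 10.0.10.0 0.0.0.255",
    "20 permit ip 10.0.27.0 0.0.0.255 any",
)]
# Same ACL with the entry from the answer added.
FIXED = TEST + [parse_ace("25 permit ip host 192.168.1.2 10.0.10.0 0.0.0.255")]

if __name__ == "__main__":
    print(evaluate(TEST, "10.0.27.50", "10.0.10.5"))   # permit (seq 1)
    print(evaluate(TEST, "10.0.27.50", "10.0.10.20"))  # deny (seq 10)
    print(evaluate(TEST, "192.168.1.2", "10.0.10.2"))  # deny (implicit)
    print(evaluate(FIXED, "192.168.1.2", "10.0.10.2"))  # permit (seq 25)
```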
04-09-2011 02:28 AM
Thanks Laurent,
I was considering that permit ip 10.0.27.0 0.0.0.255 any would match any packets, but was missing that I also need to take care of the return traffic as well, which is from the 192.168.1.x network.
Your observation seems valid; I will configure the ACE entry tomorrow and will update you.
Regards
Ahmed..
04-10-2011 08:47 AM
Thanks Laurent, it worked.