Beginner

ACL on traditional inter-Vlan

Hi guys,

I have doubts about ACL and inter-Vlan. 

I tried to create two simple VLANs (10 and 99) and traditional inter-VLAN routing between them.

All works correctly, until I place an ACL.

I tried to create an access list in this way to block ICMP traffic from Vlan10 to Vlan 99.

 

ip access-list extended pr
 deny icmp 151.0.40.0 0.0.0.255 151.0.99.0 0.0.0.255
 permit ip any any
!
interface Vlan10
 ip access-group pr in

In this way PING does not work (which is correct) between Vlan10 and Vlan 99. But I tried to do the same from Vlan99 to Vlan 10 and PING gives a timeout, though it should work.

So I thought... if I block traffic from one Vlan to the other, do I block traffic in both directions?

Because I see that Vlan 99 pings Vlan 10 correctly, but when it sends the reply maybe the access list blocks it (because it passes on the same port) and in the same direction (inbound).... where am I wrong?

I think my problem is the ACL, because inter-Vlan is very simple and before the ACL ping worked correctly from Vlan 10 to Vlan 99 and from Vlan 99 to Vlan 10.

Is it possible to block traffic in just one direction? I can't understand this reasoning. I had also tried to insert a few lines first in the ACL to try to allow it, but in the end I didn't find a correct choice.

Accepted Solutions
Hall of Fame Expert

Re: ACL on traditional inter-Vlan

Hello TheDentist,

Extended ACLs allow you to match specific types of ICMP messages.

For example, if your ACL becomes

ip access-list extended TEST
 permit icmp 151.0.40.0 0.0.0.255 151.0.99.0 0.0.0.255 echo-reply
 deny icmp 151.0.40.0 0.0.0.255 151.0.99.0 0.0.0.255
 permit ip any any

 

You can match on icmp echo-request or icmp echo-reply if you want to have an asymmetric scenario.

 

The ping sender uses an echo-request, the receiver answers with an echo-reply.

(Note: the echo-request may be named simply echo in the IOS ACL commands.)

 

Hope to help

Giuseppe
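To make the reasoning in the question and the answer concrete, here is an added example (not code from either poster and not Cisco's) that models the stateless, first-match evaluation of an inbound ACL on the Vlan10 SVI. The host addresses, the two ACLs and the interface layout are constructed to mirror the thread: only interface Vlan10 carries an ACL, inbound, and the evaluator understands just the subset of extended-ACL syntax used above (wildcard masks, `any`, `host`, and the ICMP keywords `echo`, `echo-request`, `echo-reply`).

```python
"""Stateless inbound-ACL simulation for the inter-VLAN ping scenario.

Added example, not the thread's own code. The ACL evaluator models IOS
semantics in miniature: wildcard masks (0 bit = must match, 1 bit = ignored),
first matching entry wins, implicit 'deny ip any any' at the end.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# ICMP type numbers behind the IOS keywords (RFC 792).
ICMP_TYPES = {"echo": 8, "echo-request": 8, "echo-reply": 0}


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: compare only the bits that are 0 in the wildcard."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                      # "icmp", "tcp", ...
    icmp_type: Optional[int] = None


@dataclass
class Ace:
    action: str                     # "permit" | "deny"
    proto: str                      # "ip" | "icmp" | ...
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    icmp_type: Optional[int] = None  # None matches any ICMP type

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.icmp_type is not None and p.icmp_type != self.icmp_type:
            return False
        return (wildcard_match(p.src, self.src, self.src_wc)
                and wildcard_match(p.dst, self.dst, self.dst_wc))


def _parse_addr(tokens: List[str], i: int):
    """Return (network, wildcard, next_index) for 'any', 'host X' or 'X WILDCARD'."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def parse_ace(line: str) -> Ace:
    """Parse one entry of the 'ip access-list extended' syntax used in the thread."""
    t = line.split()
    action, proto = t[0], t[1]
    src, src_wc, i = _parse_addr(t, 2)
    dst, dst_wc, i = _parse_addr(t, i)
    icmp_type = ICMP_TYPES[t[i]] if proto == "icmp" and i < len(t) else None
    return Ace(action, proto, src, src_wc, dst, dst_wc, icmp_type)


def evaluate(acl: List[str], p: Packet) -> str:
    """First matching entry decides; fall through to the implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if ace.matches(p):
            return ace.action
    return "deny"


def ping(acls_by_ingress: Dict[str, Optional[List[str]]],
         src_host: str, src_if: str, dst_host: str, dst_if: str) -> str:
    """Simulate one ping across the SVIs.

    The echo-request enters the router inbound on the sender's SVI, the
    echo-reply enters inbound on the responder's SVI. Both must pass the
    inbound ACL of the interface they arrive on, or the sender sees a timeout.
    """
    request = Packet(src_host, dst_host, "icmp", ICMP_TYPES["echo"])
    reply = Packet(dst_host, src_host, "icmp", ICMP_TYPES["echo-reply"])
    for ingress, pkt in ((src_if, request), (dst_if, reply)):
        acl = acls_by_ingress.get(ingress)
        if acl is not None and evaluate(acl, pkt) == "deny":
            return "timeout"
    return "reply"


# Constructed ACLs, copied from the question and from the accepted answer.
ORIGINAL_ACL = [
    "deny icmp 151.0.40.0 0.0.0.255 151.0.99.0 0.0.0.255",
    "permit ip any any",
]
FIXED_ACL = [
    "permit icmp 151.0.40.0 0.0.0.255 151.0.99.0 0.0.0.255 echo-reply",
    "deny icmp 151.0.40.0 0.0.0.255 151.0.99.0 0.0.0.255",
    "permit ip any any",
]

# Constructed host addresses; the ACL sits inbound on Vlan10 only, as in the question.
H10, H99 = "151.0.40.10", "151.0.99.10"


def outcomes(acl: List[str]) -> Dict[str, str]:
    """Ping results in both directions with the given ACL applied inbound on Vlan10."""
    topo = {"Vlan10": acl, "Vlan99": None}
    return {
        "vlan10_to_vlan99": ping(topo, H10, "Vlan10", H99, "Vlan99"),
        "vlan99_to_vlan10": ping(topo, H99, "Vlan99", H10, "Vlan10"),
    }


if __name__ == "__main__":
    print("original ACL:", outcomes(ORIGINAL_ACL))
    print("fixed ACL:   ", outcomes(FIXED_ACL))
```

With the original ACL both directions time out: VLAN 99's echo-request enters on Vlan99, where there is no ACL, but the echo-reply from the VLAN 10 host is just another inbound ICMP packet on Vlan10 from 151.0.40.0/24 to 151.0.99.0/24 and is caught by the same deny. Because interface ACLs are stateless, the only way to express "VLAN 10 may answer but may not initiate" is to distinguish the ICMP message types, which is what the permit for echo-reply ahead of the deny does.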
