ACL on traditional inter-Vlan

Thedentist
Level 1

Hi guys,

I have doubts about ACL and inter-Vlan. 

I tried to create a simple setup with two VLANs (10 and 99) and traditional inter-VLAN routing between them.

Everything worked correctly until I placed an ACL.

I tried to create an access list in this way to block ICMP traffic from Vlan10 to Vlan99.

 

ip access-list extended pr
 deny icmp 151.0.40.0 0.0.0.255 151.0.99.0 0.0.0.255
 permit ip any any

interface Vlan10
 ip access-group pr in

In this way PING does not work (which is correct) between Vlan10 and Vlan99. But I tried the same from Vlan99 to Vlan10 and PING gives a timeout, but it should work.

So I thought... if I block traffic from one VLAN to the other, do I block traffic in both directions?

Because I see that Vlan99 pings Vlan10 correctly, but when it sends the reply maybe the access list blocks it (because it passes through the same port) and in the same direction (inbound)... where am I wrong?

I think my problem is the ACL, because inter-VLAN routing is very simple and before the ACL, pings worked correctly from Vlan10 to Vlan99 and from Vlan99 to Vlan10.

Is it possible to block traffic in just one direction? I can't understand this reasoning. I had also tried to insert a few lines first in the ACL to try to allow it, but in the end I didn't find a correct choice.

Accepted Solution

Giuseppe Larosa
Hall of Fame

Hello TheDentist,

Extended ACLs allow you to match specific types of ICMP messages.

For example, if your ACL becomes:

ip access-list extended TEST
 permit icmp 151.0.40.0 0.0.0.255 151.0.99.0 0.0.0.255 echo-reply
 deny icmp 151.0.40.0 0.0.0.255 151.0.99.0 0.0.0.255
 permit ip any any

 

You can match on icmp echo-request or icmp echo-reply if you want to have an asymmetric scenario.

 

The ping sender uses echo-request, the receiver answers with an echo-reply.

(Note that echo-request may be named simply echo in the IOS ACL commands.)

 

Hope to help

Giuseppe
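The following is an added example, not code from the original thread or from Cisco: a minimal first-match evaluator for the two ACLs above, applied the way IOS applies an inbound ACL on interface Vlan10. Only packets entering the router from VLAN 10 hosts are evaluated there, so a ping from VLAN 99 is affected only through its echo-reply. The host addresses (151.0.40.10 and 151.0.99.10) are constructed sample values inside the two subnets from the thread; the evaluator supports only the ACE forms used in the thread (source/destination with wildcard masks, `any`, and an optional ICMP type keyword) plus the implicit deny at the end of every IOS ACL.

```python
"""Added example (not from the original thread): simulate an inbound ACL on
interface Vlan10 to show why the questioner's ACL breaks pings in both
directions while the corrected ACL breaks only VLAN 10 -> VLAN 99."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "icmp", "tcp", "udp", ...
    icmp_type: str = ""   # "echo" (request) or "echo-reply"; empty for non-ICMP


def _matches(addr, net, wildcard):
    """IOS wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def parse_ace(line):
    """Parse one access-control entry of the form used in the thread, e.g.
    'permit icmp 151.0.40.0 0.0.0.255 151.0.99.0 0.0.0.255 echo-reply'."""
    tok = line.split()
    action, proto = tok[0], tok[1]
    i = 2

    def take_addr():
        nonlocal i
        if tok[i] == "any":
            i += 1
            return ("0.0.0.0", "255.255.255.255")
        pair = (tok[i], tok[i + 1])
        i += 2
        return pair

    src = take_addr()
    dst = take_addr()
    icmp_type = tok[i] if i < len(tok) else ""
    return action, proto, src, dst, icmp_type


def evaluate(acl_lines, pkt):
    """First-match semantics; falls through to the implicit 'deny ip any any'."""
    for line in acl_lines:
        action, proto, src, dst, icmp_type = parse_ace(line)
        if proto not in ("ip", pkt.proto):
            continue
        if not (_matches(pkt.src, *src) and _matches(pkt.dst, *dst)):
            continue
        if icmp_type and icmp_type != pkt.icmp_type:
            continue
        return action
    return "deny"


# ACL 'pr' from the question, applied with 'ip access-group pr in' on Vlan10
ACL_PR = [
    "deny icmp 151.0.40.0 0.0.0.255 151.0.99.0 0.0.0.255",
    "permit ip any any",
]

# ACL 'TEST' from the accepted answer (with the echo-reply keyword spelled correctly)
ACL_TEST = [
    "permit icmp 151.0.40.0 0.0.0.255 151.0.99.0 0.0.0.255 echo-reply",
    "deny icmp 151.0.40.0 0.0.0.255 151.0.99.0 0.0.0.255",
    "permit ip any any",
]

# Constructed sample hosts: one in VLAN 10, one in VLAN 99
H10, H99 = "151.0.40.10", "151.0.99.10"


def ping_outcome(acl):
    """Which pings succeed when `acl` is applied inbound on Vlan10.

    The inbound ACL on Vlan10 sees only packets sourced in VLAN 10, so the
    VLAN 99 -> VLAN 10 ping is judged solely by its echo-reply."""
    req_from_10 = Packet(H10, H99, "icmp", "echo")          # host in VLAN 10 pings VLAN 99
    reply_from_10 = Packet(H10, H99, "icmp", "echo-reply")  # host in VLAN 10 answers a ping from VLAN 99
    return {
        "vlan10_pings_vlan99": evaluate(acl, req_from_10) == "permit",
        "vlan99_pings_vlan10": evaluate(acl, reply_from_10) == "permit",
    }


if __name__ == "__main__":
    print("question ACL:", ping_outcome(ACL_PR))
    print("answer ACL:  ", ping_outcome(ACL_TEST))
```

With the question's ACL both results are False: the deny entry matches the echo-request leaving VLAN 10 and also the echo-reply leaving VLAN 10, which is the only part of the VLAN 99 ping that the inbound Vlan10 ACL ever sees. With the answer's ACL the echo-reply is permitted first, so VLAN 99 can ping VLAN 10 while the reverse ping stays blocked.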

 
