05-28-2019 01:51 AM
Hi guys,
I have doubts about ACL and inter-Vlan.
I tried to create a simple setup with two VLANs (10 and 99) and traditional inter-Vlan routing between them.
All worked correctly, until I placed an ACL.
I tried to create an access list in this way to block ICMP traffic from Vlan10 to Vlan99.
#ip access-list extended pr
 deny icmp 151.0.40.0 0.0.0.255 151.0.99.0 0.0.0.255
 permit ip any any
#int Vlan10
#ip access-group pr in
In this way PING is not working (which is correct) between Vlan10 and Vlan99. But I tried to do the same from Vlan99 to Vlan10 and PING gives a timeout, but it should work.
So I thought... If I block traffic from one Vlan to the other, do I block traffic in both directions?
Because I see that Vlan99 pings Vlan10 correctly, but when it sends the reply, maybe the access list blocks it (because it passes on the same port) and in the same direction (Inbound).... Where am I wrong?
I think my problem is the ACL, because inter-Vlan is very simple and before the ACL, ping worked correctly from Vlan10 to Vlan99 and from Vlan99 to Vlan10.
Is it possible to block traffic in just one direction? I can't understand this reasoning. I had also tried to insert a few lines first in the ACL to try to allow it, but in the end I didn't find a correct choice.
05-28-2019 02:02 AM - edited 05-28-2019 02:03 AM
Hello TheDentist,
extended ACLs allow matching specific types of ICMP messages.
For example, if your ACL becomes:
ip access-list extended TEST
 permit icmp 151.0.40.0 0.0.0.255 151.0.99.0 0.0.0.255 echo-reply
 deny icmp 151.0.40.0 0.0.0.255 151.0.99.0 0.0.0.255
 permit ip any any
You can match on icmp echo-request or icmp echo-reply if you want to have an asymmetric scenario.
The ping sender uses echo-request, the receiver answers with an echo-reply.
(note the echo-request may be named simply echo in the IOS commands for ACL)
Hope to help
Giuseppe
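To make the asymmetry concrete, here is an added Python simulation (not from the thread or from Cisco) of first-match ACL evaluation on the Vlan10 SVI, using the thread's 151.0.40.0/24 and 151.0.99.0/24 ranges. It assumes the ACL is applied inbound on Vlan10 only, as in the question, and that the echo-request type is written "echo" as Giuseppe notes; it checks the original ACL against the echo-reply variant for pings in both directions.

```python
from ipaddress import IPv4Address

def wc_match(addr, ace):
    """IOS wildcard-mask match: bits set in the wildcard are 'don't care'."""
    ace_addr, wildcard = ace
    if ace_addr == "any":
        return True
    a, b, w = (int(IPv4Address(x)) for x in (addr, ace_addr, wildcard))
    return ((a ^ b) & ~w) == 0

def parse_ace(line):
    """Parse 'permit|deny proto src [wc] dst [wc] [icmp-type]' (an IOS subset)."""
    t = line.split()
    addrs, i = [], 2
    for _ in range(2):  # source, then destination
        if t[i] == "any":
            addrs.append(("any", "0.0.0.0")); i += 1
        else:
            addrs.append((t[i], t[i + 1])); i += 2
    return {"action": t[0], "proto": t[1], "src": addrs[0], "dst": addrs[1],
            "icmp_type": t[i] if i < len(t) else None}

def evaluate(acl, pkt):
    """First matching ACE wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace["proto"] not in ("ip", pkt["proto"]):
            continue
        if not (wc_match(pkt["src"], ace["src"]) and wc_match(pkt["dst"], ace["dst"])):
            continue
        if ace["icmp_type"] and ace["icmp_type"] != pkt.get("icmp_type"):
            continue
        return ace["action"]
    return "deny"

def ping(acl, src, dst):
    """Simulate one ping: echo-request src->dst, then echo-reply dst->src.
    The ACL is applied 'in' on interface Vlan10 as in the thread, so the router
    only evaluates packets entering from VLAN 10 (151.0.40.0/24); Vlan99 has no ACL."""
    for p in ({"proto": "icmp", "src": src, "dst": dst, "icmp_type": "echo"},
              {"proto": "icmp", "src": dst, "dst": src, "icmp_type": "echo-reply"}):
        entering_vlan10 = wc_match(p["src"], ("151.0.40.0", "0.0.0.255"))
        if entering_vlan10 and evaluate(acl, p) == "deny":
            return "timeout"
    return "reply"

# Constructed ACLs: the asker's original, and Giuseppe's echo-reply permit placed in front of it.
ORIGINAL_ACL = [parse_ace(l) for l in ("deny icmp 151.0.40.0 0.0.0.255 151.0.99.0 0.0.0.255",
                                       "permit ip any any")]
FIXED_ACL = [parse_ace("permit icmp 151.0.40.0 0.0.0.255 151.0.99.0 0.0.0.255 echo-reply")] + ORIGINAL_ACL
```

With the original ACL both directions time out because the reply from VLAN 10 enters Vlan10 inbound and hits the deny; with the echo-reply permit in front, VLAN 99 can ping VLAN 10 while VLAN 10 still cannot ping VLAN 99.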