01-24-2007 05:28 AM - edited 03-03-2019 03:28 PM
Hi guys,
OK, my problem is that I've created a VLAN just for a testing server. I set this up and assigned a static IP to my server. I only want my server to be able to access our proxy server to get out to the internet to pull down updates, etc. I've set up the ACLs as follows:
VLAN:
interface Vlan13
description VLAN 13 SERVER BUILD VLAN 172.17.13.0/24
ip address 172.17.13.3 255.255.255.0
ip access-group 114 in
ip access-group Server_Build_ACL out
no ip redirects
ip pim sparse-dense-mode
ip cgmp
standby ip 172.17.13.1
standby priority 110
standby preempt
ACL on switch:
ip access-list extended Server_Build_ACL
permit ip 172.17.13.0 0.0.0.255 host 192.168.176.132
permit icmp 172.17.13.0 0.0.0.255 host 192.168.176.132
ACL #2:
access-list 114 permit ip host 192.168.176.132 172.17.13.0 0.0.0.255
access-list 114 permit icmp any any
From the server, I can ping the 172.17.13.1 VLAN gateway but not the proxy server address.
From the router next to the proxy server I can ping the 172.17.13.1 address, but I get an unreachable for the static server address?
Any ideas?
01-24-2007 06:21 AM
Hi Robert
It's to do with the virtualisation on a layer 3 switch and the traffic direction.
Traffic coming into the Vlan 13 interface will be traffic from servers on vlan13 going out.
Traffic going out on vlan13 will be traffic coming from outside destined for servers on vlan13. With a layer 3 switch this traffic will be coming in on a different vlan interface altogether, i.e.
if you have a client vlan 100 on the same switch, when a client talks to vlan 13 the client traffic will be coming in on vlan100 and out on vlan13.
If a server on vlan13 talks to a client on vlan100, traffic will be coming in on vlan13 and out on vlan100.
Hope I've explained this clearly
Jon
01-24-2007 05:50 AM
Hi
Can you just clarify: what is the address of the test server, and what is the proxy server address?
If the test server address is from the 172.17.13.x subnet range (vlan 13) and your proxy server is 192.168.176.132, then it looks to me as though your access lists are applied the wrong way round, i.e.:
114 should be out
Server_Build_ACL should be in.
HTH
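To make the direction rule concrete, here is a small model (added for this thread, not Cisco code or anything from the original posts) that evaluates the two ACLs from the question on the Vlan13 SVI the way the switch does: a packet sourced inside 172.17.13.0/24 is checked by the "in" ACL, a packet routed towards the VLAN by the "out" ACL. The server address 172.17.13.10 is assumed; the thread does not give it.

```python
import ipaddress
from typing import List, NamedTuple

class Ace(NamedTuple):
    proto: str   # "ip" matches any protocol, otherwise e.g. "icmp"
    src: str     # Cisco syntax: "addr wildcard", "host addr" or "any"
    dst: str

def _match_addr(spec: str, addr: str) -> bool:
    """Match an address against a Cisco source/destination specifier."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return addr == parts[1]
    net, wild = parts
    mask = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF  # wildcard -> netmask
    return (int(ipaddress.IPv4Address(addr)) & mask) == (int(ipaddress.IPv4Address(net)) & mask)

def acl_permits(acl: List[Ace], proto: str, src: str, dst: str) -> bool:
    for ace in acl:
        if ace.proto in ("ip", proto) and _match_addr(ace.src, src) and _match_addr(ace.dst, dst):
            return True
    return False  # implicit deny at the end of every Cisco ACL

# The two ACLs exactly as posted in the question.
SERVER_BUILD_ACL = [Ace("ip", "172.17.13.0 0.0.0.255", "host 192.168.176.132"),
                    Ace("icmp", "172.17.13.0 0.0.0.255", "host 192.168.176.132")]
ACL_114 = [Ace("ip", "host 192.168.176.132", "172.17.13.0 0.0.0.255"),
           Ace("icmp", "any", "any")]
VLAN13 = ipaddress.ip_network("172.17.13.0/24")

def svi_forwards(in_acl: List[Ace], out_acl: List[Ace], proto: str, src: str, dst: str) -> bool:
    """'in' on the SVI sees traffic leaving hosts on vlan13; 'out' sees traffic
    routed from another VLAN/interface towards hosts on vlan13."""
    if ipaddress.ip_address(src) in VLAN13:
        return acl_permits(in_acl, proto, src, dst)
    return acl_permits(out_acl, proto, src, dst)

def ping_succeeds(in_acl: List[Ace], out_acl: List[Ace], src: str, dst: str) -> bool:
    """A ping needs the echo request and the echo reply both to be forwarded."""
    return (svi_forwards(in_acl, out_acl, "icmp", src, dst)
            and svi_forwards(in_acl, out_acl, "icmp", dst, src))

if __name__ == "__main__":
    server, proxy = "172.17.13.10", "192.168.176.132"   # server address assumed
    # Original config: 114 in, Server_Build_ACL out -> the reply is dropped on "out".
    print("original:", ping_succeeds(ACL_114, SERVER_BUILD_ACL, server, proxy))     # False
    # Swapped as Jon suggested: Server_Build_ACL in, 114 out -> both directions pass.
    print("swapped: ", ping_succeeds(SERVER_BUILD_ACL, ACL_114, server, proxy))     # True
```

With the swapped ACLs the server still cannot reach anything other than the proxy, which is the original intent of Server_Build_ACL.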
01-24-2007 06:03 AM
Hi Jon,
This has done the trick, but I'm still confused as to why. The 114 ACL was set to in to allow traffic from the Proxy (192.168.x.x) into VLAN13, and the other set to out, to allow vlan 13 traffic out to the Proxy. I need a refresher on ACLs, as it seems to work opposite to how you'd expect.
01-24-2007 06:24 AM
Hi Jon,
Thanks for this. It clears it up. I was sure that the VLAN ACLs were viewed differently from physical interfaces.
Nice one.
Rob.